WAPTv2 at a glance: Self-paced, online, flexible access interactive slides and 5+ hours of video material. Downloadable material

Transcription

1 The most practical and comprehensive training course on Web App Pentest WAPTv2 at a glance: Self-paced, online, flexible access interactive slides and 5+ hours of video material Downloadable material 56 labs to practice attack techniques and exploits Integrated with Hera Lab Based on latest Web Application Penetration Testing research Master Web Application Security tools Prepares for the ewpt Certification Prepares for real world Web App Penetration testing job Prepares for the Web Application Penetration Testing extreme (WAPTx) course This training course has been chosen by students in 148 countries in the world and by leading organizations such as: Course home page:

2 The Web Application Penetration Testing course (WAPT) is the online, self-paced training course that provides all the necessary advanced skills to carry out a thorough and professional penetration test against modern web applications. Thanks to the extensive use of Hera Lab and the coverage of the latest researches in the web application security field, the WAPT course is not only the most practical training course on the subject but also the most up to date. The course, although based on the offensive approach, contains, for each chapter, advices and best practices to solve the security issues detected during the penetration test. The training course is totally self-paced with interactive slides and video material that students can access online without any limitation. Students have a lifetime access to the training material. Students can study from home, office or everywhere an Internet connection is available. It is always possible to resume studying from the last slide or video accessed. The course Web Application Penetration Testing v2 is integrated with Hera Lab: the most sophisticated virtual lab on IT Security. A minimum amount of 60 hours is advised. For a more intensive use, 120 hours may be necessary. Hera Lab provides vulnerable infrastructures on demand where a student can practice every topic seen in the course in a dedicated and isolated environment. The WAPT training course benefits the career of penetration testers and IT Security personnel in charge of defending their organization web applications. This course allows organizations of all sizes assess and mitigate the risk at which their web applications are exposed, by building strong, practical in-house skills. Penetration testing companies can train their teams with a comprehensive and practical training course without having to deploy internal labs that are often outdated and not backed by solid theoretical material. 2

3 The student willing to enroll in the course must possess a solid understanding of web applications and web application security models. No programming skills are required. However, snippets of JavaScript/HTML/PHP code will be used during the course. The WAPT course leads to the ewpt certification. The certification can be obtained by successfully completing the requirements of a 100% practical exam consisting in a penetration test of a real world complex web application hosted in our elearnsecurity Hera labs. A ewpt voucher is included in all the plans of the WAPT course. 3

4 The student is provided with a suggested learning path to ensure the maximum success rate and the minimum effort: - Module 1: Penetration Testing Process - Module 2: Introduction to Web Applications - Module 3: Information Gathering - Module 4: Cross Site Scripting - Module 5: SQL Injection - Module 6: Authentication and Authorization - Module 7: Session Security - Module 8: Flash Security - Module 9: HTML 5 - Module 10: File and Resource Attacks - Module 11: Other Attacks - Module 12: Web Services - Module 13: XPath All modules come in slides (FLASH and HTML5) + video format and PDFs. Modules can be accessed from within the elearnsecurity Members area. Labs are referenced within the slides in order to suggest the correct learning path to follow. 4

5 This module helps Penetration tester gain confidence with the processes and legal matters involved in a penetration testing engagement. The student will learn the methodologies and the reporting best practice in order to become a confident and professional penetration tester. This is a wealth of information useful throughout the entire career of a penetration tester. 1. Introduction 1.1. Pre-engagement Rules of Engagement Goal Scope of engagement Timetable Liabilities and Responsibilities Non-disclosure agreements Emergency Plan Allowed Techniques Deliverables 1.2. Methodologies PTES OWASP Testing Guide 1.3. Reporting What do clients want? Writing the report Reporting Phase Understanding your audience Report structure - Executive Summary - Risk Exposure over time - Successful attacks by type - Vulnerabilities by cause - Vulnerability Report - Remediation Report Report templates and guides 5

6 During this introductory module, the student will understand the basics of Web applications. An in-depth coverage of the Same Origin Policy in its latest developments and the Cookie will help experienced and nonexperienced penetration testers gain critical foundational skills useful for the rest of the training course. At the end of the module, the student will become familiar with tools such as Burp Suite and OWASP ZAP. It is a light necessary introduction for a heavily practical, advanced training course. 2. Introduction to Web Applications 2.1. HTTP/S Protocol Basics HTTP Request HTTP Response HTTP Header Field Definitions HTPPS 2.2. Encoding Introduction Charset ASCII UNICODE Charset vs. Charset Encoding Unicode Encoding HTML Encoding - HTML Entities URL Encoding (percent encoding) Base Same Origin Origin definition What does SOP protect from? How SOP Works Exceptions Windows.location Document.domain Cross window messaging Cross Origin Resource Sharing 2.4. Cookies Cookies Domain Specified cookie domain Unspecified cookie domain Internet Explorer Exception Inspecting the cookie protocol Login Set-Cookie Cookie Cookie installation Correct cookie installation Incorrect cookie installation 2.5. Sessions 2.6. Web Application Proxies Burp Suite OWASP ZAP 6

7 Let the Penetration test start! Every penetration test begins with the Information gathering phase. This is where a penetration tester understands the application under a functional point of view and collects useful information for the following phases of the engagement. A multitude of techniques will be used in order to collect behavioral, functional, applicative and infrastructural information. The student will use a variety of tools to retrieve readily available information from the target. 3. Information Gathering 3.1. Gathering information on your target Finding owner, IP and s Whois - Command line - Web based tool DNS Nslookup - Find target ISP - Netcraft 3.2. Infrastructure Fingerprinting the web server Netcat WhatWeb Wappalyzer Web server modules Enumerating subdomains Netcraft Google Subbrute Dnsrecon TheHarvester Zone transfer Finding virtual hosts 3.3. Fingerprinting frameworks and applications Third party add-ons Mapping results 3.4. Fingerprinting custom applications Burp target crawler Creating a functional graph Mapping the attack surface Client side validation Database interaction Ile uploading and downloading Display of user supplied data Redirections Accesss control and login protected pages Error messages Charting 7

8 3.5. Enumerating resources Crawling the website Finding hidden files Back up and source code Enumerating users accounts Map 3.6. Relevant information through misconfigurations Directory listing Log and configuration files HTTP verbs and file upload 3.7. Google hacking Search operators 3.8. Shodan HQ The most widespread web application vulnerability will be dissected and studied in all its parts. At first, you will be provided with theoretical explanation. This understanding will help you in the exploitation and remediation process. Later you will master all the techniques to find XSS vulnerabilities through black box testing. 4. Cross Site Scripting 4.1. Cross Site Scripting Basics 4.2. Anatomy of an XSS Exploitation 4.3. The three types of XSS Reflected XSS Persistent XSS DOM based XSS 4.4. Finding XSS Finding XSS in PHP code 4.5. XSS Exploitation XSS and Browsers XSS Attacks Cookie Stealing through XSS Defacement XSS for advanced phishing attacks BeEF 4.6. Mitigation Input Validation Context-Aware output encoding Never trust user input 8

9 This module will contain the most advanced techniques to find and exploit SQL Injections. From the explanation of the most basic SQL injection up to the most advanced. Advanced methods will be taught with real world examples and the best tools will be demonstrated on real targets. You will not just be able to dump remote databases but also get root on the remote machine through advanced SQL Injection techniques. 5. SQL Injection 5.1. Introduction to SQL Injections SQL Statements SELECT UNION SQL Queries inside web applications Vulnerable dynamic queries How dangerous is a SQL Injection SQLi attacks classification In-band SQLi Error-based SQLi Blind SQLi 5.2. Finding SQL Injections Simple SQL injection scenario SQL errors in web applications Boolean based detection Example 5.3. Exploiting in-band SQL Injections First scenario In-band attack challenges Enumerating the number of fields in a query Different DBMS UNION mismatch errors Blind enumeration Identifying field types Dumping the database content 5.4. Exploiting Error based SQL Injections MS SQL Server error-based exploitation The CAST technique Finding the DBMS version Dumping the database data Finding the current username Finding readable databases Enumerating database tables Enumerating columns Dumping data Video Error based SQLi MySQL Error-Based SQLi PostgreSQL Error-Based SQLi Developing Error-Based SQLi Payloads 5.5. Exploiting Blind SQL Injections Exploitation Scenario 9

10 Detecting the current user Scripting Blind SQLi data dump Exploiting blind SQLi String extraction Optimize blind SQLi Time based blind SQLi 5.6. SQLMap Basic syntax Extracting the database banner Information Gathering Extracting the Database Extracting the Schema Video SQL Injection Video SQLMap SQLMap advanced Usage Forcing the DBMS Fine tuning the payloads Aggressiveness and load Conclusions 5.7. Mitigation Strategies Prepare statement Implementation Type casting Input validation 5.8. From SQLi to Server Takeover Advanced SQL Server Exploitation xp_cmdshell Internal Network Host Enumeration Port Scanning Reading the File System Uploading Files Storing Command Results into a Temporary Table Advanced MySQL Exploitation Reading the File System Uploading Files Executing Shell Commands Conclusions

11 Any application with a minimum of complexity requires authentication at some point. Chances are that the authentication mechanisms in place are not sufficient or are simply broken, exposing the organization at serious security issues leading to a complete compromise of the web application and the data it stores. During this module, the student will learn the most common authentication mechanisms, their weaknesses and the related attacks: from inadequate password policies to weaknesses in the implementation of common features. 6. Authentication and Authorization 6.1. Introduction Authentication vs Authorization Authentication factors Single-factor authentication Two-factor authentication 6.2. Common Vulnerabilities Credentials over unencrypted channel Inadequate password policy Dictionary attacks Brute force attacks Defending from inadequate password policy - Strong password policy - Storing hashes - Lockout/Blocking requests User enumeration Via error messages Via website behavior Via timing attacks Taking advantage of user enumeration Default or easily-guessable user accounts The remember me functionality Cache browser method Cookie method Web storage method Best defensive techniques Password reset feature Easily guessable answers Unlimited attempts Password reset link Logout weaknesses Incorrect session destruction CAPTCHA 6.3. Bypassing Authorization Insecure direct object references Best defensive techniques Missing function level access control Parameter modification Vulnerable web application Incorrect redirection Redirect to protect contents Best defensive techniques 11

12 SessionID prediction SQL Injections Local file inclusion and path traversal Session related vulnerabilities are the subject of this module with extensive coverage of the most common attacking patterns. Code samples on how to prevent session attacks are provided in PHP, Java and.net At the end of the module the student will master offensive as well as defensive procedures related to session management within web applications. 7. Session Security 7.1. Weaknesses of the session identifier 7.2. Session hijacking Session Hijacking via XSS Exploit session hijacking via XSS Preventing session hijacking via XSS - PHP - Java -.Net Session Hijacking via Packet Sniffing Session Hijacking via access to the web server 7.3. Session Fixation Attacks Set the sessionid Force the victim Vulnerable web application Preventing Session Fixation 7.4. Cross-site request forgeries Finding CSRF Exploiting CSRF Preventing CSRF 12

13 Flash, although a dying technology, is still present on millions of websites online. Flash files can expose a web application and its users to a number of security risks that will be covered within this module. The student will first study the Flash security model and its pitfalls. Then will use the most recent tools to find and exploit vulnerabilities in Flash files. After having studied this module, students will never look at SWF files the same way. 8. Flash Security and Attacks 8.1. Introduction Actionscript Compiling and decompiling Embedding flash in HTML The allowscriptaccess attribute Passing arguments to flash files Direct reference Flash embedded in HTML FlashArgs attribute 8.2. Flash Security Model Sandboxes Stackeholders Administrative role User role Website role URL policy file Author role Calling JavaScript from Actionscript Calling ActionScript from JavaScript Method NavigateToURL Local shared object 8.3. Flash Vulnerabilities Flash parameter injection Fuzzing flash with SWFInvestigator Finding hardcoded sensitive information 8.4. Pentesting Flash Application Analyzing client side components Identifying communication protocol Analyzing server side components This module is an extremely in-depth coverage of all the attack vectors and weaknesses introduced by drafted as well as finalized W3C new standards and protocols. 9. HTML Cross Origin Resource Sharing Same Origin Policy issues Cross-Domain policy in flash Cross Origin resource sharing Cross-origin Ajax requests Requests 13

14 We will go through the most important elements of HTML5 and especially the new CORS paradigm that completely changes the way the SOP is applied to most modern web applications. By mastering this module in theory and practice, the student will possess an arsenal of penetration testing techniques that are still unknown to the vast majority of penetration testers. A number of Hera labs are available to practice all the aspects covered within this module. This module brings penetration testers skills to the next level with next generation attack vectors that are going to affect web applications for the next decade. - Simple request - Preflighted request - Request with credentials Access Control Headers - Access-Control-Allow-Origin - Access-Control-Allow-Credentials - Access-Control-Allow-Headers - Access-Control-Allow-Methods - Access-Control-Allow-Max-Age - Access-Control-Expose-Headers - Header origin - Access-Control-Request-Method - Access-Control-Request-Headers 9.2. Cross Windows Messaging Relationship between windows Sending messages Receiving messages Security issues Cross Domain XSS 9.3. Web Storage Different storages Local storage Session storage Local storage APIs Adding an item Retrieving an item Removing an item Removing all items SessionStorage APIs Security Issues Stealing local storage via JS 9.4. WebSocket Real-time applications using HTTP WebSocket a new W3C standard Benefits WebSocket API Security Issues 9.5. Sandboxed frames Security issues before HTML Redirection Accessing the parent document from iframe HTML5 sandbox attribute 14

15 During this module, the student will practice a number of vulnerabilities that affect web application files and resources. The student will learn how to identify and exploit path traversal, file inclusion and unrestricted file upload vulnerabilities. 10. File and Resource Attacks 10.1.Path traversal Path convention Encoding Best defensive techniques 10.2.File Inclusion vulnerabilities Local File Inclusion (LFI) Remote File Inclusion (RFI) 10.3.Unrestricted file upload Vulnerable web application The attack Best defensive techniques Filtering based on file content During this module, the student will practice a number of vulnerabilities that, despite being less known or publicized, are still affecting a number of web applications across many different programming languages and platforms. Advanced clickjacking attacks are covered in depth with real world examples and dissected real world attacks. The level of depth and the amount of practical sessions during this module will provide even seasoned penetration testers with new ways to break the security of their targets. 11. Other Attacks 11.1.Clickjacking Understanding Clickjacking Feasibility study Case 1: Clickjacking is possible Case 2: Clickjacking is not possible Building of a malicious web page Spreading the malicious link Waiting for the victim click Best defensive techniques The old school Using HTTP header X-Frame- Options Likejacking in Facebook Cursorjacking 11.2.HTTP Response Splitting Typical vulnerable scenario XSS through HTTP response splitting Bypassing Same Origin Policy Attack explained Best defensive techniques Defense in PHP 11.3.Business Logic Flow Vulnerable web application 15

16 Best defensive techniques 11.4.Denial of Services Different DoS attacks DoS due huge number of requests DoS due to greedy pages Best defensive techniques Professional penetration testers should master all aspects related to web services testing. Web services are nowadays the data and logic provider for a variety of thin and thick clients, from web application clients to mobile applications. During this highly in depth module the student will first become familiar with web services paradigms and protocols and then learn all the most important related security issues. WSDL and SOAP testing will be covered not only in theory but also in practice in our Hera Lab. 12. Web Services 12.1.Introduction 12.2.Web Services Implementations XML-RPC JSON-RPC SOAP RESTful 12.3.The WSDL Language Interaction between client and server Objects in the WSDL Binding PortType Operation Interface Message SOAP in action Further reading 12.4.Attacks WSDL Disclosure Google hacking Discovering WSDL files Public Web Services WSDL Scanning Attack in action SOAPAction spoofing Prerequisites for the attack Attack in action Best defensive techniques SQLi Through SOAP messages Best defensive techniques 16

17 XPath is the XML standard that allows web applications to query XML databases. In this module, the student will learn advanced XPath injection techniques, in theory and practice in Hera lab. 13. XPath Injection 13.1.XML Documents and Databases 13.2.XPath XPath expression and syntax XPath vs SQL 13.3.Detecting XPath Injection Error based injection Blind injection Detect trues condition Detect false condition 13.4.Exploitation Bypassing XPath query Extracting the XML document structure Finding out the root node Finding the first child node name Finding the content of a node 13.5.Best Defensive Techniques 17

18 About elearnsecurity A leading innovator in the field of practical, hands-on IT security training. Based in Pisa (Italy), Dubai (UAE) and in San Jose (USA), elearnsecurity is a leading provider of IT security and penetration testing courses including certifications for IT professionals. elearnsecurity's mission is to advance the career of IT security professionals by providing affordable and comprehensive education and certification. All elearnsecurity courses utilize engaging elearning and the most effective mix of theory, practice and methodology in IT security - all with real-world lessons that students can immediately apply to build relevant skills and keep their organization s data and systems safe elearnsecurity S.R.L Via Matteucci 36/ Pisa, Italy For more information, please visit 18