Web Application Penetration Testing


Web Application Penetration Testing COURSE BROCHURE & SYLLABUS

Course Overview

Web Application Penetration Testing (WAPT) is the set of security testing techniques used to find vulnerabilities or security holes in corporate websites and web applications. These vulnerabilities leave websites open to exploitation. The Web Application Penetration Testing course from CODEC Networks is a totally hands-on learning experience. From the first day to the last, you will learn the ins and outs of web app pen testing by attending thought-provoking lectures led by an expert instructor. Every lecture is directly followed by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps).

Globally, with the rising number of web defacement incidents, the scope for web application penetration testers is definitely rising. Today, web application penetration testers are in very high demand in software companies, IT security firms, government and the private sector.

By the end of the course, you should be able to meet the following objectives:
o An understanding of advanced web penetration techniques
o Skills to test and exploit specific target environments such as content management systems and infrastructure applications
o Understanding of encryption and its usage within web applications
o Methods to recognize and bypass application, platform and WAF defences
o Skills to test and evaluate web services used in an enterprise
o Understanding how to test backend services for mobile applications

Target Audience

Prior to enrolling in our authorized WAPT course, candidates must have basic knowledge of:
o Java, .NET or PHP
o Database programming
o HTML and JavaScript

Those who successfully complete this training can pursue a career as a web pen tester, web security analyst/consultant or web application security analyst.

Course Duration: 24 Hours

Course Content

Introduction
o Introduction to the course
o How to get the most out of the course
o Resources you will need for the course
o What is WAPT?

Introduction to Web Applications
o What is a web application?
o History of web applications
o Existing problems and challenges in present web applications
o Overview of web application defences

Basics
o How a web application works
o Architecture of web applications
o Basics of HTML, CSS and JavaScript
o Basics of a server-side language (PHP/J2EE/ASP.NET)

HTTP Protocol
o Overview of RFC 2616
o HTTP messages & entities
o HTTP request, HTTP response
o HTTP status codes
o Various types of encoding schemes

Web Servers and Clients
o IIS server, Apache server and other servers
o Browsers
o Browser's same-origin policy
o Other web-enabled clients

Server-side and Client-side Security Controls
o Input validation & output validation (encoding)
o Insufficient input & output validations
o Validation approaches
o Bypass thin/thick (decompile) client validations
o Leveraging Ajax and Web 2.0 in attacks
o Bypass server-side validations

Mastering Burp Suite
o Introduction to Burp Suite
o Configuring Burp Suite
o Burp Proxy, Burp Spider, Burp Intruder, Burp Repeater, Burp Sequencer

Injections
o SQL injection, blind SQL injection, command injection, LDAP injection, XPath injection, SOAP injection
o Other injections
o Implications of injections
o Test methodology for injections

Cross-site Scripting
o Reflected XSS, stored XSS, DOM XSS
o Implications of XSS
o Test methodology for XSS

Cross-site Request Forgery
o CSRF with GET method
o CSRF with POST method
o Implications of CSRF
o Test methodology for CSRF

Authentication Testing
o Guessable passwords
o Failure messages
o Brute forcing login
o Plain-text password transmission
o Improper implementation of forgot-password functionality
o "Remember me" functionality
o Guessable user names
o Multi-factor authentication flaws
o Fail-open login mechanisms
o Insecure storage of credentials

Authorization Testing
o Introduction to authorization
o Implementation weaknesses in authorization
o Horizontal privilege escalation
o Vertical privilege escalation
o URL, form and cookie based escalation

Types of Web Application Security Testing
o Black box testing, white box testing & grey box testing
o Vulnerability assessment vs penetration testing
o Web application penetration test scope and process
o Legalities of the VAPT

Reconnaissance
o Footprinting: domain details (whois) - Technicalinfo.net
o OS and service fingerprinting: Netcraft.com, banner grabbing, httprint
o Google hacking
o Load balancer identification
o Spidering a web site (wget, Burp Spider)
o Application flow charting
o Relationship analysis within an application
o Software configuration discovery

SSL & Configuration Testing
o Testing SSL/TLS ciphers
o Testing SSL certificate validity (client and server)
o Infrastructure and application admin interfaces
o Testing for HTTP methods and XST
o Testing for file extension handling
o Old, backup and unreferenced files
o Application configuration management testing

Session Management Testing
o Need for session and state
o Ways to implement state
o How session state works
o What are cookies
o Common cookie and session issues
o Man in the middle

Brute Force Web Applications
o Brute force authentication, brute force authorization, brute force web services, brute force web server, brute force .htaccess

Parameter Manipulation
o Query string manipulation, form field manipulation, cookie manipulation, HTTP header manipulation

Other Attacks
o Sniffing, phishing & vishing
o D(D)oS attacks
o Unvalidated redirects and forwards

Samurai WTF
o Introduction to Samurai WTF
o Various tools in Samurai WTF
o Nikto, w3af, BeEF Framework, fuzzing and JBroFuzz, DirBuster, Netcat, Brutus and Hydra
o Overview of various proxies (Zed, RAT, Paros, WebScarab)

Firefox Security Add-ons
o Tamper Data
o SQL Inject Me
o XSS Me
o Firebug
o Live HTTP Headers
o FoxyProxy
o Web Developer

Automated Scanners
o Acunetix, IBM AppScan, Burp Scanner
o Effectiveness of automated tools
o Reduction of false positives and false negatives

VAPT Methodologies
o OWASP, SANS 25, WAHH, OWASP checklist

Reporting
o Importance of documentation
o OWASP Risk Rating Methodology
o Creating managerial and technical VAPT reports
o Open reporting standards