Web Application Security

The SecurityLearn Web Application Security Training course focuses on the manual and automated discovery and exploitation of web application vulnerabilities. It is a complete, practical web application penetration testing course for people who want to learn the art of security testing web applications. The training also gives insight into the up-to-date hacking tools required for conducting a complete web application security assessment.

Course Content

History of web applications
– Why web applications need to be secured
– How to secure web applications

HTTP
– Introduction
– HTTP Methods
– WEBDAV methods
– Request/Response analysis [demo]
– Security problems with HTTP [demo]

HTTPS
– Handshake protocol
– Record protocol

Proxy
– Need for proxy tool
– Configuring proxy [demo]
– Burp Proxy

Encoding Techniques
– URL Encoding
– HTML Encoding
– Base64 Encoding
– Tools: Burp decoder

Information Gathering
– Spiders, crawlers / Search engine discovery / Banner Grabbing / Robots.txt [demo]
– Analysis of error codes
– Tools: httprint, Netcraft

Attacking Authentication
– Authentication Types
– Wrong implementations of ‘Forgot Password’ [demo]
– Brute force/Account Lockouts/Error messages
– Insecure credential transmission
– Countermeasures
– Tools: Burp Repeater

Attacking Authorization
– Authentication vs Authorization
– Unprotected Functionality [demo]
– Parameter tampering [demo]
– Horizontal privilege escalation [demo]
– Vertical privilege escalation [demo]

Cryptography weakness
– Types of encryption
– Unencrypted Channel
– Weak SSL ciphers [demo]
– Cracking hashes [demo]
– Advanced SSL attacks
– Tools: Qualys SSL Labs SSL Server Test

Attacking Session management
– Introduction
– Session Token analysis [demo]
– Session fixation [demo]
– Secure flag / HTTPOnly flag [demo]
– Cookie Domain & Path [demo]
– Tools: Burp sequencer
– Other issues

Cross site scripting attacks
– Reflected XSS [demo]
– Stored XSS [demo]
– DOM based XSS [demo]
– Anatomy of XSS
– Exploitation [demo]
– Impact of XSS
– Remediation

SQL injection
– Error based SQLi [demo]
– Union based SQLi [demo]
– Blind SQLi
– SQLi exploitation [demo]
– Data extraction [demo]
– Impact of SQLi
– Remediation
– Stored procedures vs parameterized queries
– Tools: SQLMap

Cross site request forgery
– Anatomy of CSRF [demo]
– Remediation

URL Redirection attacks
– Phishing attacks [demo]
– Remediation

Input validation attacks
– File Uploads [demo]
– Path traversal attacks [demo]
– Local file inclusions
– Remote file inclusions
– Remediation Techniques

Server Configuration issues
– Directory listing
– Caching vulnerabilities [demo]
– Exploiting WebDAV methods [demo]
– Clickjacking Attacks [demo]

Attacking Web Server
– Denial of service attacks [demo]
– Buffer overflows
– Remediation

OWASP Top10 web application risks

Automated Scanners
– Usage of tools
– Advantages & disadvantages with scanners
– IBM- AppScan Standard Edition [demo]

OWASP Risk Rating methodology

Penetration testing Reports
– Executive reports
– Detailed reports

Web application Security check list

For registrations contact – satishb3@securitylearn.net

* For remote users, the course will be delivered online over Skype.
