Overview

Students will come to understand major web application flaws and their exploitation and, most importantly, learn a field-tested and repeatable process to consistently find these flaws and convey what they have learned to their organizations. Even technically gifted security geeks often struggle with helping organizations understand risk in terms relatable to business. Much of the art of penetration testing has less to do with learning how adversaries are breaking in than it does with convincing an organization to take the risk seriously and employ appropriate countermeasures. The goal of this course is to better secure organizations through penetration testing, and not just show off hacking skills. The course will help you demonstrate the true impact of web application flaws through exploitation.

Learning Outcomes

The course will prepare you to:
  • Apply a detailed, four-step methodology to your web application penetration tests: reconnaissance, mapping, discovery, and exploitation
  • Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives
  • Manually discover key web application flaws
  • Use Python to create testing and exploitation scripts during a penetration test
  • Discover and exploit SQL Injection flaws to determine true risk to the victim organization
  • Create configurations and test payloads within other web attacks
  • Fuzz potential inputs for injection attacks
  • Explain the impact of exploitation of web application flaws
  • Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and Burp Suite to find security issues within the client-side application code
  • Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks
  • Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application
  • Perform a complete web penetration test during the Capture the Flag exercise to bring techniques and tools together into a comprehensive test

Who Should Attend?

  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers, architects, and developers

Eligibility Criteria

  • Basic working knowledge of the Linux command line.

This course is endorsed under the Critical Infocomm Technology Resource Programme Plus (CITREP+) Programme.
To find out more about CITREP+ funding, please refer to the Programme Support section of the CITREP+ page.


Information is accurate as of 11 August 2020