Scribd
Upload
125 views

Web Application Penetration Testing Course Content

The document describes a Web Application Penetration Testing training course. The course teaches skills like web app analysis, information gathering, enumeration, and exploiting vulnerabilities commonly found in web and mobile apps. Students will learn techniques for exploiting and defending apps, performing static and dynamic app analysis, and finding vulnerabilities in source code. The target audience includes penetration testers, developers, administrators, and security analysts with basic HTML and security experience. The training will provide hands-on experience in a cloud lab environment using tools to assess and exploit demo apps.

Uploaded by

happyfeet dash
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
125 views

Web Application Penetration Testing Course Content

The document describes a Web Application Penetration Testing training course. The course teaches skills like web app analysis, information gathering, enumeration, and exploiting vulnerabilities commonly found in web and mobile apps. Students will learn techniques for exploiting and defending apps, performing static and dynamic app analysis, and finding vulnerabilities in source code. The target audience includes penetration testers, developers, administrators, and security analysts with basic HTML and security experience. The training will provide hands-on experience in a cloud lab environment using tools to assess and exploit demo apps.

Uploaded by

happyfeet dash
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

Course Description

Web Application Penetration Testing Training at Infosectrain is


designed to teach the details of web app penetration testing
in an immersive environment. Our trainers are experts of the
industry and they will teach you Web application analysis,
information gathering and enumeration to add to your skill.
Our Web Application Penetration Testing course will let you
have a hands-on penetration testing experience in our
cloud-hosted lab environment.You will be provided with an
app demonstrating a vulnerability commonly found in a Web
or mobile app. which will help you in learning to assess the
app and exploit it like an experienced professional.

Thus, during this WAPT course you will learn to:

• Exploit and defend web and mobile apps

• Perform static and dynamic analysis of iOS and


Android apps by using popular tools

• Find vulnerabilities in source code, and

• Exploit weaknesses in the implementation of web application


security

www.infosectrain.com | [email protected] 01
Target Audience
Web Application Penetration Testing Course is beneficial for:

• Penetration testers
• Application developers
• Web administrators
• Security analysts

Pre-Requisite
• Basic understanding of HTML, HTTP and JavaScript.
• Knowledge of PHP code will help although it is not mandatory
• one year in an information security role, or equivalent experience
is recommended.

www.infosectrain.com | [email protected] 02
Why Infosec Train?

Certified & Flexible Schedule Access to the


Experienced Instructor recorded
sessions

Post Training Tailor Made Training 4 hrs/day in


Support Weekend/
Weekday

www.infosectrain.com | [email protected] 03
COURSE CONTENT

Web Application Assessment

Authentication vulnerabilities

Authorization vulnerabilities

Improper Input Validation & Injection


vulnerabilities

Insecure file handling

Session & browser manipulation attacks

Information leak

www.infosectrain.com | [email protected] 04
Course Content

Web Application Assessment


• OWASP Top 10 Vulnerabilities
• Threat Modelling Principle
• Site Mapping & Web Crawling
• Server & Application Fingerprinting
• Identifying the entry points
• Page enumeration and brute forcing
• Looking for leftovers and backup files

Authentication vulnerabilities
• Authentication scenarios
• User enumeration
• Guessing passwords - Brute force & Dictionary attacks
• Default users/passwords
• Weak password policy
• Direct page requests
• Parameter modification
• Password flaws
• Locking out users
• Lack of SSL at login pages
• Bypassing weak CAPTCHA mechanisms
• Login without SSL

Authorization vulnerabilities
• Role-based access control (RBAC)
• Authorization bypassing
• Forceful browsing
• Client-side validation attacks
• Insecure direct object reference

www.infosectrain.com | [email protected] 05
Improper Input Validation & Injection vulnerabilities

• Input validation techniques


• Blacklist VS. Whitelist input validation bypassing
• Encoding attacks
• OWASP Top 10 Vulnerabilities
• Directory traversal
• Threat Modelling Principle
• Command injection
• Site Mapping & Web Crawling
• Code injection
• Server & Application Fingerprinting
• Log injection
• Identifying the entry points
• XML injection – XPath Injection | Malicious files | XML Entity
• Page enumeration and brute forcing
• bomb
• Looking for leftovers and backup files
• LDAP Injection
• SQL injection
• Common implementation mistakes – authentication
• Bypassing using SQL Injection
• Cross Site Scripting (XSS)
• Reflected VS. Stored XSS
• Special chars – ‘ & < >, empty

Insecure file handling


• Path traversal • Directory listing
• Canonicalization • File size
• Uploaded files backdoors • File type
• Insecure file extension handling • Malware upload

Session & browser manipulation attacks


• Session management techniques • Session id rotation
• Cookie based session management • Session Fixation
• Cookie properties • Cross Site Request Forgery (CSRF)
• Cookies - secrets in cookies, tampering - URL Encoding
• Exposed session variables • Open redirect
• Missing Attributes - httpOnly, secure
• Session validity after logoff
• Long session timeout
• Session keep alive - enable/disable

www.infosectrain.com | [email protected] 06
Information leak

• Web Services Assessment


• Web Service Testing
• OWASP Web Service Specific Testing
• OWASP Top 10 Vulnerabilities
• Testing WSDL
• Threat Modelling Principle
• Sql Injection to Root
• Site Mapping & Web Crawling
• LFI and RFI]
• Server & Application Fingerprinting
• OWASP Top 10 Revamp
• Identifying the entry points
• Page enumeration and brute forcing
• Looking for leftovers and backup files

www.infosectrain.com | [email protected] 07
www.infosectrain.com | [email protected]

You might also like