Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training Course Hands-on
This Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training course is designed to teach you the advanced skills and techniques required to test modern web applications and next-generation technologies. The Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training course uses a combination of lecture, real-world experiences, and hands-on exercises to teach you the techniques to test the security of tried-and-true internal enterprise web technologies, as well as cutting-edge Internet-facing applications.
The final Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training course day culminates in a Capture the Flag competition where you will apply the knowledge you acquired during the previous five days in a fun environment based on real-world technologies.
Modern web applications are growing more sophisticated and complex as they utilize exciting new technologies and support ever-more critical operations. Long gone are the days of basic HTML requests and responses. Even in the age of Web 2.0 and AJAX, the complexity of HTTP and modern web applications is progressing at breathtaking speed. With the demands of highly available web clusters and cloud deployments, web applications are looking to deliver more functionality in smaller packets at a decreased strain on backend infrastructure. Welcome to an era that includes tricked-out cryptography, WebSockets, HTTP/2, and a whole lot more. Are your web application assessment and penetration testing skills ready to evaluate these impressive new technologies and make them more secure?
Duration: 5 days
• We can adapt this Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training course to your group’s background and work requirements at little to no added cost.
• If you are familiar with some aspects of this Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training course, we can omit or shorten their discussion.
• We can adjust the emphasis placed on the various topics or build the Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training course around the mix of technologies of interest to you (including technologies other than those included in this outline).
• If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training course in manner understandable to lay audiences.
Audience / Target Group
• Web penetration testers
• Red team members
• Vulnerability assessment personnel
• Network penetration testers
• Security consultants
• QA testers
• System administrators
• IT managers
• System architects
This course assumes that you have a solid understanding of web penetration techniques and methodologies. You should be familiar with the HTTP protocol, HTML, and web applications. A minimum or one to two years of web penetration testing experience, successful completion of the GWAPT certification, or having attended the SEC542 course would fulfill these prerequisites.
After completing this Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques Training course, attendees will be able to:
• How to discover and exploit vulnerabilities in modern web frameworks, technologies, and backends
• Skills to test and exploit specific technologies such as HTTP/2, Web Sockets, and Node.js
• How to evaluate and find vulnerabilities in the many uses of encryption within modern web applications
• Skills to test and evaluate mobile backends and web services used in an enterprise
• Methods to recognize and bypass custom developer, web framework, and Web Application Firewall defenses
Review of the testing methodology
Using Burp Suite in a web penetration test
Exploiting local and remote file inclusions
Exploring advanced discovery techniques for SQL injection and other server-based flaws
Exploring advanced exploitation of XSS and XSRF in a combined attack
Learning advanced exploitation techniques
Web design patterns
Languages and frameworks
Java and struts
PHP type juggling
Attacking object serialization
The MEAN stack
Content management systems
Identifying the cryptography used in the web application
Analyzing and attacking the encryption keys
Exploiting stream cipher IV collisions
Exploiting Electronic Codebook (ECB) Mode Ciphers with block shuffling
Exploiting Cipher Block Chaining (CBC) Mode with bit flipping
Vulnerabilities in PKCS#7 padding implementations
Alternative Web Interfaces
Intercepting traffic to web services and from mobile applications
Flash, Java, ActiveX, and Silverlight vulnerabilities
SOAP and REST web services
Penetration testing of web services
WebSocket protocol issues and vulnerabilities
New HTTP/2 protocol issues and penetration testing
Web Application Firewall and Filter Bypass
Understanding of Web Application Firewalling and filtering techniques
Determining the rule sets protecting the application
Fingerprinting the defense techniques used
Learning how HTML5 injections work
Using UNICODE, CTYPEs, and Data URIs to bypass restrictions
Bypassing a Web Application Firewall's best-defended vulnerabilities, XSS and SQLi
On this final course day you will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this exercise is for you to explore the techniques, tools, and methodology you will have learned over the last five days. You'll be able to use these skills against a realistic extranet and intranet. At the end of the day, you will provide a verbal report of the findings and methodology you followed to complete the test. Students will be provided with a virtual machine that contains the Samurai Web Testing Framework (SamuraiWTF). You will be able to use this both in the class and after leaving and returning to your jobs.