Web App Penetration Testing and Ethical Hacking

This Course enables students to assess a web application’s security posture and convincingly demonstrate the business impact should attackers exploit the discovered vulnerabilities. You will practice the art of exploiting web applications to find flaws in your enterprise’s web apps. You’ll learn about the attacker’s tools and methods and, through detailed hands-on exercises, you will learn a best practice process for web application penetration testing, inject SQL into back-end databases to learn how attackers exfiltrate sensitive data, and utilize cross-site scripting attacks to dominate a target infrastructure. (Online classes available)

Skills Gained

YOU WILL BE ABLE TO:

Apply OWASP’s methodology to your web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control.
Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives.
Manually discover key web application flaws.
Use Python to create testing and exploitation scripts during a penetration test.
Discover and exploit SQL Injection flaws to determine true risk to the victim organization.
Understand and exploit insecure deserialization vulnerabilities with ysoserial and similar tools.
Create configurations and test payloads within other web attacks.
Fuzz potential inputs for injection attacks with ZAP, BurP’S Intruder and ffuf.
Explain the impact of exploitation of web application flaws.
Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and BurpSuite Pro to find security issues within the client-side application code.
Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks.
Manually discover and exploit Server-Side Request Forgery (SSRF) attacks.
Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application.
Use the Nuclei tool to perform scans of target web sites/servers.
Perform two complete web penetration tests, one during the five sections of course instruction, and the other during the Capture the Flag exercise.

BUSINESS TAKEAWAYS:

Apply a repeatable methodology to deliver high-value penetration tests
Discover and exploit key web application flaws
Explain the potential impact of web application vulnerabilities
Convey the importance of web application security to an overall security posture
Wield key web application attack tools more efficiently
Write web application penetration test reports

Course Content:

Module1: : Introduction and Information Gathering

Overview

Understanding the attacker’s perspective is key to successful web application penetration testing. The course begins by thoroughly examining foundational concepts such as web technology, including protocols, languages, clients, and server architectures, from the attacker’s perspective. We look at collecting open-source intelligence (OSINT) specific to data points likely to help exploitation be more successful, and we analyze the importance of encryption and HTTPS.

Section one concludes with profiling the target(s) to understand the underlying configuration. The collected data is used to build a profile of each server and identify potential configuration flaws. The discussion is underscored through several practical, hands-on labs in which we conduct reconnaissance in order to find forgotten virtual hosts. Students will get deeper hands-on experience with BurpSuite Pro, cURL, and manual exploitation techniques with tools such as nmap and testssl.sh.

Topics

- Overview of the web from a penetration tester’s perspective
- Web application assessment methodologies
- The penetration tester’s toolkit
- Interception proxies
- Proxying SSL through BurpSuite Pro and Zed Attack Proxy
- DNS reconnaissance
- Virtual host discovery
- Open-source intelligence (OSINT)
- The HTTP protocol
- Secure Sockets Layer (SSL) configurations and weaknesses
- Target discovery and profiling
- Configuration flaws

Module2: Content Discovery, Authentication, and Session Testing

Overview

Modern web applications frequently are not monitored as closely as they should, giving attackers the opportunity to discover, and exploit, vulnerabilities without anyone noticing. A systems configuration should involve proper logging and monitoring to ensure security-related events are not missed. That is why in this section we briefly explore logging configuration and basic incident response testing.

We enumerate the application’s pages and features. This phase involves identifying the components, analyzing the relationship between them, and determining how the pieces work together. We then dive deep into the spidering/crawling results, which represents a vital part of the overall penetration test, as well as perform forced browsing to find hidden content in a lab. This lab also introduces an extremely fast fuzzer, ffuf.

Topics

Logging and monitoring
Learning tools to spider a website
Analyzing website content
Brute forcing unlinked files and directories via ZAP and ffuf
Web authentication mechanisms
Fuzzing with Burp Intruder
Username harvesting and password guessing
Burp sequencer
Session management and attacks
Authentication and authorization bypass
Mutillidae

Module3: Injection

After ending section two with authentication bypass, we begin section three by exploring security-related protections included in the web server responses: cookie flags and response headers.

This course section dives deeply into vital manual testing techniques for vulnerability discovery. We focus on developing in-depth knowledge of interception proxies for web application vulnerability discovery. Many of the most common injection flaws (command injection and local and remote file inclusion) are introduced, and followed with lab exercises, to reinforce the discovery and exploitation.

Besides this, a section covers insecure deserialization, a common vulnerability in object-oriented programming languages, where students will exploit a Java insecure deserialization vulnerability in a lab to steal a secret file from a vulnerable web application. This lab requires more effort and demonstrates chaining of vulnerabilities to achieve the final goal.

Due to its prevalence and the significant impact generally associated with the flaw, a considerable portion of this section is devoted to traditional and blind SQL injection.

Topics

HTTP resonse security controls
Command injection
Directory traversal
Local File Inclusion (LFI)
Remote File Inclusion (RFI)
Insecure deserialization
SQL injection
Blind SQL injection
Error-based SQL injection
Exploiting SQL injection

Module4: :XSS, SSRF, and XXE

Overview

Section four continues exploring injection flaws and spends time introducing Cross-Site Scripting (XSS) vulnerabilities, including reflected, stored, and DOM-based XSS vulnerabilities. Manual discovery methods are employed during hands-on labs, and students are introduced to the developer tools in browsers, as a means of analyzing client side JavaScript in modern web applications.

Section four also introduces the Browser Exploitation Framework (BeEF) to students, which is used in multiple labs. The course continues with a detailed discussion of AJAX as we explore how it enlarges the attack surface leveraged by penetration testers. We also analyze how AJAX is affected by other vulnerabilities already covered in depth earlier in the course.

We discuss REST (Representational State Transfer) and SOAP (Simple Object Access Protocol). Finally, section four ends with us covering server-side request forgery (SSRF) and XML external entities (XXE)both of which include an associated lab. Again, in the SSRF lab multiple vulnerabilities are chained, relying on previously covered material.

Topics

Cross-Site Scripting (XSS)
Browser Exploitation Framework (BeEF)
AJAX
XML and JSON
Document Object Model (DOM)
API attacks
Data attacks
REST and SOAP
Server-Side Request Forgery (SSRF)
XML Eternal Entity (XXE)

Module5: CSRF, Logic Flaws and Advanced Tools

Overview

During the fifth section, we launch actual exploits against real-world applications, expand our foothold within the application, and extend it to the network on which it resides. As penetration testers, we specifically focus on ways to leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of web application penetration testing.

During our exploitation phase, we expand our use of tools such as ZAP and BurpSuite Pro, plus complement them with further use of sqlmap and Metasploit to help craft exploits against various web applications. We launch SQL injection and Cross-Site Request Forgery attacks, amongst others. In class we exploit these flaws to perform data theft, hijack sessions, deface a website, get shells, pivot against connected networks, and much more. Through various forms of exploitation, students gain a keen understanding of the potential business impact of these flaws to an organization.

Topics

Cross-Site Request Forgery (CSRF)
Logic attacks
Python for web app penetration testing
WPScan
ExploitDB
BurpSuite Pro scanner
Nuclei
Metasploit
When tools fail
Business of Penetration Testing:
- Preparation
- Post Assessment and Reporting

Module6: Capture The Flag

Overview

During section six, students form teams and compete in a web application penetration testing tournament. This Netwars-powered Capture-the-Flag exercise provides students an opportunity to wield their newly developed or further honed skills to answer questions, complete missions, and exfiltrate data, applying skills gained throughout the course. The style of challenge and integrated hint system allows students of various skill levels to both enjoy a game environment and solidify the skills learned in class.