Overview
Master the craft of exploiting web applications to find flaws in your enterprise's web apps. You'll learn about the attacker's tools and methods to be a more powerful defender. Through detailed, hands-on exercises and with guidance from the instructor, you will learn the four-step process for web application penetration testing; inject SQL into back-end databases to learn how attackers exfiltrate sensitive data; and utilise cross-site scripting attacks to dominate a target infrastructure. You will also explore various web app vulnerabilities in-depth using proven techniques and a structured testing regimen.
Key Takeaways
At the end of this programme, you will be able to:
- Apply OWASP's methodology to your web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control
- Analyse the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives
- Manually discover key web application flaws
- Use Python to create testing and exploitation scripts during a penetration test
- Discover and exploit SQL Injection flaws to determine true risk to the victim organisation
- Understand and exploit insecure deserialisation vulnerabilities with ysoserial and similar tools
- Create configurations and test payloads within other web attacks
- Fuzz potential inputs for injection attacks
- Explain the impact of exploitation of web application flaws
- Analyse traffic between the client and the server application using tools such as the Zed Attack Proxy and Burp Suite Pro to find security issues within the client-side application code
- Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks
- Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application
- Perform two complete web penetration tests, one during the five sections of programme instruction, and the other during the Capture the Flag exercise
Who Should Attend
- Please refer to the job roles section.
- Security personnel whose job involves assessing networks and systems to find and remediate vulnerabilities.
- Penetration testers.
- Ethical hackers.
- Defenders who want a better understanding of offensive methodologies, tools, and techniques.
- Auditors who need to build deeper technical skills.
- Red Team members.
- Blue Team members.
- Forensics specialists who want a better understanding of offensive tactics.
- Incident responders who want to understand the mind of an attacker.