Overview
In SEC542, you will practice the art of exploiting web applications to find flaws in your enterprise's web apps. You'll learn about the attacker's tools and methods in order to be a more powerful defender. Through detailed, hands-on exercises and with guidance from the instructor, you will learn the four-step process for web application penetration testing; inject SQL into back-end databases to learn how attackers exfiltrate sensitive data; and utilise cross-site scripting attacks to dominate a target infrastructure. You will also explore various other web app vulnerabilities in-depth using proven techniques and a structured testing regimen.
Key Takeaways
At the end of this programme, you will be able to:
- apply OWASP's methodology to your web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control
- analyse the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives
- manually discover key web application flaws
- use Python to create testing and exploitation scripts during a penetration test
- discover and exploit SQL Injection flaws to determine true risk to the victim organization
- understand and exploit insecure deserialization vulnerabilities with ysoserial and similar tools
- create configurations and test payloads within other web attacks
- fuzz potential inputs for injection attacks
- explain the impact of exploitation of web application flaws
- analyse traffic between the client and the server application using tools such as the Zed Attack Proxy and BurpSuite Pro to find security issues within the client-side application code
- manually discover and exploit Cross-Site Request Forgery (CSRF) attacks
- use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application
- perform two complete web penetration tests, one during the five sections of course instruction, and the other during the Capture the Flag exercise
Who Should Attend
- Please refer to the job roles section.
- Security personnel whose job involves assessing networks and systems to find and remediate vulnerabilities.
- Penetration testers.
- Ethical hackers.
- Defenders who want to better understand offensive methodologies, tools, and techniques.
- Auditors who need to build deeper technical skills.
- Red Team members.
- Blue Team members.
- Forensics specialists who want to better understand offensive tactics.
- Incident responders who want to understand the mind of an attacker.
Programme Structure
This programme will cover the following topics in order of day:
- Introduction and Information Gathering
- Content Discovery, Authentication, and Session Testing
- Injection and XXE
- CSRF, Logic Flaws and Advanced Tools
- Capture the Flag
Fees
|
Full Fee
|
|
Full programme fee
|
S$11753
|
|
8% GST on nett programme fee
|
S$940.24
|
| Total nett programme fee payable, including GST |
S$12693.24 |
With effect from 1 Jan 2023 till 31 Dec 2023
Upcoming Classes
Class 1
16 Oct 2023 to 21 Oct 2023 (Full Time)
Duration: 6 days
When:
Time : Day 1: 8am to 4.30pm; Day 2-6: 8.30am to 4.30pm
How To Register
|
Step 1
|
Apply through your organisation's training request system
|
|
Step 2
|
Your organisation's training request system (or relevant HR staff) confirms your organisation's approval for you to take the programme.
Your organisation will send registration information to the academy.
Organisation HR L&D or equivalent staff can click here for details of the registration submission process.
|
|
Step 3
|
GovTech Digital Academy will inform you whether you have been successful in enrolment.
|