Intense Introduction to Hacking Web Applications
This course starts with an introduction to modern web applications and then immediately dives into the mapping and discovery phase of testing. In this course, you will learn security penetration testing methodologies and concepts by going over step-by-step examples in real time.
This hands-on training course will use various open source tools. You will learn how to exploit SQL injection, command injection, cross-site scripting (XSS), XML External Entity (XXE), and cross-site request forgery (CSRF). You will also learn how to perform assessments of modern APIs used for mobile and IoT applications. This course includes interactive labs where students can interact with a series of vulnerable web applications in a safe environment. Learn how to craft the exploits that ethical hackers use to demonstrate real-world vulnerabilities during penetration testing.
What you'll learn and how you can apply it
- Learn through step-by-step interactive demonstrations
- Perform real-world pen testing
This training course is for you because...
- You have an understanding of cybersecurity fundamentals.
- You are interested in cybersecurity and penetration testing (ethical hacking).
- You want to learn different methodologies and best practices to perform security penetration testing assessments.
Course participants should have a basic understanding of cybersecurity and networking, plus core familiarity with Microsoft Windows and Linux operating systems. The following books and video courses provide a good overview of the cybersecurity fundamentals that are prerequisites for this course:
- CCNA Cyber Ops SECFND 210-250 Official Cert Guide, First Edition (book)
- CCNA Cyber Ops SECFND 210-250 (video)
- This is a hands-on course. Please go to the accompanying site for this Live Training course to download and install the required virtual machine (VM): https://webapps.h4cker.org
- (Learning Path) From Zero to Ethical Hacker: 10 Weeks to Becoming an Ethical Hacker and Bug Hunter: https://learning.oreilly.com/learning-paths/from-zero-to/8204091500000000008/
- The Art of Hacking (Video Collection)
- Security Penetration Testing (The Art of Hacking Series) LiveLessons (video)
- Wireless Networks, IoT, and Mobile Devices Hacking (The Art of Hacking Series) (video)
- Enterprise Penetration Testing and Continuous Monitoring (The Art of Hacking Series) (video)
About your instructor
Omar Santos is an active member of the cybersecurity community, where he leads several industry-wide initiatives. He is the lead of the DEF CON Red Team Village; the chair of the Common Security Advisory Framework (CSAF) technical committee; the co-chair of the Forum of Incident Response and Security Teams (FIRST) Open Source Security working group; and has been the chair of several initiatives in the Industry Consortium for Advancement of Security on the Internet (ICASI). His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of their critical infrastructures.
Omar is the author of over twenty books and video courses, as well as numerous white papers, articles, and security configuration guidelines and best practices. Omar is a principal engineer of the Cisco Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of cybersecurity vulnerabilities. Additional information about Omar's current projects can be found at omarsantos.io, and you can follow Omar on Twitter @santosomar.
The timeframes are only estimates and may vary according to how the class is progressing.
Section 1: Introduction to Web Application Penetration Testing Methodologies (20 minutes)
- An introduction to ethical hacking and penetration testing methodologies
- Reviewing the OWASP Testing Methodologies
Section 2: Building Your Own Web Application Lab (20 minutes)
- Building your own lab
- Installing WebSploit
- Reviewing the Installation and Tools
- Reviewing additional tools and web application hacking environments
Section 3: Reconnaissance and Profiling Web Applications (20 minutes)
- Conducting information gathering using appropriate techniques
- Vulnerability Scanning
- Analyzing vulnerability scan results
- The process of leveraging information to prepare for exploitation
- Weaknesses related to specialized systems
Section 4: Authentication and Session Management Vulnerabilities (20 minutes)
- Introducing authentication methods
- Exploiting authentication-based vulnerabilities
- Exploiting session management vulnerabilities
Lab Exercises and Break (60 minutes)
Section 5: Exploiting Cross-site Scripting (XSS) and Understanding Cross-site Request forgery (CSRF/XSRF) Vulnerabilities (20 minutes)
- Reflected XSS
- Stored XSS
- DOM-based XSS
- Understanding Cross-site Request Forgery (CSRF/XSRF)
Break (5 minutes)
Section 6: Exploiting SQL Injection (25 minutes)
- Overview of SQL Injection
- Exploiting SQL Injection Vulnerabilities
Section 7: Exploiting XML External Entity (XXE) Vulnerabilities (30 minutes)
- Understanding XXE
- Exploiting XXE vulnerabilities
Section 8: Hacking APIs, Fuzzing, and Q&A (20 minutes)
- Overview of APIs
- Hacking APIs