3,116.15 - 6,232.30
1765 Greensboro Station Place, Suite 900, McLean, VA 22102, USA | 703-457-6699 | info@schoolofinfosec.com
Web Application Penetration Testing Modules - School of Information Security

Web Application Penetration Testing Modules

Introduction to Penetration Testing

In this module, the student will learn what penetration testing is and how it differs from Quality Assurance testing. The student will become familiar with what to expect in the professional world and which tools to use to become confident on the job. The student will understand what web applications are, how they work, which components make up an entire web application and how they work together. The student will also learn how clients request data and how servers respond.



Information Gathering

This module is the first part of testing a chosen web application. In this section, the student will learn how to look for information pertinent to testing the application, fingerprint the application, and find potential vulnerabilities.



Authentication

In this section, we will discuss how to test for authentication flaws and what measures to take against them.


Authorization

In this section, we will discuss what authorization bypass is, how to identify the potential vulnerabilities, and how to prevent attacks targeting authorization flaws.


Session Management

In this module, the student will learn about session-targeted attacks and vulnerabilities and how to prevent such attacks.


Client-Side Attacks

This section will cover client-side attacks such as DOM-based XSS, HTML Injection, Unvalidated Redirects, Client-Side Control Bypass and Cross-Frame Scripting: how each attack occurs and how to mitigate it.


Injection Flaws

In this section, the student will learn about various injection flaws such as XSS, SQL Injection, Malicious File Upload, and Command Injection. Why these attacks matter and how to mitigate them will also be covered in the class.


Cross Site Request Forgery

In this module, we will learn all about CSRF attacks and how to create a form that would execute the attack. We will then discuss the security measures that protect against CSRF attacks.


Configuration Management

In this module, the entire configuration of the web application, along with all of its components, is discussed. We also discuss how to test for configuration flaws and, as in all the modules above, how to prevent them.


API Testing

This section covers one of the most important parts of web application penetration testing, since most applications use APIs to exchange information with other applications. We will learn how the different functions of an application exercise its APIs and how to test those APIs for security vulnerabilities.


Cryptography

The Cryptography section will cover various vulnerabilities related to the cryptographic algorithms in use by the application. The students will learn in detail about these vulnerabilities and how to mitigate them.


Information Disclosure

This module will prepare students to identify the exposure of sensitive data through the application's verbose error messages, server-side code exposure, improper caching directives, client-side code comments, and so on. We will learn how to prevent sensitive data exposure and why ensuring its confidentiality is essential.