Web Application Penetration Testing
16 Week Training Program
There are various kinds of penetration testing. This course focuses specifically on web application penetration testing. Because it is aimed at an entry-level audience, the class concentrates on the most common web application vulnerabilities, including the OWASP Top 10. The course runs three (3) to four (4) months, including the boot camp at the end, and comprises twelve (12) modules. The class is paced so that all students can follow and learn together, and students have maximum access to teaching resources so that they can complete their tasks on time. For graduates of this course, and for those already working as penetration testers, we offer an advanced course that goes deeper into web application penetration testing. Throughout the course, students will have regular homework and quizzes. Homework is submitted in report format, as is usually done in the real world; this practice prepares students for the final projects they must submit at the end of the course during the boot camp period.
Introduction to Penetration Testing
Students will learn what penetration testing is and differentiate it from Quality Assurance testing. The student will become familiar with what to expect in the professional world and what tools to use to become confident on the job.
In this section, students will learn how to gather the information needed to test an application, fingerprint the application and its components, and identify potential vulnerabilities.
In this section, we will discuss how to test for authentication flaws and what measures to take against them.
In this module, we will discuss what authorization bypass is, how to identify potential authorization vulnerabilities, and how to prevent attacks that target authorization flaws.
Students will learn about session-targeted attacks and vulnerabilities and how to prevent such attacks.
This section covers client-side attacks such as DOM-based XSS, HTML injection, unvalidated redirects, client-side control bypass and cross-frame scripting: how each attack occurs and how to mitigate it.
Students will learn about various injection flaws, such as XSS, SQL injection, malicious file uploads and command injection. We will also go over why these attacks matter and how to mitigate them.
Cross-Site Request Forgery
In this module, we will learn all about CSRF attacks and how to create a form that executes the attack. We will also discuss the security measures that protect against CSRF attacks.
In this module, the entire configuration of the web application, along with all its components, is discussed. We also discuss how to test for configuration flaws and, as in the modules above, how to prevent them.
We will learn how the different functions of an application exercise its APIs and how we may test those APIs for security vulnerabilities.
This module covers vulnerabilities related to the cryptographic algorithms an application uses and how to mitigate them.
This module will prepare students to identify and prevent exposure of sensitive data through the application's verbose error messages, server-side code exposure, improper caching directives, client-side code comments and similar channels.
i. Boot Camp
This course features a boot camp at the end that brings together all the knowledge students gained throughout the course. The boot camp is led by a manager, just as in a work environment. The manager assigns tasks and collects the students' work. Students take part in the entire assessment cycle, from the pre-engagement meeting to the debrief meeting, so they gain a clear picture of a real-life work environment.
ii. Final Projects
All students are required to complete at least two (2) full assessments of applications assigned to them by the boot camp manager during the month-long boot camp at the end of the course. This prepares them for the real world and combines everything they learned in class through end-to-end testing of applications.
iii. Interview Session
During the boot camp, we conduct mock interviews and teach how to interpret interview questions. Students learn how to answer interview questions strategically for any scenario discussed during the course, which wraps up the whole session and prepares them for the application security workforce.
iv. Report Writing
Students learn how to write professional reports that communicate findings to developers, application owners and senior management. Students write reports throughout the course for each homework assignment, which helps them fine-tune their report-writing skills. During the boot camp, students must submit final project reports that count toward their overall class grade. Report writing typically carries substantial weight in penetration testing certifications, and it is certainly one of the most important parts of a penetration tester's job.
After each module, students are assigned homework. The homework mostly involves performing the test cases for that module. After testing for those vulnerabilities, students compile their findings in a report.
Students have a quiz each week on the topics taught that week. The quizzes are mostly multiple-choice questions, with some matching, multiple-answer and fill-in-the-blank questions. Apart from the weekly quizzes, there is a mid-term and a final exam. The quizzes and exams help students review the modules, understand the "whats", "hows" and "whys" of the vulnerabilities, and prepare for interview questions as well.