Web Application Pentesting - WEB

Description

This course covers techniques and strategy concepts for performing professional web application penetration testing in a highly secure environment. The course has been developed around professional penetration testing, web application development and security awareness in the business and IT fields.
We will start the course by reviewing the key aspects of penetration testing, both in terms of methodologies and in terms of legal aspects and reporting. During the course, we will learn advanced reconnaissance techniques that allow us to prepare professionally for a penetration test. After discussing the OWASP Top 10 for 2021, we will deep-dive into web browser security mechanisms, vulnerability exploitation, injections, bypassing API controls and many more valuable skills.

Our goal is to show you all the most important aspects of web application penetration testing. Together we will look for vulnerabilities and exploit them in practice in CQURE's custom-built training environment. During the exercises, we will use industry-standard tools such as Kali Linux, Burp Suite, BloodHound, Metasploit and Wireshark.
To make sure that all participants acquire the application penetration testing concepts and knowledge, our classes have an intensive hands-on lab format.
The knowledge used to prepare the unique content of this course has been gathered during numerous penetration testing projects all around the world by CQURE's world-renowned experts. The training will prepare you for penetration testing projects or red team exercises.

Every exercise is supported by lab instructions and multiple tools, both traditional and specialized. CQURE trainers recommend that students have some knowledge of web application security; however, all required concepts will be covered throughout the course.

Important information

This seminar is held in ENGLISH!

Target audience

Ideal candidates for this course:
  • pen-testers
  • red teamers
  • Windows network administrators
  • security professionals
  • systems engineers
  • IT professionals
  • web application developers
  • security consultants and other people responsible for implementing infrastructure security

Prerequisites

The following knowledge is recommended for this seminar:
You should have 3-5 years of experience in the cybersecurity field or as a web developer to attend this training, or have successfully completed the following CQURE Academy course:
  • Introduction to Pentesting Course
To attend this training you should have experience in building web applications. You should be familiar with basic web building blocks such as HTML, JavaScript and CSS.

Detailed contents

Module 1: Introduction to Penetration Testing
  • What is penetration testing
  • Cyber Kill Chain
  • MITRE ATT&CK matrix
  • Testing methodologies
  • Reporting

Module 2: Reconnaissance
  • Open-Source Intelligence (OSINT)
  • Social Media Intelligence (SOCMINT)
  • Google hacking and alternative search engines
  • Subdomain and DNS enumeration
  • Public services enumeration
  • Discovering hidden secrets

Module 3: Introduction to Web Application Testing
  • Modern web standards and protocols
  • Modern web languages and libraries
  • OWASP Top 10
  • Role of the web proxy
  • Work automation
  • Business and logic issues
  • Supply chain attacks and vulnerable components
  • Chaining security issues
  • SSL/TLS issues
  • Information disclosure

Module 4: Browser Security Mechanisms
  • Same-Origin Policy
  • CORS and other exceptions
  • Security headers
  • Cookie and local storage security
  • Differences across implementations

Module 5: Cross-Site Scripting
  • Reflected and stored Cross-Site Scripting
  • Attacking the Document Object Model
  • DOM clobbering
  • Bypassing weak CSP
  • Dangling markup

Module 6: Injections
  • Blacklisting vs. whitelisting
  • SQL injection
  • Command injection
  • Header splitting and injection
  • Other injection attacks

Module 7: Authentication and Authorization
  • Attacks on authentication and authorization
  • Attacks on sessions
  • Insecure Direct Object Reference (IDOR) attacks
  • Default credentials
  • JSON Web Tokens
  • SAML
  • OAuth

Module 8: Insecure File Handling
  • Path traversal
  • Content manipulation
  • Insecure file extensions

Module 9: Insecure Inclusions
  • Local File Inclusion
  • Remote File Inclusion

Module 10: API Testing
  • OWASP Top 10 for APIs
  • Bypassing API access controls
  • Mass assignment attacks
