Application Penetration Testing Training

A 4-day course, held on a client site or as a public course, delivered by a CREST-Certified CHECK Team Leader

 

A Black Hat USA 2015 Course

Delivered by a CHECK Team Leader

Bootcamp Style Intensive Training

Infrastructure, Networks and Apps

Course Overview                                                                  

Web applications have in recent years increasingly become the prime focus of malicious attacks by cyber criminals. By exploiting potential weak spots within a web application's code, a threat actor is able to gain unauthorised access to sensitive information stored at the backend. Due to the increase in the quantity and importance of the data used by web applications, it is important that web developers and application pen testers learn how to secure and defend them.

Using a holistic approach that covers mitigation strategies for both the supporting infrastructure and web application code, and drawing on real-world scenarios, our course prepares you to write secure applications as well as defend one from a consultant’s perspective. The supporting slides and classroom discussion help attendees learn new attack techniques and understand how to mitigate them.

What is the class difficulty level?

Based on the audience level, this course is taught in two different classes:

  • Intermediate Track (Beginner to Intermediate level experience) – 2 days
  • Advanced Track (In Depth) – 4 days

An Advanced course can be squeezed into 3 days based on client requirement/audience skill-set.

Who should attend this course?

Security professionals (analysts, consultants, IT security officers), web developers and security administrators who are looking to add to their skill-set are welcome!

This course covers real world scenarios and discusses techniques that can be used by the attendees to improve their skill-set, and prepare for professional pen test certifications. 

What are the pre-requisites for attendees?

  • Intermediate Track – web application familiarity is required. 
  • Advanced Track – basic application assessment and tools knowledge/experience is necessary.

 

What are the logistical requirements for onsite training?

A training room equipped with internet and a projector.

All coursework is performed in designated labs. Each attendee is provided with a VPN setup in order to connect to the labs. You only need a laptop on which you have admin/root access.

Who teaches this course?

Each of the above classes is delivered by a CREST-Certified CHECK Team Leader with over 9 years' professional penetration testing experience (ex-employers include Deloitte, IRM and the NCC Group).

All attendees are provided with class course documents along with lab challenges and solutions. Hints will be dropped throughout the challenges, including via Capture The Flag (CTF) events. Complete module answers are either provided in the class on the same day, or emailed afterwards.

 

Hands-On Hacking Syllabus                                        

This section outlines the course syllabus, designed to help professionals achieve a high skill-set and improve their delivery quality. Highlighted text below relates to the advanced track syllabus.

Features:

  • Dedicated labs for training and practise
  • 100% Practical
  • Hands-on training
  • Black Hat 2015 Course
  • CHECK Team Leader Instructor
  • Course Material
  • Capture the flag-style challenges
  • Best practices from an experienced tutor
  • Access to labs post training for up to 2 months

 

Course Outline

Day 1: Laying the Foundation & Testing Methodology
● Application security overview.
● Application architecture (single tier, multi-tier).
● Web technologies.
● HTTP basics (different HTTP methods and how to exploit them on a web server).
● Current attack trend (discussion on past attacks and techniques used).
● Common pen test tools overview – strength and weaknesses of tools including manual and automated assessment techniques.
● Pen test tool basics – Burp Proxy, ZAP Proxy and Fiddler.
● Browser plugins for application assessment.
● Google hacking (passive application attacks).
● Port scanning of the supporting infrastructure.
● Web server assessment (looking for configuration issues).
● SSL security (TLS/SSL configuration issues).
● Default configuration checks/common CMS identification techniques.
Day 2: Application Testing (Covering OWASP Top 10)
● Authentication vulnerabilities
● Session management security (Session
● Business logic flaws
● SQL Injection – Blind, Error based, Time, out-of-band
● Cross Site Scripting – DOM, Reflected, Stored
● Insecure direct object references
● Broken Access Control (Weak Authorization checks)
● Session Fixation
Day 3: Application Testing (OWASP Top 10)
● Web services/XML attacks.
● Web services overview.
● XML security.
● SOAP/WSDL/JSON/AJAX hacking.
Day 4: Advanced Application Hacking Techniques

● Exploiting clickjacking.
● Flash/Java application security.
● .Net remoting (optional).
● Advanced SQL injection.
● Cross Site Scripting bypass blacklist techniques.
● Creating custom Burp plugins (optional).

 

    This course is created by a CREST-Certified CHECK Team Leader with over 9 years' experience. Penetration testing clients include some of the largest banks in the world.

    CREST-Certified CHECK Team Leader

     

Book your Management Best Practice in SAP Compliance Security and Audit Essentials (SAP - CSA) course. 

This course is available as an internal training course delivered on client site, or alternatively you can attend one of our public courses. Please fill in the form below and one of our team will get in touch to discuss your requirements.

  • Or call us on:
  • +44 (0) 203 189 1422