IT Gate Academy

Web Penetration Testing

hours

5.0

Description

Web applications play a vital role in every modern organization. But, if your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data.
Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.
Customers expect web applications to provide significant functionality and data access.
Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization.
Unfortunately, there is no "patch Tuesday" for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions.
Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.Modern cyber defense requires a realistic and thorough understanding of web application security issues.
Anyone can learn to sling a few web hacks, but effective web application penetration testing requires something deeper.

What Will I Learn?

You Will Learn:
To apply a repeatable methodology to deliver high-value penetration tests.
How to discover and exploit key web application flaws.
How to explain the potential impact of web application vulnerabilities.
The importance of web application security to an overall security posture.
How to wield key web application attack tools more efficiently.
How to write web application penetration test reports.
Apply OWASP's methodology to your web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control.
Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives.
Manually discover key web application flaws.
Use Python to create testing and exploitation scripts during a penetration test.
Discover and exploit SQL Injection flaws to determine true risk to the victim organization.
Understand and exploit insecure deserialization vulnerabilities with ysoserial and similar tools.
Create configurations and test payloads within other web attacks.
Fuzz potential inputs for injection attacks.
Explain the impact of exploitation of web application flaws.
Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and BurpSuite Pro to find security issues within the client-side application code.
Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks.
Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application.
Perform two complete web penetration tests, one during the five days of course instruction, and the other during the Capture the Flag exercise.

Certificates

Introduction

Why Is Web Pen testing Require?
Importance of Web App Pen testing
Vulnerability Scanning or Pen testing
What Is A Vulnerability?
How Vulnerability Occurs?
Types of Vulnerabilities
History of Vulnerabilities
Exploitation of Vulnerabilities

WEB Basics

Protocols of Web
HTML
PHP Basics
JS Basics
Types of Wen Pen-Test (External Internal)

Tools of Web Pen testing:

Burp suite
Zap Proxy
Dirbuster
Dirb
Dir Search
theHarvester
Dig
Host
Nslookup
Recon-ng
Metasploit Fundamentals
SQLMap
JSQL
SQLNinja
Nikto
Whatweb
Dmitry
Who is
Hackrawler

Port Scanning Tools

Nmap
Netcat
Socat
Zenmap
Advanced Port Scanner

Database Management

SQL
PHPMyAdmin

System Administration

Bash Scripting (Basics)
Batch Scripting (Basics)

Bash Scripting ( Building Pentesting Tools )

Practical Tools
Error Handling

Advanced web hacking

DNS Information Gathering
Subdomains Gathering
Endpoint Gathering
Compare hand The Application
Understanding the Application Logic
Source Code Reviewing
Fuzzing the Web App Directories and Files
Subdomain Monitoring
LinkedIn Discovery
GitHub Discovery
Port Scanning
Identifying the Application
Knowing the WAF Parameter Fuzzing
Google Hacking
Knowing the HTTP Headers Used
Some Methodologies

Anonymous Pen tester

Proxy
VPN
TOR
Proxy chains
Tails OS

Practical Web Pen testing

Logical Vulnerabilities
IDOR
Broken Authentication
Business Logic
Attacking Other Application Logics

Technical Vulnerabilities

OS Command Injection
XSS
SQL injection
Open Redirect
XXE
CSRF
SSRF
HTML Injection
LFI
LFD
RFI
File Upload
Exploitation through Error Message
HTTP Parameter Pollution
Cookie Injection (Session Hijacking)
Cookie Injection (Session Hijacking)
Cache Deception
Cache Poisoning
HTTP Request Smuggling Attacks

Misconfiguration

Sub domain Take Over
Information Disclosure
Web Pen testing & Bug hunting Methodologies

Web Pen testing Approach (Before Testing):

Planning Phase
Known Your Scope
Availability of Documentation to Testers
Determining the Success Criteria
Reviewing the Test Result from the Previous Training
Understanding & Comprehend the Environment

Attacks / Execution Phase (During Testing}:

Ensure To Make the Test In Different User Roles
Awareness on How To Handel A Post Exploitation
Generation of Test Reports

Post Execution Phase (After Testing):

Suggest Remediation
Retest Vulnerabilities

Web Pen testing in real Lives

Bug Hunting In Real Life
Reporting
Vulnerability Escalation
Social Engineering Concepts

Course Details!

Details