
SEC642: Advanced Web App Penetration Testing and Ethical Hacking

This course is designed to teach you the advanced skills and techniques required to test web applications today. This advanced pen testing course uses a combination of lecture, real-world experiences, and hands-on exercises to educate you in the techniques used to test the security of enterprise applications. The final day of the course culminates in a Capture the Flag event, which tests the knowledge you will have acquired the previous five days.

We will begin by exploring specific techniques and attacks to which applications are vulnerable. These techniques and attacks use advanced ideas and skills to exploit the system through various controls and protections. This learning will be accomplished through lectures and exercises using real-world applications.

We will then explore encryption as it relates to web applications. You will learn how encryption works as well as techniques to identify the type of encryption in use within the application. Additionally, you will learn methods for exploiting or abusing this encryption, again through lecture and labs.

The next day of class will focus on how to identify web application firewalls, filtering, and other protection techniques. You will then learn methods to bypass these controls in order to exploit the system. You'll also gain skills in exploiting the control itself to further the evaluation of the security within the application.

Following these general exploits, you will learn techniques that target specific enterprise applications. You will attack systems such as content management and ticketing systems. We will explore the risks and flaws found within these systems and how to better exploit them. This part of the course will also include web services and mobile applications due to their prevalence within modern organizations.

This information packed advanced pen testing course will wrap up with a full day Capture the Flag (CtF) event. This CtF will target an imaginary organization's web applications and will include both Internet and intranet applications of various technologies. This event is designed to allow you to put the pieces together from the previous five days reinforcing the information and learning you will have gained.

The SANS promise is that you will be able to use these ideas immediately upon returning to the office in order to better perform penetration tests of your web applications and related infrastructure. This course will enhance your exploitation and defense skill sets as well as fulfill a need to teach more advanced techniques than can be covered in the foundational course, Security 542: Web Application Penetration Testing and Ethical Hacking.

  • An understanding of advanced web penetration techniques
  • Skills to test and exploit specific target environments such as content management systems and infrastructure applications
  • Understanding of encryption and its usage within web applications
  • Methods to recognize and bypass application, platform, and WAF defenses
  • Skills to test and evaluate web services used in an enterprise
  • Understanding how to test backend services for mobile applications

Course Syllabus
Course Contents
  SEC642.1: Advanced Discovery and Exploitation
Overview

As applications and their vulnerabilities become more complex, penetration testers have to be able to handle these targets. We will begin the class by exploring how Burp Suite works and more advanced ways to use it within your penetration-testing processes. The exploration of Burp Suite will focus on its ability to work within the traditional web penetration testing methodology and assist in manually discovering the flaws within the target applications.

Following this discussion, we will move into studying specific vulnerability types. This examination will explore some of the more advanced techniques for finding server-based flaws such as SQL injection. After discovering the flaws, we will then work through various ways to exploit these flaws beyond the typical means exhibited today. These advanced techniques will help penetration testers show the risks the flaws expose an organization to.

CPE/CMU Credits: 6

Topics

  • Review of the testing methodology
  • Using Burp Suite in a web penetration test
  • Examine how to use Burp Intruder to effectively fuzz requests
  • Explore advanced discovery techniques for SQL injection and other server-based flaws
  • Learn advanced exploitation techniques

 
  SEC642.2: Discovery and Exploitation for Specific Applications
Overview

We will continue the exploration of advanced discovery and exploitation techniques. We'll start by exploring client-side flaws such as cross-site scripting (XSS) and cross-site request forgery (XSRF). We will explore some of the more advanced methods for discovering these issues. After finding the flaws, you will learn some of the more advanced methods of exploitation, such as scriptless attacks and building web-based worms using XSRF and XSS flaws within an application.

During the next part of the day we'll explore various popular applications and frameworks and how they change the discovery techniques within a web penetration test. This section of the class examines applications such as SharePoint and WordPress. These specific targets have unique needs and features that make testing them both more complex and more fruitful for the tester. This section of the class will help you understand these differences and make use of them in your testing.

CPE/CMU Credits: 6

Topics

  • Discovering XSRF flaws within complex applications
  • Learning about DOM-based XSS flaws and how to find them within applications
  • Exploiting XSS using scriptless injections
  • Bypassing anti-XSRF controls using XSS/XSRF worms
  • Attacking SharePoint installations
  • How to modify your test based on the target application

 
  SEC642.3: Web Application Encryption
Overview

Cryptographic weaknesses are a common area where flaws are present, yet few penetration testers have the skill to investigate, attack, and exploit them. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages and development frameworks make encryption services available to the developer, but they do not inherently protect encrypted data from being attacked, and they permit the developer to use cryptography in a weak manner. These implementation mistakes are the focus of this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying which encryption scheme is in use to exploiting various flaws within the application's encryption or hashing.

CPE/CMU Credits: 6

Topics
  • Explore how to identify the cryptography used in the web application
  • Discover how to analyze and attack the encryption keys
  • Exploiting stream cipher IV collisions
  • Exploiting Electronic Codebook (ECB) Mode Ciphers with block shuffling
  • Exploiting Cipher Block Chaining (CBC) Mode with bit flipping

 
  SEC642.4: Mobile Applications and Web Services
Overview

Web applications are no longer limited to the traditional HTML-based interface. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems. After finishing up our discussion of cryptography attacks, you will learn how to build a test environment for testing the web services used by mobile applications. We will also explore various techniques to discover flaws within the applications and backend systems. These techniques will make use of tools such as Burp Suite and other automated toolsets.

CPE/CMU Credits: 6

Topics
  • Attacking CBC chosen plaintext
  • Exploiting CBC with padding oracles
  • Understanding the mobile platforms and architectures
  • Intercepting traffic to web services and from mobile applications
  • Building a test environment
  • Penetration testing of web services

 
  SEC642.5: Web Application Firewall and Filter Bypass
Overview

Today, applications are using more security controls to help prevent attacks. These controls, such as Web Application Firewalls and filtering techniques, make testing more difficult for penetration testers. They block many of the automated tools and simple techniques used to discover flaws today. On this day you will explore techniques used to map the control and how it is configured to block attacks. You'll be able to map out the rule sets and determine the specifics of how it detects attacks. This mapping will then be used to determine attacks that will bypass the control. You'll use HTML5, Unicode, and other encodings that will enable your discovery techniques to work within the protected application.

CPE/CMU Credits: 6

Topics
  • Understanding of web application firewalling and filtering techniques
  • Explore how to determine the rule sets protecting the application
  • Learn how HTML5 injections work
  • Discover the use of Unicode and other encodings

 
  SEC642.6: Capture the Flag
Overview

During day six of the class you will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this capture the flag event is for you to explore the techniques, tools, and methodology you will have learned over the last five days. You'll be able to use these ideas and methods against a realistic extranet and intranet. At the end of the day, you will provide a verbal report of the findings and methodology you followed to complete the test. Students will be provided with a virtual machine that contains the Samurai Web Testing Framework web penetration-testing environment. You will be able to use this both in the class and after leaving and returning to your jobs.

CPE/CMU Credits: 6

 
Additional Information
 
  Laptop Required
  • Latest VMware Player, VMware Workstation, or VMware Fusion pre-installed before class begins. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality; however, VMware Player should be prepared as a backup just in case.
  • Ability to disable all security software on your laptop, such as antivirus and/or firewalls
  • At least twenty (20) GB of hard drive space
  • At least four (4) GB of RAM
  • An Ethernet port or Ethernet adapter to plug into a private, in-class network.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend

  • Web penetration testers
  • Security consultants
  • Developers
  • QA testers
  • System administrators
  • IT managers
  • System architects

 
  Prerequisites

This course assumes that you have a solid understanding of web penetration techniques and methodologies. You should be familiar with the HTTP protocol, HTML, web applications, and a scripting language such as Python. Successful completion of the GWAPT certification or having attended the SEC542 class would fulfill these prerequisites.

 
  What You Will Receive
  • A copy of the Samurai Web Testing Framework (SamuraiWTF), which includes some of the latest and greatest open-source penetration testing tools for web application testing
  • Six course booklets including course slides, student notes, and multiple hands-on exercises for each day

 
  You Will Be Able To
  • Assess and attack complex modern applications
  • Understand the special testing and exploits available against content management systems such as SharePoint and WordPress
  • Use techniques to identify and attack encryption within applications
  • Identify and bypass web application firewalls and application filtering techniques to exploit the system
  • Use exploitation techniques learned in class to perform advanced attacks against web application flaws such as XSS, SQL injection and CSRF

 
  Hands-on Training
  • Blind SQL injection data exfiltration via error messages and time delays
  • Code execution via local file inclusion (LFI) vulnerabilities
  • Creating and deploying XSS/XSRF worms
  • Crypto exploits: stream cipher IV collisions, ECB shuffling, CBC bit flipping, and padding oracles
  • WAF rule fingerprinting and bypass

 
  Press & Reviews

"This course is outstanding! I would highly recommend it to pen-testers that already have a good grasp on 542 content." - Mark Geeslin, Citrix

 
  What To Take Next?

Courses that Lead-in

  • SEC542: Web App Penetration Testing and Ethical Hacking
  • DEV522: Defending Web Applications Security Essentials
  • SEC560: Network Penetration Testing and Ethical Hacking

Courses that are Pre-reqs

  • SEC542: Web App Penetration Testing and Ethical Hacking

Courses that are good follow-ups

  • SEC573: Python for Penetration Testers
  • SEC575: Mobile Device Security and Ethical Hacking
  • SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking

 

Author Statement

Students who have taken SEC542 have learned the benefits of applying hands-on in-depth web application penetration testing techniques to take their assessments far beyond the limited push-button approach of purely automated scanners, but how do we take that to the next level? How can we dig deeper to find those vulnerabilities still hiding in our apps? In SEC642, I love seeing students get excited about taking SQLi, RFI/LFI, XSRF/XSS exploits to the next level, exploring the ins and outs of various web frameworks, testing for crypto flaws in cookies and parameter values that look like random characters to novice testers, working with alternate web interfaces like services and client side binaries, and probing the effectiveness of their WAFs. In SEC642 we get to step away from the basics and dig into advanced topics that can be leveraged in our assessments, exploring parts of our apps that are often overlooked or not considered testable by less experienced penetration testers. - Justin Searle

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method

Online options available. Train from any location.
Type            | Topic               | Course / Location / Instructor                | Date
----------------|---------------------|-----------------------------------------------|----------------------------
Training Event  | Penetration Testing | SANS Brussels 2015, Brussels, Belgium         | Jan 26, 2015 - Jan 31, 2015
Training Event  | Penetration Testing | SANS 2015, Orlando, FL                        | Apr 11, 2015 - Apr 18, 2015
Training Event  | Penetration Testing |                                               | Jun 22, 2015 - Jun 27, 2015
Training Event  | Penetration Testing | SANS Bangalore 2015, Bangalore, India, Staff  | Sep 28, 2015 - Oct 10, 2015
Community SANS  | Penetration Testing | Staff                                         | Feb 23, 2015 - Feb 28, 2015
OnDemand        | Penetration Testing | Online                                        | Anytime
SelfStudy       | Penetration Testing | Online                                        | Anytime
Onsite          | All                 | OnSite Course of Your Choice, Your Choice     |

*Course contents may vary depending upon location, see specific event description for details.