SEC542: Web App Penetration Testing and Ethical Hacking

"As a web application developer this course gives great insight into what I can do better and what to look for." - Joshua Barone, Geocent

"With the infinite tools used for web application penetration, SEC542 helps you understand/use the best tools for your environment." - Linh Sithihao, UT South Western Medical Center

Web applications play a vital role in every modern organization. But if your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.

SEC542 helps students move beyond push-button scanning to professional, thorough, high-value web application penetration testing.

Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions. Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.

Modern cyber defense requires a realistic and thorough understanding of web application security issues. Anyone can learn to sling a few web hacks, but effective web application penetration testing requires something deeper.

SEC542 enables students to assess a web application's security posture and convincingly demonstrate the impact of inadequate security that plagues most organizations.

Students will come to understand major web application flaws and their exploitation and, most importantly, learn a field-tested and repeatable process to consistently find these flaws and convey what they have learned to their organizations. Even technically gifted security geeks often struggle with helping organizations understand risk in terms relatable to business. Much of the art of penetration testing has less to do with learning how adversaries are breaking in than it does with convincing an organization to take the risk seriously and employ appropriate countermeasures. The goal of SEC542 is to better secure organizations through penetration testing, and not just show off hacking skills. The course will help you demonstrate the true impact of web application flaws through exploitation.

In addition to high-quality course content, SEC542 focuses heavily on in-depth, hands-on labs to ensure that students can immediately apply all they learn.

In addition to more than 30 formal hands-on labs, the course culminates in a web application pen test tournament, powered by the SANS NetWars Cyber Range. This Capture the Flag event on the final day brings students into teams to apply their newly acquired command of web application penetration testing techniques in a fun way to hammer home lessons learned.

Course Topics

  • Interception Proxies
    • ZAP (Zed Attack Proxy)
    • Burp Suite
  • SQL Injection
  • Blind SQL Injection
  • Reflected Cross-Site Scripting (XSS)
  • Stored Cross-Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Cross-Site Request Forgery (CSRF/XSRF)

You Will Learn:

  • To apply a repeatable methodology to deliver high-value penetration tests.
  • How to discover and exploit key web application flaws.
  • How to explain the potential impact of web application vulnerabilities.
  • The importance of web application security to an overall security posture.
  • How to wield key web application attack tools more efficiently.

Course Syllabus
Course Contents
  SEC542.1: Web App Penetration Testing and Ethical Hacking: The Attacker's View of the Web
Overview

Understanding the attacker's perspective is key to successful web application penetration testing. The course begins by thoroughly examining web technology, including protocols, languages, clients, and server architectures, from the attacker's perspective. We also examine different authentication systems, including Basic, Digest, Forms, and Windows Integrated authentication, and discuss how servers use them and attackers abuse them. After authentication, we analyze the importance of encryption and HTTPS. Before leaving HTTPS, we dive into the infamous Heartbleed flaw and get our first taste of exploitation with a hands-on lab.

We then turn to the four steps that make up our process for conducting web application penetration tests: reconnaissance, mapping, discovery, and exploitation. On the first day, we review the fundamental principles of each phase and discuss how penetration testers can use them together as a cyclical in-depth attack process. We then cover the types of penetration testing and what pieces need to be part of a thorough, high-value pen test report. To complete the course day, we explore aspects of a vulnerable web application using Burp Suite.

CPE/CMU Credits: 6

Topics
  • Overview of the web from a penetration tester's perspective
  • Exploring the various servers and clients
  • Discussion of the various web architectures
  • Discovering how session state works
  • Discussion of the different types of vulnerabilities
  • Defining a web application test scope and process
  • Defining types of penetration testing
  • Heartbleed exploitation
  • Utilizing the Burp Suite in web app penetration testing
 
  SEC542.2: Web Penetration Testing and Ethical Hacking: Reconnaissance and Mapping
Overview

The second day begins with the reconnaissance and mapping phases of a web app penetration test. Reconnaissance includes gathering publicly available information regarding the target application and organization, identifying the machines that support our target application, and building a profile of each server, including the operating system, specific software, and configuration. The discussion is underscored through several practical, hands-on labs in which we conduct reconnaissance against in-class targets.

In the mapping phase, we build a map or diagram of the application's pages and features. This phase involves identifying the components, analyzing the relationship between them, and determining how the pieces work together. We often discover configuration flaws in web application infrastructure components during the mapping phase. After discussion of these types of flaws, we use the Shellshock vulnerability as an opportunity to get deeper hands-on experience with Burp Suite, cURL, and manual exploitation techniques. We then dive deep into spidering/crawling web applications. Spidering represents a vital part of both the mapping phase and the overall penetration test.

CPE/CMU Credits: 6

Topics
  • Discovering the infrastructure within the application
  • Identifying the machines and operating systems
  • Secure Sockets Layer (SSL) configurations and weaknesses
  • Exploring virtual hosting and its impact on testing
  • Learning methods to identify load balancers
  • Software configuration discovery
  • Exploring external information sources
  • Learning tools to spider a website
  • Scripting to automate web requests and spidering
  • Brute forcing unlinked files and directories
  • Discovering and exploiting Shellshock
 
  SEC542.3: Web Penetration Testing and Ethical Hacking: Discovery
Overview

This section continues to explore our methodology with the discovery phase. We build on the information identified during the mapping phase, exploring methods to find and verify vulnerabilities within the application. Students also begin to explore the interactions between the various vulnerabilities.

This course day dives deeply into vital manual testing techniques for vulnerability discovery. To facilitate manual testing, we kick off the day with an introduction to Python and a hands-on lab working with it.

In addition to custom scripts, we focus on developing in-depth knowledge of interception proxies for web application vulnerability discovery. A highlight of the day involves spending significant time working with both traditional and blind SQL injection flaws.

Throughout the discovery phase, we will explore both manual and automated methods of discovering vulnerabilities within applications and discuss the circumstances under which each is appropriate.

CPE/CMU Credits: 6

Topics
  • Python for web app penetration testing
  • Web app vulnerabilities and manual verification techniques
  • Interception proxies
  • Zed Attack Proxy (ZAP)
  • Burp Suite
  • Information leakage and directory browsing
  • Username harvesting
  • Command Injection
  • Directory traversal
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • SQL injection
  • Blind SQL injection
  • JavaScript for the attacker
 
  SEC542.4: Web Penetration Testing and Ethical Hacking: Discovery (continued)
Overview

On day four, students continue exploring the discovery phase of the methodology. We cover methods to discover key vulnerabilities within web applications, such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF/XSRF). Manual discovery methods are employed during hands-on labs.

The course day will also include a detailed discussion of AJAX as we explore how it enlarges the attack surface leveraged by penetration testers. We also analyze how AJAX is affected by other vulnerabilities already covered in depth earlier in the course.

After detailing the various vulnerabilities and manual discovery methods, day four concludes with a review of various automated web application vulnerability scanners, to complement our previous coverage of manual techniques with scripting, ZAP, and the Burp Suite.

CPE/CMU Credits: 6

Topics
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Session flaws
  • Session fixation
  • AJAX
  • XML and JSON
  • Logic attacks
  • Data binding attacks
  • Automated web application scanners
  • w3af
 
  SEC542.5: Web Penetration Testing and Ethical Hacking: Exploitation
Overview

On the fifth day, we launch actual exploits against real-world applications, building on the previous three steps, expanding our foothold within the application, and extending it to the network on which it resides. As penetration testers, we specifically focus on ways to leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of the four-step attack methodology.

During our exploitation phase, we expand our use of tools such as ZAP and the Burp Suite, and complement them with further use of sqlmap, BeEF (the Browser Exploitation Framework), and Metasploit to help craft exploits against various web applications. We launch SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery attacks, amongst others. In class we exploit these flaws to perform data theft, hijack sessions, steal passwords, get shells, pivot against connected networks, and much more. Through various forms of exploitation, the student gains a keen understanding of the potential business impact of these flaws to an organization.

CPE/CMU Credits: 6

Topics
  • The sqlmap tool
  • Metasploit for web penetration testers
  • Exploring methods to zombify browsers
  • Browser Exploitation Framework (BeEF)
  • Leveraging attacks to gain access to the system
  • How to pivot our attacks through a web application
  • Understanding methods of interacting with a server through SQL injection
  • Exploiting applications to steal cookies
  • Executing commands through web application vulnerabilities
  • Walking through an entire attack scenario
 
  SEC542.6: Web Penetration Testing Tournament: Powered by NetWars
Overview

On day six, students form teams and compete in a web application penetration testing tournament. This NetWars-powered Capture the Flag exercise provides students an opportunity to wield their newly developed or further honed skills to answer questions, complete missions, and exfiltrate data, applying skills gained throughout the course. The style of challenge and integrated hint system allows students of various skill levels to both enjoy a game environment and solidify the skills learned in class.

CPE/CMU Credits: 6

 
Additional Information
 
  Laptop Required

Security 542 requires a Windows, Linux or Macintosh computer with the following minimum hardware requirements:

  • CPU: 2.0+ GHz processor
  • RAM: 4 GB or higher
  • 15 GB free hard disk space
  • USB port
  • Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you.)

Please install the following software on the computer:

  • VMware Workstation 9, Player 5, or Fusion 5 (or newer)

You must have the ability to disable the host firewall (Windows firewall or other third-party firewall), antivirus programs, or other security software running on your desktop. This usually means you need to have administrative privileges on the machine.

DO NOT plan on just killing your antivirus service or processes, because most antivirus tools still function even when their associated services and processes have been terminated.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects
 
  Prerequisites

SEC542 assumes students have a basic working knowledge of the Linux command line.

 
  Other Courses People Have Taken

Courses that lead into SEC542:

Courses that are good follow-ups to SEC542:

 
  What You Will Receive
  • Course media that includes both web application attack tools, as well as many vulnerable web applications for testing and training within the classroom and beyond
  • Audio recordings of the course to review material after class
  • A custom virtual machine tailored specifically for web application penetration testing
 
  You Will Be Able To
  • Apply a detailed, four-step methodology to your web application penetration tests: reconnaissance, mapping, discovery, and exploitation.
  • Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives.
  • Manually discover key web application flaws.
  • Use Python to create testing and exploitation scripts during a penetration test.
  • Discover and exploit SQL Injection flaws to determine true risk to the victim organization.
  • Create configurations and test payloads within other web attacks.
  • Fuzz potential inputs for injection attacks.
  • Explain the impact of exploitation of web application flaws.
  • Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and Burp Suite to find security issues within the client-side application code.
  • Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks.
  • Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application.
  • Perform a complete web penetration test during the Capture the Flag exercise to bring techniques and tools together into a comprehensive test.
 
  Hands-on Training

SANS SEC542 employs hands-on labs throughout the course to further students' understanding of web application penetration concepts. Some of the many hands-on labs in the course include:

  • Assessing Web Authentication
  • Heartbleed Exploitation
  • Mobile Application MITM
  • Reflective XSS Attacks
  • Persistent XSS Attacks
  • SQL Injection
  • Blind SQL Injection
  • CSRF Exploitation
  • Metasploit for Web Application Attacks
  • Exploiting Shellshock
  • Leveraging the sqlmap tool
  • BeEF and Browser Exploitation
  • Session Hijacking
  • Username Harvesting
  • HTML Injection
  • Remote File Inclusion
  • Local File Inclusion
  • OS Command Injection
  • Drupalgeddon Exploitation
  • w3af
  • Python for Web Application Pen Testers
  • Pen Testing with JavaScript
  • Extensive use of both Burp Suite and ZAP throughout the course
 
  Press & Reviews

"This course taught me to truly focus on the methodology while performing a pen test. During the Capture the Flag event, I realized how much time can be wasted if you fail to respect your methodology." - Sean Rosado, RavenEye

"The SEC542 tools and course presentation are top-notch. I will be using this material extensively." - Jeremy Pierson, Academy Mortgage

"SEC542 provides rapid exposure to a variety of tools and techniques invaluable to recon on target site." - Gareth Grindle, QA Ltd.

"Every class gives you invaluable information from real-world testing you cannot find in a book." - David Fava, The Boeing Company

 

Author Statement

Students routinely show up to SEC542 having been demoralized by their organization's web application vulnerability scanner. Sitting on the business end of these scanners, students regularly attest to 1,000+ pages of output littered with false positives. One of the most rewarding aspects of teaching SEC542 is seeing and hearing those very same students' enthusiasm for applying the skills they have learned through the week to the applications they are responsible for securing. They intrinsically knew the push-button approach to penetration testing was failing them, but lacked the knowledge and skill to ably and efficiently perform any other style of assessment. We are happy to say that SEC542 remedies this problem. Students walk away from class with a deep knowledge of key web application flaws and how to discover and exploit them, as well as how to present these findings in an impactful way. - Seth Misenar and Eric Conrad

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method

Online options available. Train from any location.
Type              Topic                Course / Location / Instructor                        Date
Training Event    Penetration Testing                                                        Sep 12, 2015 - Sep 21, 2015
Training Event    Penetration Testing  SANS Gulf Region 2015, Dubai, United Arab Emirates    Oct 17, 2015 - Oct 29, 2015
Training Event    Penetration Testing                                                        Oct 19, 2015 - Oct 31, 2015
Training Event    Penetration Testing  SANS South Florida 2015, Fort Lauderdale, FL          Nov 9, 2015 - Nov 14, 2015
Training Event    Penetration Testing  SANS London 2015, London, United Kingdom              Nov 14, 2015 - Nov 23, 2015
Training Event    Penetration Testing  SANS Hyderabad 2015, Hyderabad, India                 Nov 24, 2015 - Dec 4, 2015
Training Event    Penetration Testing  SANS Brussels Winter 2016, Brussels, Belgium          Jan 18, 2016 - Jan 23, 2016
Training Event    Penetration Testing                                                        Jan 25, 2016 - Jan 30, 2016
Training Event    Penetration Testing                                                        Feb 15, 2016 - Feb 20, 2016
Training Event    Penetration Testing  SANS London Spring, London, United Kingdom            Feb 29, 2016 - Mar 5, 2016
Summit            Penetration Testing                                                        Nov 16, 2015 - Nov 23, 2015
Community SANS    Penetration Testing                                                        Oct 5, 2015 - Oct 9, 2015
Community SANS    Penetration Testing                                                        Oct 12, 2015 - Oct 17, 2015
Community SANS    Penetration Testing  Staff                                                 Feb 1, 2016 - Feb 6, 2016
Community SANS    Penetration Testing  Staff                                                 Apr 11, 2016 - Apr 16, 2016
Community SANS    Penetration Testing  Staff                                                 May 23, 2016 - May 28, 2016
Mentor            Penetration Testing  Mentor Session, Frankfurt, Germany                    Sep 23, 2015 - Nov 25, 2015
Mentor            Penetration Testing  Mentor Session, Salt Lake City, UT                    Oct 8, 2015 - Dec 17, 2015
Mentor            Penetration Testing  Mentor Session, McKinney, TX                          Oct 13, 2015 - Nov 24, 2015
vLive             Penetration Testing  Online                                                Dec 15, 2015 - Feb 4, 2016
OnDemand          Penetration Testing  Online                                                Anytime
Simulcast         Penetration Testing  Online                                                Nov 18, 2015 - Nov 23, 2015
SelfStudy         Penetration Testing  Online                                                Anytime
Private Training  All                  Private Training Course of Your Choice                Your Choice

*Course contents may vary depending upon location, see specific event description for details.