SECURITY 542

Web Application Penetration Testing In-Depth

6 CPE Credits Per Day

Assess Your Web Apps in Depth

Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this class, you'll learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And, you will explore various other Web app vulnerabilities in depth, with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker so that you can be a powerful defender.

On day one we will study the attacker's view of the Web. On day two, we will analyze the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase, when we interact with a real application to determine its internal structure, and we will start the discovery step. During day three, we will continue our in-depth discovery using the information we gathered on day two. On day four we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five we will move into the final stage of exploitation, using advanced exploitation methods to gain further access within the application. Day six will finish the exploitation stage of a Web pen test with a walk-through of an entire attack scenario. Students will learn methods of combining various attacks to better gauge the business impact of application vulnerabilities.

Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of exploitation. In the end, you will be able to assess your own organization's Web applications to find some of the most common and damaging Web application vulnerabilities today.

By knowing your enemy, you can defeat your enemy.

Who Should Attend:

General security practitioners, as well as Web site designers, architects, and developers, will benefit from learning the practical art of Web application penetration testing in this class.

Sampling of Topics:

  • Discover the infrastructure within the application
  • Analyze SSL configurations and weaknesses
  • Explore virtual hosting and its impact on testing
  • Learn methods to identify load balancers
  • Learn tools to spider a Web site
  • Analyze scripting to automate Web requests and spidering
  • Flow-chart an application's logic
  • Learn methods to discover various vulnerabilities
    • Information Leakage
    • Username Harvesting
    • Command Injection
    • SQL Injection
    • Blind SQL Injection
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery
  • Analyze fuzzing and various fuzzing tools
  • Understand methods for attacking Web services
  • Study methods for testing Web 2.0 and AJAX-based sites
  • Learn methods to decompile client-side code, including Flash and Java
  • Explore malicious applets and objects

Author Statement

Testing the security of web applications is not as simple as just knowing what SQL injection and cross-site scripting mean. Successful testers understand that methodical, thorough testing is a tremendous means of finding the vulnerabilities within applications. This requires a deep understanding of how web applications work and what attack vectors are available. This course provides that understanding by examining the various parts of a web application penetration. When teaching the class, I especially enjoy the use of real-world exercises and the in-depth exploration of web penetration testing.
- Kevin Johnson

SECURITY 542 :: Web Application Penetration Testing In-Depth
SANS Network Security 2008 Las Vegas, NV September 28, 2008 - October 06, 2008
SANS Cyber Defense Initiative 2008 Washington, DC December 10, 2008 - December 16, 2008
SANS Vancouver 2008 Vancouver, BC November 17, 2008 - November 22, 2008
SANS Sydney 2008 Sydney, Australia October 27, 2008 - November 01, 2008
SANS Security West 2009 Las Vegas, NV January 24, 2009 - February 01, 2009
SANS Audit and Compliance 2008 Chicago, IL September 03, 2008 - September 10, 2008
Community SANS Memphis 2008 Memphis, TN October 20, 2008 - October 23, 2008
SANS London 2008 London, United Kingdom December 01, 2008 - December 09, 2008