SANS delivers the best training I have seen in the industry.
-Brian Hughes, Idaho State University

SECURITY 542

Web App Penetration Testing and Ethical Hacking

6 CPE Credits Per Day

Assess Your Web Apps in Depth

Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate to advanced level class, you'll learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.

On day one, we will study the attacker's view of the Web as well as learn an attack methodology and how the pen-tester uses JavaScript within the test. On day two, we will study the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure. During day three we will continue our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery. On day four we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five, we will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application. Day six will be a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.

Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization's Web applications to find some of the most common and damaging Web application vulnerabilities today.

By knowing your enemy, you can defeat your enemy. General security practitioners, as well as Web site designers, architects, and developers, will benefit from learning the practical art of Web application penetration testing in this class.

This course opened my eyes and gave new perspectives of web app penetration testing.
-Ji Lee, Seamless Web

Author Statement

Testing the security of Web applications is not as simple as just knowing what SQL injection and Cross-Site Scripting mean. Successful testers understand that methodical, thorough testing is the best means of finding the vulnerabilities within the applications. This requires a deep understanding of how Web applications work and what attack vectors are available. This course provides that understanding by examining the various parts of a Web application penetration. When teaching the class, I especially enjoy the use of real-world exercises and the in-depth exploration of Web penetration testing.

– Kevin Johnson

Training Events By Course

DEVELOPER 542 :: Web App Penetration Testing and Ethical Hacking
SANS 2010 Orlando, FL March 06, 2010 - March 15, 2010
SANS CDI East 2009 Washington, DC December 11, 2009 - December 18, 2009
SANS Sydney 2009 Sydney, Australia November 09, 2009 - November 14, 2009
SANS London 2009 London, United Kingdom November 28, 2009 - December 06, 2009
Community SANS Providence At Brown University 2010 Providence, RI January 11, 2010 - January 16, 2010
SANS Northern Virginia Bootcamp 2010 Reston, VA April 06, 2010 - April 13, 2010
SANS AppSec 2010 and WhatWorks in AppSec Summit San Francisco, CA January 29, 2010 - February 05, 2010
Community SANS New York 2010 New York City, NY January 25, 2010 - January 30, 2010
SANS OnDemand Online Training & Assessments Anytime
SANS SelfStudy Books and .MP3s Only Anytime