Web App Penetration Testing and Ethical Hacking
Assess Your Web Apps in Depth
Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate to advanced level class, you'll learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize cross-site scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.
Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization's Web applications to find some of the most common and damaging Web application vulnerabilities today.
By knowing your enemy, you can defeat your enemy. General security practitioners, as well as Web site designers, architects, and developers, will benefit from learning the practical art of Web application penetration testing in this class.
SEC542.1: Web App Penetration Testing and Ethical Hacking: The Attacker's View of the Web
Understanding the attacker's perspective is key to successful Web application penetration testing. We will begin by thoroughly examining Web technology, including protocols, languages, clients, and server architectures, from the attacker's perspective. In this portion of the class we will also examine different authentication systems, including Basic, Digest, Forms, and Windows Integrated authentication, and discuss how servers use them and how attackers abuse them.
CPE/CMU Credits: 6
- Overview of the Web from a penetration tester's perspective
- Exploring the various servers and clients
- Discussion of the various Web architectures
- Discover how session state works
- Discussion of the different types of vulnerabilities
- Define a Web application test scope and process
- Define types of penetration testing
SEC542.2: Web Penetration Testing and Ethical Hacking: Reconnaissance and Mapping
On the second day we will start the actual penetration testing process, beginning with the reconnaissance and mapping phases. Reconnaissance includes gathering publicly available information regarding the target application and organization, identifying the machines which support our target application, and building a profile of each server, including operating system, specific software, and configuration. Our discussion will be augmented by practical, hands-on exercises in which we conduct reconnaissance against an in-class target.
In the mapping phase, we will build a "map" or diagram of the application. In order to do this, we identify the components, analyze the relationship between them, and determine how the pieces work together. We will specifically consider how the session management system works within an application. This will help us identify potential vulnerabilities during the next sections.
CPE/CMU Credits: 6
- Discover the infrastructure within the application
- Identify the machines and operating systems
- SSL configurations and weaknesses
- Explore virtual hosting and its impact on testing
- Learn methods to identify load balancers
- Software configuration discovery
- Explore external information sources
- Google hacking
- Learn tools to spider a Web site
- Scripting to automate Web requests and spidering
- Application flow charting
- Relationship analysis within an application
SEC542.3: Web Penetration Testing and Ethical Hacking: Discovery
In this section, we will continue to explore our methodology with the discovery phase. We will build upon the information started yesterday, exploring methods to find and verify vulnerabilities within the application. The students will also begin to explore the interactions between the various vulnerabilities.
Manual testing techniques for vulnerability discovery will be the primary approach taken in Day 3. To facilitate manual testing, we kick off the day with an introduction and hands-on exercise with Python.
In addition to custom scripts, major emphasis will be placed on developing in-depth knowledge of interception proxies for web application vulnerability discovery. A highlight of the day will be spending significant time working with both traditional and blind SQL Injection flaws.
Throughout the discovery phase, we will explore both manual and automated methods of discovering vulnerabilities within applications and discuss the circumstances under which each is appropriate.
CPE/CMU Credits: 6
- Vulnerability Discovery Overview
- Creating Custom Scripts for Penetration Testing
- Python for Penetration Testing
- Web App Vulnerabilities and Manual Verification Techniques
- Interception Proxies
- OWASP Zed Attack Proxy
- Burp Suite
- Information Leakage & Directory Browsing
- Username Harvesting
- Command Injection
- Directory Traversal
- SQL Injection
- Blind SQL Injection
SEC542.4: Web Penetration Testing and Ethical Hacking: Discovery Continued
On day four, students will continue exploring the discovery phase of the methodology. We will cover methods to discover key vulnerabilities within web applications such as Cross-Site Scripting and Cross-Site Request Forgery. Manual discovery methods will be employed during hands-on exercises.
The day's content will also include a detailed discussion of AJAX in which we will explore how AJAX enlarges the attack surface that penetration testers leverage. We will also explore how AJAX is affected by the vulnerabilities already explored.
After detailing the various vulnerabilities and manual discovery methods, Day 4 will conclude with review of various automated web application vulnerability scanners, such as Skipfish and w3af, to complement our previous coverage of the Burp Suite.
By the end of Day 4, students will be well prepared to move into the exploitation phase of the methodology on Day 5.
CPE/CMU Credits: 6
- Cross-Site Scripting (XSS)
- Cross-Site Scripting Discovery
- Cross-Site Request Forgery (CSRF)
- Session Flaws
- Session Fixation
- Logic Attacks
- API Attacks
- Data Binding Attacks
- Automated Web Application Scanners
SEC542.5: Web Penetration Testing and Ethical Hacking: Exploitation
On the fifth day we will launch actual exploits against real-world applications. In this component, we will build upon the previous three steps, expanding our foothold within the application and extending that to the network on which it resides. As penetration testers, we will specifically focus on ways that we can leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of our four-step attack methodology.
During our exploitation, we will use tools such as the Burp Suite and Paros Proxy to assist us in crafting exploits against real-world applications like Wordpress and AWStats. We will launch an SQL injection attack against Wordpress, intercepting real transactions and modifying them. We will use Cross-Site Scripting attacks against phpMyAdmin and phpBB to steal cookies and sessions from other users.
We are also going to explore the use of attack frameworks, such as AttackAPI and BeEF. We will discuss how the frameworks can assist us in our testing process, gaining access to browser history, port scanning internal networks, and searching for other vulnerable Web applications through zombie browsers.
We will also explore multiple exploit attacks. This is where the student will build complex attack series to gain much greater access within the Web applications. By fully uncovering vulnerabilities within applications using the same resources as attackers, we can provide organizations with the best assessment possible.
CPE/CMU Credits: 6
- Explore methods to zombify browsers
- Discuss using zombies to port scan or attack internal networks
- Explore attack frameworks
- Walk through an entire attack scenario
- Exploit the various vulnerabilities discovered
- Leverage the attacks to gain access to the system
- Learn how to pivot our attacks through a Web application
- Understand methods of interacting with a server through SQL injection
- Exploit applications to steal cookies
- Execute commands through Web application vulnerabilities
SEC542.6: Web Penetration Testing and Ethical Hacking: Capture the Flag
During day six of the class students will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this capture the flag event is for the students to explore the techniques, tools, and methodology they have learned over the last five days. They will be able to use these ideas and methods against a realistic intranet application. At the end of the day, they will provide a verbal report of the findings and methodology they followed to complete the test.
Students will be provided with a virtual machine that contains the SamuraiWTF Web penetration testing environment. They will be able to use this both in the class and after leaving and returning to their normal jobs.
CPE/CMU Credits: 6
|Mon Jun 9th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Wed Jun 11th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Mon Jun 16th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Wed Jun 18th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Wed Jun 25th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Mon Jun 30th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Wed Jul 2nd, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Mon Jul 7th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Wed Jul 9th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Mon Jul 14th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Wed Jul 16th, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
|Mon Jul 21st, 2014||7:00 PM - 10:00 PM ET||Tanya Baccam|
Security 542 requires a Windows, Linux or Macintosh computer with the following minimum hardware requirements:
- 1GHz processor
- 2GB RAM (More memory is highly recommended)
- 10 GB free hard disk space
- DVD ROM drive
- Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you.)
Please install the following software on the computer:
- VMWare Player 3.x or VMWare Workstation 7.x or newer or VMWare Fusion (Server and ESX are not supported)
- Firefox browser
You must have the ability to disable the host firewall (Windows firewall or other third party firewall) and antivirus running on your desktop. This usually means you need to have administrative privilege on the machine.
DO NOT plan on just killing your antivirus service or processes, because most antivirus tools still function even when their associated services and processes have been terminated.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
You Will Be Able To
- Apply a detailed, four-step methodology to your web application penetration tests, including Recon, Mapping, Discovery and Exploitation
- Analyze the results from automated web testing tools to remove false positives and validate findings
- Use python to create testing and exploitation scripts during a penetration test
- Create configurations and test payloads within other web attacks
- Use FuzzDB to generate attack traffic to find flaws such as Command Injection and File Include issues
- Assess the logic and transaction flaw within a target application to find logic flaws and business vulnerabilities
- Use the rerelease of Durzosploit to obfuscate XSS payloads to bypass WAFs and application filtering
- Analyze traffic between the client and the server application using tools such as Ratproxy and Zed Attack Proxy to find security issues within the client-side application code
- Use BeEF to hook victim browsers, attack the client software and network and evaluate the potential impact XSS flaws have within an application
- Perform a complete web penetration test during the Capture the Flag exercise to pull all of the tech- niques and tools together into a comprehensive test
Press & Reviews
"Sec 542 is my 10th SANS course. Kevin is definitely one of the best I have encountered. Truly motivational." - Joe Hamm, US. Army
"This course taught me to truly focus on the methodology while performing a pen test. During the CTF, I realized how much time can be wasted if you fail to respect your methodology." - Sean Rosado, RavenEye
"The Sec542 tools and course presentation are top-notch. I'll be using this material extensively." - Jeremy Pierson, Academy Mortgage
"Sec542 provides rapid exposure to a variety of tools and techniques invaluable to recon on target site." - Gareth Grindle, QA Ltd.
"With the infinite tools used for web application penetration, SEC 542 helps you understand/use the best tools for your environment." -Linh Sithihao, UT South Western Medical Center
"Testing the security of Web applications is not as simple as just knowing what SQL injection and cross-site scripting mean. Successful testers understand that methodical, thorough testing is the best means of finding the vulnerabilities within the applications. This requires a deep understanding of how Web applications work and what attack vectors are available. This course provides that understanding by examining the various parts of a Web application penetration. When teaching the class, I especially enjoy the use of real-world exercises and the in-depth exploration of Web penetration testing."