Advanced Web App Penetration Testing and Ethical Hacking
This course is designed to teach you the advanced skills and techniques required to test web applications today. This advanced pen testing course uses a combination of lecture, real-world experiences, and hands-on exercises to educate you in the techniques used to test the security of enterprise applications. The final day of the course culminates in a Capture the Flag event, which tests the knowledge you will have acquired the previous five days.
We will begin by exploring specific techniques and attacks to which applications are vulnerable. These techniques and attacks use advanced ideas and skills to exploit the system through various controls and protections. This learning will be accomplished through lectures and exercises using real-world applications.
We will then explore encryption as it relates to web applications. You will learn how encryption works as well as techniques to identify the type of encryption in use within the application. Additionally, you will learn methods for exploiting or abusing this encryption, again through lecture and labs.
The next day of class will focus on how to identify web application firewalls, filtering, and other protection techniques. You will then learn methods to bypass these controls in order to exploit the system. You'll also gain skills in exploiting the control itself to further the evaluation of the security within the application.
Following these general exploits, you will learn techniques that target specific enterprise applications. You will attack systems such as content management and ticketing systems. We will explore the risks and flaws found within these systems and how to better exploit them. This part of the course will also include web services and mobile applications due to their prevalence within modern organizations.
This information-packed advanced pen testing course will wrap up with a full-day Capture the Flag (CtF) event. This CtF will target an imaginary organization's web applications and will include both Internet and intranet applications of various technologies. This event is designed to allow you to put the pieces together from the previous five days, reinforcing the information and learning you will have gained.
The SANS promise is that you will be able to use these ideas immediately upon returning to the office in order to better perform penetration tests of your web applications and related infrastructure. This course will enhance your exploitation and defense skill sets as well as fulfill a need to teach more advanced techniques than can be covered in the foundational course, Security 542: Web Application Penetration Testing and Ethical Hacking.
- An understanding of advanced web penetration techniques
- Skills to test and exploit specific target environments such as content management systems and infrastructure applications
- Understanding of encryption and its usage within web applications
- Methods to recognize and bypass application, platform, and WAF defenses
- Skills to test and evaluate web services used in an enterprise
- Understanding how to test backend services for mobile applications
SEC642.1: Advanced Discovery and Exploitation
As applications and their vulnerabilities become more complex, penetration testers have to be able to handle these targets. We will begin the class by exploring how Burp Suite works and more advanced ways to use it within your penetration-testing processes. The exploration of Burp Suite will focus on its ability to work within the traditional web penetration testing methodology and assist in manually discovering the flaws within the target applications.
Following this discussion, we will move into studying specific vulnerability types. This examination will explore some of the more advanced techniques for finding server-based flaws such as SQL injection. After discovering the flaws, we will then work through various ways to exploit these flaws beyond the typical means exhibited today. These advanced techniques will help penetration testers show the risks to which the flaws expose an organization.
CPE/CMU Credits: 6
- Review of the testing methodology
- Using Burp Suite in a web penetration test
- Examine how to use Burp Intruder to effectively fuzz requests
- Explore advanced discovery techniques for SQL injection and other server-based flaws
- Learn advanced exploitation techniques
SEC642.2: Discovery and Exploitation for Specific Applications
We will continue the exploration of advanced discovery and exploitation techniques. We'll start by exploring client-side flaws such as cross-site scripting (XSS) and cross-site request forgery (XSRF). We will explore some of the more advanced methods for discovering these issues. After finding the flaws, you will learn some of the more advanced methods of exploitation, such as scriptless attacks and building web-based worms using XSRF and XSS flaws within an application.
During the next part of the day we'll explore various popular applications and frameworks and how they change the discovery techniques within a web penetration test. This section of the class examines applications such as SharePoint and WordPress. These specific targets have unique needs and features that make testing them both more complex and more fruitful for the tester. This section of the class will help you understand these differences and make use of them in your testing.
CPE/CMU Credits: 6
- Discovering XSRF flaws within complex applications
- Learning about DOM-based XSS flaws and how to find them within applications
- Exploiting XSS using scriptless injections
- Bypassing anti-XSRF controls using XSS/XSRF worms
- Attacking SharePoint installations
- How to modify your test based on the target application
SEC642.3: Web Application Encryption
Cryptographic weaknesses are a common area where flaws are present, yet few penetration testers have the skill to investigate, attack, and exploit these flaws. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages or development frameworks make encryption services available to the developer, but do not inherently protect encrypted data from being attacked, or permit the developer to use cryptography in a weak manner. These implementation mistakes are going to be our focus in this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying which encryption scheme is in use to exploiting various flaws in the application's use of encryption or hashing.
CPE/CMU Credits: 6
- Explore how to identify the cryptography used in the web application
- Discover how to analyze and attack the encryption keys
- Exploiting stream cipher IV collisions
- Exploiting Electronic Codebook (ECB) Mode Ciphers with block shuffling
- Exploiting Cipher Block Chaining (CBC) Mode with bit flipping
SEC642.4: Mobile Applications and Web Services
Web applications are no longer limited to the traditional HTML-based interface. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems. After finishing up our discussion on cryptography attacks, you will learn how to build a test environment for testing the web services used by mobile applications. We will also explore various techniques to discover flaws within the applications and backend systems. These techniques will make use of tools such as Burp Suite and other automated toolsets.
CPE/CMU Credits: 6
- Attacking CBC chosen plaintext
- Exploiting CBC with padding oracles
- Understanding the mobile platforms and architectures
- Intercepting traffic to web services and from mobile applications
- Building a test environment
- Penetration testing of web services
SEC642.5: Web Application Firewall and Filter Bypass
Today, applications are using more security controls to help prevent attacks. These controls, such as Web Application Firewalls and filtering techniques, make it more difficult for penetration testers during their testing. These controls block many of the automated tools and simple techniques used to discover flaws today. This day you will explore techniques used to map the control and how it is configured to block attacks. You'll be able to map out the rule sets and determine the specifics of how it detects attacks. This mapping will then be used to determine attacks that will bypass the control. You'll use HTML5, Unicode, and other encodings that will enable your discovery techniques to work within the protected application.
CPE/CMU Credits: 6
- Understanding of web application firewalling and filtering techniques
- Explore how to determine the rule sets protecting the application
- Learn how HTML5 injections work
- Discover the use of Unicode and other encodings
SEC642.6: Capture the Flag
During day six of the class you will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this capture the flag event is for you to explore the techniques, tools, and methodology you will have learned over the last five days. You'll be able to use these ideas and methods against a realistic extranet and intranet. At the end of the day, you will provide a verbal report of the findings and methodology you followed to complete the test. Students will be provided with a virtual machine that contains the Samurai Web Testing Framework web penetration-testing environment. You will be able to use this both in the class and after leaving and returning to your jobs.
CPE/CMU Credits: 6
| Date | Time | Instructor |
|---|---|---|
| Mon Mar 10th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Wed Mar 12th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Mon Mar 17th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Wed Mar 19th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Mon Mar 24th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Wed Mar 26th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Mon Mar 31st, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Wed Apr 2nd, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Mon Apr 7th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Wed Apr 9th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Mon Apr 14th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
| Wed Apr 16th, 2014 | 7:00 PM - 10:00 PM ET | Justin Searle |
- Latest VMware Player, VMware Workstation, or VMware Fusion pre-installed before class begins. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality; however, VMware Player should be prepared as a backup just in case.
- Ability to disable all security software on your laptop, such as antivirus and/or firewalls
- At least twenty (20) GB of hard drive space
- At least four (4) GB of RAM
- An Ethernet port or Ethernet adapter to plug into a private, in-class network.
If you have additional questions about the laptop specifications, please contact email@example.com.
Who Should Attend
- Web penetration testers
- Security consultants
- QA testers
- System administrators
- IT managers
- System architects
This course assumes that you have a solid understanding of web penetration techniques and methodologies. You should be familiar with the HTTP protocol, HTML, web applications, and a scripting language such as Python. Successful completion of the GWAPT certification or having attended the SEC542 class would fulfill these prerequisites.
What You Will Receive
- A copy of the Samurai Web Testing Framework (SamuraiWTF), which includes some of the latest and greatest open-source penetration testing tools for web application testing
- Six course booklets including course slides, student notes, and multiple hands-on exercises for each day
- MP3 audio files of the complete course lecture
You Will Be Able To
- Assess and attack complex modern applications
- Understand the special testing and exploits available against content management systems such as SharePoint and WordPress
- Use techniques to identify and attack encryption within applications
- Identify and bypass web application firewalls and application filtering techniques to exploit the system
- Use exploitation techniques learned in class to perform advanced attacks against web application flaws such as XSS, SQL injection and CSRF
- Blind SQL injection data exfiltration via error messages and time delays
- Code execution via local file inclusion (LFI) vulnerabilities
- Creating and deploying XSS/XSRF worms
- Crypto exploits: stream cipher IV collisions, ECB shuffling, CBC bit flipping, and padding oracles
- WAF rule fingerprinting and bypass
Press & Reviews
"This course is outstanding! I would highly recommend it to pen-testers that have already a good grasp on 542 content." - Mark Geeslin, Citrix
What To Take Next?
Courses that Lead-in
- SEC542: Web App Penetration Testing and Ethical Hacking
- DEV522: Defending Web Applications Security Essentials
- SEC560: Network Penetration Testing and Ethical Hacking
Students who have taken SEC542 have learned the benefits of applying hands-on in-depth web application penetration testing techniques to take their assessments far beyond the limited push-button approach of purely automated scanners, but how do we take that to the next level? How can we dig deeper to find those vulnerabilities still hiding in our apps? In SEC642, I love seeing students get excited about taking SQLi, RFI/LFI, XSRF/XSS exploits to the next level, exploring the ins and outs of various web frameworks, testing for crypto flaws in cookies and parameter values that look like random characters to novice testers, working with alternate web interfaces like services and client side binaries, and probing the effectiveness of their WAFs. In SEC642 we get to step away from the basics and dig into advanced topics that can be leveraged in our assessments, exploring parts of our apps that are often overlooked or not considered testable by less experienced penetration testers. - Justin Searle