What You Will Learn
Can Your Web Applications Withstand the Onslaught of Modern Advanced Attack Techniques?
Modern web applications are growing more sophisticated and complex as they use exciting new technologies and support ever-more critical operations. Long gone are the days of basic HTML requests and responses. The complexity of HTTP and modern web applications is progressing at breathtaking speed. With the demands of highly available web clusters and cloud deployments, web applications are looking to deliver more functionality in smaller packets at a decreased strain on backend infrastructure. Welcome to an era that includes tricked-out cryptography, WebSockets, HTTP/2, and a whole lot more. Are your web application assessment and penetration testing skills ready to evaluate these impressive new technologies and make them more secure?
Are You Ready to Put Your Web Applications to the Test with Cutting-Edge Skills?
This pen testing course is designed to teach you the advanced skills and techniques required to test modern web applications and next-generation technologies. The course uses a combination of lectures, real-world experiences, and hands-on exercises to teach you the techniques to test the security of tried-and-true internal enterprise web technologies, as well as cutting-edge Internet-facing applications. The final course day culminates in a Capture-the-Flag competition where you will apply the knowledge you acquired during the previous five course sections in a fun environment based on real-world technologies.
Hands-on Learning of Advanced Web Application Exploitation Skills
We begin by exploring advanced techniques and attacks to which all modern-day complex applications may be vulnerable. We'll learn about new web frameworks and web backends, then explore encryption as it relates to web applications, digging deep into practical cryptography used by the web, including techniques to identify the type of encryption in use within the application and methods for exploiting or abusing it. We'll then look at alternative front ends to web applications and web services such as mobile applications, and examine new protocols such as HTTP/2 and WebSockets. The last section of the course, before the Capture-the-Flag competition, will focus on how to identify and bypass web application firewalls, filtering, and other protection techniques.
You Will Learn
- How to discover and exploit vulnerabilities in modern web frameworks, technologies, and backends
- Skills to test and exploit specific technologies such as HTTP/2, Web Sockets, and Node.js
- How to evaluate and find vulnerabilities in the many uses of encryption within modern web applications
- Skills to test and evaluate mobile backends and web services used in an enterprise
- Methods to recognize and bypass custom developer, web framework, and Web Application Firewall defenses
You Will Be Able To
- Perform advanced Local File Include (LFI)/Remote File Include (RFI), Blind SQL injection (SQLi), and Cross-Site Scripting (XSS) combined with Cross-Site Request Forger (XSRF) discovery and exploitation
- Exploit advanced vulnerabilities common to most backend language like Mass Assignments, Type Juggling, and Object Serialization
- Understand the special testing methods for content management systems such as SharePoint and WordPress
- Identify and exploit encryption implementations within web applications and frameworks
- Discover XML Entity and XPath vulnerabilities in SOAP or REST web services and other datastores
- Use tools and techniques to work with and exploit HTTP/2 and Web Sockets
- Identify and bypass Web Application Firewalls and application filtering techniques to exploit the system
What You Will Receive
- A copy of the SEC642 Slingshot VM, which includes some of the latest and greatest open-source penetration testing tools for web application testing and Burp Suite Pro
- A six-course session booklet that includes course slides, student notes, and multiple hands-on exercises for each day
Syllabus (36 CPEs)Download PDF
As applications and their vulnerabilities become more complex, penetration testers have to be able to handle advanced targets. We'll start the course with a warm-up pen test of a small application using Cross-Site Scripting based on the Document Object Model (DOM) to steal and use a Cross-site Request Forgery (CSRF) token. After our review of this exercise, we will explore some of the more advanced techniques for NoSQL Injection server-based flaws in MongoDB. We will then take a stab at Server-Side Request Forgery (SSRF), Lightweight Directory Access Protocol (LDAP) injection attacks, and Security Markup (SAML) Single Sign On (SSO) privilege escalation. HTTP Desynchronization attacks are also known as request smuggling, which can allow for Web Application Firewall (WAF) bypass. After discovering the flaws, we will work through various ways to exploit these flaws beyond the typical methods used these days. These advanced techniques will help penetration testers find ways to demonstrate these vulnerabilities to their organization through advanced and custom exploitation.
Activated the Burp Suite Pro license for training
- Getting warmed up with DOM-XSS
- Exploiting SSRF
- Exploiting LDAP injection
- Exploiting NoSQL injection
- HTTP desynchronization attacks
- Attacking SAML
- Review of the testing methodology
- Using Burp Suite in a web penetration test
- DOM-XSS to steal and use a CSRF token
- Discovering and exploiting SSRF
- Discovering and exploiting LDAP injection
- Discovering and exploiting NoSQL injection
- Using HTTP desynchronization attacks
- Performing privilege escalation in SAML SSO
- Learning advanced exploitation techniques
Cryptographic weaknesses are a major area of web application vulnerabilities, yet very few penetration testers have the skill to investigate, attack, and exploit these flaws. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages or development frameworks make encryption services available to the developer. However, they often do not protect encrypted data from being attacked, or they enable the developer to use cryptography only weakly. These implementation mistakes are going to be our focus in this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying types of encryption to exploiting various flaws within encryption or hashing techniques.
- Discovering and exploiting hash length extension attacks
- Exploiting weak keys chosen by the backend system
- Attacking stream ciphers
- Discovering and exploiting ECB Shuffling in web applications
- Discovering and exploiting CBC Bit Flipping in web applications
- Discovering and exploiting Padding Oracle Attack in web applications
- Identifying the cryptography used in the web application
- Identifying and exploiting hash length extension attacks
- Analyzing and attacking the encryption keys
- Exploiting stream cipher IV collisions
- Exploiting Electronic Codebook (ECB) Mode Ciphers with block shuffling
- Exploiting Cipher Block Chaining (CBC) Mode with bit flipping
- Vulnerabilities in PKCS#7 padding implementations
Web applications are no longer limited to the traditional HTML-based interfaces. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems. We will explore various techniques to discover flaws within the applications and backend systems. These techniques will make use of tools such as Burp Suite and other automated toolsets. We'll use lab exercises to explore the newer protocols of HTTP/2 and WebSockets, exploiting flaws exposed within each of them. We'll then examine a mobile backend, Representational State Transfer (REST) and Simple Object Access Protocol (SOAP) Application Programming Interfaces ( APIs), Graph Query Language (GraphQL), XML XPath injection, and XML External Entity (XXE) attacks.
- Playing with WebSockets in SocketToMe
- Discovering weaknesses in H2O's HTTP/2 implementation
- Wireshark stream extraction to interact with a mobile server
- Exploiting a REST API
- Exploring and exploiting a GraphQL service
- Exploring and exploiting XML XPath injection
- Exploring and exploiting XXE attacks
WebSocket protocol issues and vulnerabilities
New HTTP/2 and HTTP/3 protocol issues and penetration testing
- Interacting with a mobile application backend
- SOAP and REST web services
- Penetration testing of web services
- GraphQL services
- XML Xpath injection
- XML External Entities (XXE)
- Mass assignments
- Template injections
- Testing for and abusing SSJIs
- Authentication bypasses with type confusions
- PHP deserialization lab
- PHAR deserialization lab
- Web architectures
- MVC and its architecture components
- Modern PHP
- PHP deserialization bugs
- Deserialization through PHAR
This course section continues the topics of the previous section with web frameworks. We start with Ruby- and Rack-based applications such as Sinatra and Ruby on Rails. Developers can improperly set up the Rack-based applications, and as part of that misconfiguration, we explore the abuse of the middleware layer using Ruby deserialization techniques. Next we'll look at the Java Language and all its complexity. Some maintain that the Java language is a mature, enterprise language, while others claim it to be a complete security failure. Students will review Java's security features and its security failings to discover, assess, and exploit Java Applications. The section features a walkthrough on how to construct Java attacks through Reflection, Serialization Issues, RMI, and the use of Java-Jar-based payloads.
While the Modern Framework Sections ends in Java, students will continue on to the next topic on bypassing application protections. Applications today are using more security controls to help prevent attacks. These controls, such as Web Application Firewalls and filtering techniques, make it more difficult for penetration testers during their testing. The controls block many of the automated tools and simple techniques used to discover flaws. Students will use HTML5, UNICODE, and other encodings that enable discovery techniques to work within the protected application. In the final part of the class, we will abuse a PHP Language feature that uses operating system commands to do its work. Manipulating interpreter functionality like this can yield system compromise, and we demonstrate this in our final lab.
- Rack Cookie Deserialization lab
- Elasticsearch and Groovy Sandboxing lab
- Building Java Payloads
- Java Deserialization lab
- Testing and fingerprinting defense based on difficult-to-defend web vulnerabilities
- Working through XSS defenses compound data URIs
- Bypassing SQL injection defense with custom tamper scripts in sqlmap
- RCE Bypass through PHP and its Mail() function
- Ruby and Rack applications
- Java, Java Gadgets, and Java Payloads
- Java Payload Weaponization
- Java serialization
- Fingerprinting the defense techniques used
- Learning how HTML5 injections work
- Using UNICODE, CTYPEs, and Data URIs to bypass restrictions
- Bypassing a Web Application Firewall's best-defended vulnerabilities, XSS and SQLi
- Bypassing application restrictions
In this final course section you will be placed on a network and given the opportunity to complete an entire penetration test. The goal is for you to explore the techniques, tools, and methodology you will have learned during the previous five course section. You'll be able to use these skills against a realistic extranet and intranet. At the end of the challenge, you will provide a verbal report of the findings and methodology you followed to complete it. Students will be provided with a virtual machine that contains the SEC642 Slingshot Virtual Machine with Burp Suite Pro installed. You will be able to use this both in the class and after leaving and returning to your jobs.
This course assumes that you have a solid understanding of web penetration techniques and methodologies. You should be familiar with the HTTP protocol, HTML, and web applications. A minimum or one to two years of web penetration testing experience, successful completion of the GWAPT certification, or having attended the SEC542 course would fulfill these prerequisites.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
- x64-compatible 2.0 GHz CPU minimum or higher
- At least 20 GB of hard drive space
- At least 4 GB of RAM, preferably 8 GB of RAM
Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
VMware: Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 are not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class if they are enabled on your system by following instructions in this document.
IMPORTANT NOTE: While not usually necessary for this class, you may be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.
During the hands-on exercises, you will be connecting to the classroom network. While perpetration of any attack is contrary to exercise rules and SANS ethics policy, your laptop might nevertheless be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 to 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take for you to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"SANS SEC642: Advanced Web Application Penetration Testing, Ethical Hacking, and Exploitation Techniques picks up where other courses end. We explore modern applications, modern protocols, and modern attacks. We examine in detail the tools and techniques used to identify and exploit vulnerabilities in new ways. We truly take penetration testing of web applications to a whole new and more advanced level in this class. I have always found that giving back to the information security community has benefited my career more than anything else has. This is how we pay it forward. We hope that you enjoy this course as much as we did writing it!" - Adrien de Beaupre
"SEC642 is a fantastic course that teaches advanced techniques. Adrien de Beaupre is one of the best instructors I've had, and I will certainly take more courses he teaches in the future." - Walt Carruth, Real Page