SEC542: Web App Penetration Testing and Ethical Hacking

GIAC Web Application Penetration Tester (GWAPT)
GIAC Web Application Penetration Tester (GWAPT)
  • In Person (6 days)
  • Online
36 CPEs
SEC542 enables students to assess a web application's security posture and convincingly demonstrate the business impact should attackers exploit the discovered vulnerabilities. You will practice the art of exploiting web applications to find flaws in your enterprise's web apps. You'll learn about the attacker's tools and methods and, through detailed hands-on exercises, you will learn a best practice process for web application penetration testing, inject SQL into back-end databases to learn how attackers exfiltrate sensitive data, and utilize cross-site scripting attacks to dominate a target infrastructure. 30+ Hands-on Labs

What You Will Learn

If your organization does not properly test and secure its web applications, adversaries can compromise these apps, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.

SEC542 helps students move beyond push-button scanning to professional, thorough, high-value web application penetration testing.

Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions. Adversaries increasingly focus on these high-value targets, either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.

SEC542 enables students to assess a web application's security posture and convincingly demonstrate the business impact should attackers exploit discovered vulnerabilities.

Modern cyber defense requires a realistic and thorough understanding of web application security issues. Anyone can learn to sling a few web hacks, but effective web application penetration testing requires something deeper.

SEC542 gives novice students the information and skills to become expert penetration testers with practice and fills in all the foundational gaps for individuals with some penetration testing background.

Students will come to understand common web application flaws, as well as how to identify and exploit them, focusing on the potential business impact. The course guides students through a proven, repeatable process tailored for comprehensive web application assessments. This systematic approach equips students with skills for conducting evaluations that not only identify security issues but also demonstrate their implications for business. This course aims to enhance organizational security by building skilled penetration testers. It emphasizes not just the technical aspects of hacking, but also the importance of thorough documentation and reporting to convey the significance of web application vulnerabilities.

In addition to high-quality course content, SEC542 focuses heavily on in-depth, hands-on labs and capstone capture the flag (CTF) event to ensure that students can immediately apply all they learn.

In addition to walking students through web app penetration using more than 30 formal hands-on labs, the course culminates in a web application pen test tournament, powered by the SANS Netwars cyber range. This Capture-the-Flag event groups students into teams to apply their newly acquired command of web application penetration testing techniques in a fun way that hammers home the lessons learned throughout the course.

Course Topics

  • Interception Proxies
    • ZAP (Zed Attack Proxy)
    • BurpSuite Professional
  • Common Vulnerabilities
    • SSL/TLS Misconfigurations
    • Username Harvesting
    • Password Spraying
    • Authorization Flaws (Direct Object Reference)
    • Command Injection
    • SQL Injection
    • Cross-Site Scripting (XSS)
    • Server-Side Request Forgery (SSRF)
    • Insecure Deserialization
    • XML External Entities (XXE)
    • Local and Remote File Inclusion (LFI / RFI)
    • Cross-Site Request Forgery (CSRF)
    • XML External Entities (XXE)
    • Logic Flaws
  • Information Gathering
    • Target Profiling
    • Application Discovery
    • Virtual Host Discovery
    • Vulnerability Scanning
  • Authentication and Authorization
  • Session Management Flaws
  • Automated Exploitation

Business Takeaways:

  • Apply a repeatable methodology to deliver high-value penetration tests
  • Discover and exploit key web application flaws
  • Explain the potential impact of web application vulnerabilities
  • Convey the importance of web application security to an overall security posture
  • Wield key web application attack tools efficiently
  • How to write web application penetration test reports

You Will Be Able To:

  • Apply OWASP's methodology to your web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control.
  • Assess both traditional server-based web applications, as well as modern AJAX-heavy applications that interact with APIs.
  • Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives.
  • Manually discover key web application flaws.
  • Use Python to create testing and exploitation scripts during a penetration test.
  • Discover and exploit SQL Injection flaws to determine true risk to the victim organization.
  • Understand and exploit insecure deserialization vulnerabilities with ysoserial and similar tools.
  • Create configurations and test payloads within other web attacks.
  • Fuzz potential inputs for injection attacks with ZAP, Burp's Intruder and ffuf.
  • Explain the impact of exploitation of web application flaws.
  • Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and BurpSuite Pro to find security issues.
  • Leverage resources, such as the browser's developer tools, to assess findings within the client-side application code.
  • Manually discover and exploit vulnerabilities such as Command Injection, Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), and more.
  • Learn strategies and techniques to discover and exploit blind injection flaws.
  • Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application.
  • Use the Nuclei tool to perform scans of target web sites/servers.
  • Perform two complete web penetration tests, one during the first five sections of course instruction, and the other during the Capture the Flag exercise.

Hands-On Training

SANS SEC542 employs hands-on labs throughout the course to further students' understanding of web application penetration concepts. Some of the many hands-on labs in the course include:

  • Introducing Interception Proxies
  • DNS Harvesting and Virtual Host Discovery
  • Authentication Bypass
  • BurpSuite Pro's Sequencer
  • Insecure Deserialization
  • Reflected and Persistent XSS Attacks
  • DOM-Based XSS Attacks
  • Spidering and Forced Browsing
  • Testing HTTPS
  • Fuzzing
  • Vulnerability Scanning
  • WPScan
  • SQL Injection
  • Blind SQL Injection
  • Server-Side Request Forgery
  • CSRF Exploitation
  • XML External Entities
  • File Upload and Webshells
  • Metasploit for Web Application Attacks
  • Leveraging the sqlmap tool
  • BeEF and Browser Exploitation
  • Username Harvesting
  • Password Guessing Attacks
  • JSON Web Token (JWT) Attacks
  • Flask Session Cookies
  • HTML Injection
  • Remote File Inclusion
  • Local File Inclusion
  • OS Command Injection
  • Drupalgeddon and Drupalgeddon 2 Exploitation
  • Python for Web Application Pen Testers
  • Troubleshooting when automated tools fail
  • Extensive use of both BurpSuite Pro and ZAP throughout the course

What You Will Receive

  • Course media that includes both web application attack tools, as well as many vulnerable web applications for testing and training within the classroom and beyond
  • Audio recordings of the course to review material after class
  • A custom virtual machine tailored specifically for web application penetration testing, with all labs installed locally so they can be repeated even after the course

Syllabus (36 CPEs)

Download PDF
  • Overview

    Successful web application penetration testing hinges on understanding the attacker's perspective. This course begins with an in-depth look at foundational web technologies from this viewpoint, covering protocols, languages, clients, and server architectures. Special emphasis is placed on techniques for DNS reconnaissance, including the discovery and analysis of virtual hosts, as well as understanding the nuances of the HTTP protocol, such as HTTP response and cookie security controls, and HTTP methods.

    A key component of the course is the OWASP-developed assessment methodology, which plays a pivotal role in delivering high-quality assessments. Essential tools in a penetration tester's toolkit are discussed, with a particular focus on interception proxies. Students are guided through the initial configuration of important tools like the Zed Attack Proxy (ZAP) and BurpSuite Professional. Both tools are extensively used for proxying SSL traffic and exploring vulnerable web applications.

    Section one also delves into the intricacies of Secure Sockets Layer (SSL) configurations, highlighting common weaknesses. It guides students through the process of target discovery and profiling, utilizing tools like cURL, nmap, and testssl.sh for content discovery and spidering/crawling of web applications. Hands-on labs provide practical experience in reconnaissance to identify potential configuration flaws and build a comprehensive profile of each server

    Topics
    • Overview of the web from a penetration tester's perspective
    • Web application assessment methodologies
    • The penetration tester's toolkit
    • Interception proxies
    • Proxying SSL through BurpSuite Pro and Zed Attack Proxy
    • DNS reconnaissance
    • Virtual host discovery
    • The HTTP protocol
      • HTTP response security controls
      • Cookie security controls
      • HTTP methods
    • Secure Sockets Layer (SSL) configurations and weaknesses
    • Target discovery and profiling
    • Content Discovery: Spidering/Crawling
  • Overview

    This section of the course continues the information gathering process, introducing essential techniques such as fuzzing, vulnerability scanning, and forced browsing. These methods, complementing the initial steps discussed in the previous section, are crucial for acquiring the comprehensive details needed to effectively analyze vulnerabilities in web applications. Emphasizing the significance of this phase in the penetration testing process, the course includes many hands-on labs. These labs are designed to enhance students' proficiency with essential tools such as interception proxies and command line utilities like ffuf, ensuring a comprehensive understanding of both the theory and practice of these advanced testing methods.

    As vulnerability scanning and forced browsing progress, the course next addresses key elements of web application assessments: authentication, authorization, and session management. Students are introduced to a range of authentication mechanisms, including Basic, Digest, Forms, Windows Integrated, SAML, and OAuth. The course not only explains the workings of these technologies but also delves into various attack vectors associated with them. Practical exercises include username enumeration, password guessing, and leveraging both interception proxies and command-line fuzzers. Additionally, a dedicated lab utilizing Burp Suite's Sequencer feature provides hands-on experience in identifying predictable session identifiers, a key skill in assessing session security.

    Topics
    • Fuzzing
    • Information Leakage
    • Burp Professional's Vulnerability Scanning
    • Content Discovery: Forced Browsing
    • Finding unlinked content with ZAP and ffuf
    • Web authentication mechanisms
    • Federated Identity and Access Protocols (SAML and OAuth)
    • JWTs and Flask Session Cookies
    • Username harvesting and password guessing
    • Session management and attacks
    • Burp sequencer
  • Overview

    Section 3 of the course delves into authentication and authorization bypasses, illustrating how these vulnerabilities can expose sensitive data and business functions to attackers. It wraps up with a hands-on lab where students exploit authentication and authorization flaws in Mutillidae, providing practical experience in identifying and leveraging such weaknesses.

    At this point in the course, we consider that the results of vulnerability scans should be available. Students will work with common vulnerabilities and investigate those that necessitate manual, human intervention. This phase leverages the knowledge gained from earlier exercises in target profiling, spidering, and forced browsing, enhancing students' abilities to uncover and validate vulnerabilities within an application.

    A significant focus is placed on manual testing techniques for vulnerability discovery, particularly using interception proxies. The course introduces various common injection flaws, including command injection, local file inclusion (LFI), and remote file inclusion (RFI), each complemented by lab exercises for practical application and reinforcement of the concepts.

    In addition, the course covers the intricate topic of insecure deserialization in object-oriented programming languages. Through the accompanying lab, students will exploit a Java insecure deserialization vulnerability to extract a secret file from a vulnerable web application, demonstrating the complexity and impact of chaining vulnerabilities.

    A substantial portion of this section is dedicated to SQL injection, given its prevalence and the significant impact it can have. This includes traditional and blind SQL injection, error-based SQL injection, and the exploitation of these vulnerabilities. Students will learn both the theoretical aspects and practical application, including the use of specialized tools like sqlmap, to master this critical area of web application penetration testing.

    Topics
    • Authentication and authorization bypass
    • Command injection: Blind and Non-Blind
    • Directory traversal
    • Local File Inclusion (LFI)
    • Remote File Inclusion (RFI)
    • Insecure Deserialization
    • SQL injection
    • Blind SQL injection
    • Error-based SQL injection
    • Exploiting SQL injection
    • SQL injection tools: sqlmap
  • Overview

    Section four advances the exploration of injection flaws, with a focus on Cross-Site Scripting (XSS) vulnerabilities, encompassing reflected, stored, and DOM-based XSS. The section emphasizes manual discovery methods through hands-on labs, where students utilize developer tools in browsers to analyze client-side JavaScript in modern web applications.

    This section also introduces the Browser Exploitation Framework (BeEF), a tool used in multiple labs. The course delves into AJAX, examining how it extends the attack surface for penetration testers and interacts with other vulnerabilities previously covered.

    The use of tools like Postman and SOAPUI are reviewed with respect to working with REST (Representational State Transfer) and SOAP (Simple Object Access Protocol) APIs, providing insights into these web services. Section four concludes with an in-depth look at server-side request forgery (SSRF) and XML external entities (XXE), each accompanied by a lab exercise. The SSRF lab, in particular, demonstrates the chaining of multiple vulnerabilities, integrating concepts and techniques learned earlier in the course.

    Topics
    • Cross-Site Scripting (XSS)
    • Browser Exploitation Framework (BeEF)
    • AJAX
    • XML and JSON
    • Document Object Model (DOM)
    • API attacks
    • Data attacks
    • REST and SOAP
    • Prototype Pollution
    • Server-Side Request Forgery (SSRF)
    • XML External Entity (XXE)
  • Overview

    Section five escalates the course to actual exploitation of real-world applications, demonstrating how to expand a foothold within an application and extend it to the network it resides on. This part of the course emphasizes leveraging previously discovered vulnerabilities to gain deeper access, underscoring the cyclical nature of web application penetration testing.

    The section acknowledges that modern web applications are often inadequately monitored, presenting opportunities for attackers to exploit vulnerabilities undetected. To address this, the course briefly looks into logging configuration and basic incident response testing, emphasizing the importance of proper monitoring for security events.

    A focused discussion on the OWASP Top 10 for Large Language Models (LLM) provides insights into common vulnerabilities in web applications utilizing LLM technology.

    In the exploitation phase, the course expands on the use of tools such as ZAP, BurpSuite Pro, sqlmap, and Metasploit to craft exploits against various web applications. Students engage in practical exercises, launching SQL injection and Cross-Site Request Forgery attacks, among others. These exercises include data theft, session hijacking, website defacement, shell gaining, network pivoting, and more, offering a comprehensive understanding of the potential business impacts of these flaws.

    Students are also introduced to Nuclei, a modern, open-source vulnerability scanner popular among bug bounty hunters, in a lab that combines its use with Metasploit.

    The final lab of section five presents a challenging scenario where a Metasploit module fails to exploit a confirmed vulnerability. Students learn to research the flaw, manually exploit it, and then modify the Metasploit module to successfully gain a shell, equipping them with skills to go beyond automated tools.

    The course concludes with guidance on preparing for penetration testing assessments and essential post-assessment activities, including report writing.

    Topics
    • Cross-Site Request Forgery (CSRF)
    • Logic Flaws
    • Logging and monitoring
    • Python for web app penetration testing
    • WPScan
    • ExploitDB
    • BurpSuite Pro scanner
    • Nuclei
    • Metasploit
    • When tools fail
    • Business of Penetration Testing:
      • Preparation
      • Post Assessment and Reporting
  • Overview

    During section six, students form teams and compete in a web application penetration testing tournament. This Netwars-powered Capture-the-Flag exercise provides students an opportunity to wield their newly developed or further-honed skills to answer questions, complete missions, and exfiltrate data, applying skills gained throughout the course. The style of challenge and integrated hint system allows students of various skill levels to both enjoy a game environment and solidify the skills learned in class.

GIAC Web Application Penetration Tester

The GIAC Web Application Penetration Tester (GWAPT) certification validates a practitioner's ability to better secure organizations through penetration testing and a thorough understanding of web application security issues. GWAPT certification holders have demonstrated knowledge of web application exploits and penetration testing methodology.

  • Web application overview, authentication attacks, and configuration testing
  • Web application session management, SQL injection attacks, and testing tools
  • Cross site request forgery and scripting, client injection attack, reconnaissance and mapping
More Certification Details

Prerequisites

SEC542 assumes students have a basic working knowledge of the Linux command line.

Courses that lead in to SEC542:

Courses that are good follow-ups to SEC542:

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC542 SYSTEM HARDWARE REQUIREMENTS

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 50GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY SEC542 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

Students routinely show up to SEC542 having been demoralized by their organization's web application vulnerability scanner. Sitting on the business end of these scanners, students regularly attest to 1,000+ pages of output littered with false positives. One of the most rewarding aspects of teaching SEC542 is seeing and hearing those very same students' enthusiasm for applying the skills they have learned through the week to the applications they are responsible for securing. They intrinsically knew the push-button approach to penetration testing was failing them, but lacked the knowledge and skill to ably and efficiently perform any other style of assessment. We are happy to say that SEC542 remedies this problem. Students walk away from class with a deep knowledge of key web application flaws and how to discover and exploit them, as well as how to present these findings in an impactful way.

- Eric Conrad, Timothy McKenzie, and Bojan Zdrnja

"Eric Conrad was awesome. The real life experiences he shared really helped us understand the content."

- Hadis Ali, AWS

Reviews

This course taught me to truly focus on the methodology while performing a pen test. During the Capture the Flag event, I realized how much time can be wasted if you fail to respect your methodology.
Sean Rosado
RavenEye
As a developer, SEC542 is exactly the kind of course I needed. It showed us what the bad guys look for, which helps protect our software.
Derrick Jackson
Magellan Midstream
SEC542 provides rapid exposure to a variety of tools and techniques invaluable to recon on target site.
Gareth Grindle
QA Ltd.

    Register for SEC542

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...