Amsterdam October 2020 - Live Online

Virtual, Central European Summer Time | Mon, Oct 5 - Sat, Oct 10, 2020

SEC542: Web App Penetration Testing and Ethical Hacking

Mon, October 5 - Sat, October 10, 2020

Associated Certification: GIAC Web Application Penetration Tester (GWAPT)

Course Syllabus  ·  36 CPEs  ·   Lab Requirements
Instructor: Bojan Zdrnja  ·  Price: 6,595 EUR

Web applications play a vital role in every modern organization. But, if your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.

SEC542 helps students move beyond push-button scanning to professional, thorough, high-value web application penetration testing.

Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions. Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.

Modern cyber defense requires a realistic and thorough understanding of web application security issues. Anyone can learn to sling a few web hacks, but effective web application penetration testing requires something deeper.

SEC542 enables students to assess a web application's security posture and convincingly demonstrate the business impact should attackers exploit the discovered vulnerabilities.

Students will come to understand common web application flaws, as well as how to identify and exploit them with the intent of demonstrating the potential business impact. Along the way, students follow a field-tested and repeatable process to consistently find flaws. Information security professionals often struggle with helping organizations understand risk in terms relatable to business. Executing awesome hacks is of little value if an organization does not take the risk seriously and employ appropriate countermeasures. The goal of SEC542 is to better secure organizations through penetration testing, and not just show off hacking skills. The course will help students demonstrate the true impact of web application flaws not only through exploitation but also through proper documenting and reporting.

In addition to high-quality course content, SEC542 focuses heavily on in-depth, hands-on labs to ensure that students can immediately apply all they learn.

In addition to walking students through a web application penetration test using more than 30 formal hands-on labs, the course culminates in a web application pen test tournament, powered by the SANS NetWars Cyber Range. This Capture the Flag event on the final day brings students together in teams to apply their newly acquired command of web application penetration testing techniques in a fun way that hammers home the lessons learned.

Course Topics

  • Interception Proxies
    • ZAP (Zed Attack Proxy)
    • BurpSuite Professional
  • Common Vulnerabilities

    • SSL/TLS misconfigurations
    • Username harvesting
    • Command Injection
    • SQL Injection
    • Cross-Site Scripting (XSS)
    • Insecure Deserialization
    • XML External Entities (XXE)
    • Local and Remote File Inclusion (LFI / RFI)
    • Cross-Site Request Forgery (CSRF)
  • Open Source Intelligence (OSINT)
  • Target Profiling
  • Application Discovery
  • Authentication and Authorization
  • Session Management Flaws
  • Automated Exploitation

You Will Learn:

  • To apply a repeatable methodology to deliver high-value penetration tests.
  • How to discover and exploit key web application flaws.
  • How to explain the potential impact of web application vulnerabilities.
  • The importance of web application security to an overall security posture.
  • How to wield key web application attack tools more efficiently.
  • How to write web application penetration test reports.

Notice:

SEC542 students will receive licensing information in the SANS portal account that is linked to their registration. Please ensure that you can access the SANS portal account that is linked to your registration at the start of your course.

If you are registering another individual on behalf of your organization, you must register that individual using the email address that is linked to his or her SANS portal account. That will ensure that the individual can receive licensing information in his or her SANS portal account in order to be prepared with the proper equipment to complete the course (SEC542).

Course Syllabus


Bojan Zdrnja
Mon Oct 5th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST

Overview

Understanding the attacker's perspective is key to successful web application penetration testing. The course begins by thoroughly examining web technology, including protocols, languages, clients, and server architectures, from the attacker's perspective. We look at collecting open source intelligence (OSINT) specific to data points likely to help exploitation be more successful. We analyze the importance of encryption and HTTPS. Before leaving HTTPS, we dive into the infamous Heartbleed flaw and get our first taste of exploitation with a hands-on lab.

We look at the methodology promoted by OWASP to help ensure the delivery of high-quality assessments, as well as the things necessary for a penetration tester's toolkit. The most important tool, an interception proxy, is introduced through performing the initial configuration steps in OWASP's Zed Attack Proxy (ZAP) and BurpSuite Professional. To complete the course day, we explore aspects of a vulnerable web application using BurpSuite.

CPE/CMU Credits: 6

Topics
  • Overview of the web from a penetration tester's perspective
  • Web application assessment methodologies
  • The penetration tester's toolkit
  • WHOIS and DNS reconnaissance
  • Open source intelligence (OSINT)
  • The HTTP protocol
  • Secure Sockets Layer (SSL) configurations and weaknesses
  • Interception Proxies
  • Proxying SSL through BurpSuite Pro and Zed Attack Proxy
  • Heartbleed exploitation

Bojan Zdrnja
Tue Oct 6th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST

Overview

The second day begins with profiling the target(s) to understand the underlying configuration. The collected data is used to build a profile of each server and identify potential configuration flaws. The discussion is underscored through several practical, hands-on labs in which we conduct reconnaissance and use the Shellshock vulnerability to exploit a configuration flaw against in-class targets. The exploitation is an opportunity to get deeper hands-on experience with BurpSuite Pro, cURL, and manual exploitation techniques.

The system's configuration should involve proper logging and monitoring to ensure security-related events are not missed. We will briefly explore logging configuration and basic incident response testing.

We build a map or diagram of the application's pages and features. This phase involves identifying the components, analyzing the relationships between them, and determining how the pieces work together. We then dive deep into the spidering/crawling results, which represent a vital part of the overall penetration test, and perform forced browsing to find hidden content in a lab.

Towards the end of the day, we examine different authentication systems, including Basic, Digest, Forms, Windows Integrated and OAuth authentication, and discuss how servers use them and how attackers abuse them. We will perform username enumeration and, in the final exercise, use Burp's fuzzer, Intruder, to guess the password needed to successfully authenticate to a web application.

CPE/CMU Credits: 6

Topics
  • Target profiling
  • Collecting server information
  • Logging and Monitoring
  • Learning tools to spider a website
  • Analyzing website contents
  • Brute forcing unlinked files and directories
  • Fuzzing
  • Web authentication mechanisms
  • Username harvesting and password guessing
  • Burp Intruder

Bojan Zdrnja
Wed Oct 7th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST

Overview

After ending Day 2 with a successful authentication event, we begin by exploring how web applications track authenticated users and ways to exploit weaknesses in session management. We discuss authentication and authorization bypasses, which can expose sensitive data and business functions to attackers, and exploit an authentication flaw in Mutillidae.

We will build on the information identified during the target profiling, spidering, and forced browsing exercises, exploring methods to find and verify vulnerabilities within the application. Students also begin to explore the interactions between the various vulnerabilities.

This course day dives deeply into vital manual testing techniques for vulnerability discovery. We focus on developing in-depth knowledge of interception proxies for web application vulnerability discovery. Many of the most common injection flaws (command injection and local and remote file inclusion) are introduced and followed with lab exercises to reinforce discovery and exploitation.

A further section covers insecure deserialization, a common vulnerability in object-oriented programming languages; in a lab, students exploit a Java insecure deserialization vulnerability to steal a secret file from a vulnerable web application.

Due to its prevalence and the significant impact generally associated with the flaw, a significant portion of the day is devoted to traditional and blind SQL injection.

CPE/CMU Credits: 6

Topics
  • Session management and attacks
  • Authentication and authorization bypass
  • Mutillidae
  • Command Injection
  • Directory traversal
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Insecure Deserialization
  • SQL injection
  • Blind SQL injection
  • Error-based SQL injection
  • Exploiting SQL injection
  • SQL injection tools: sqlmap

Bojan Zdrnja
Thu Oct 8th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST

Overview

On day four, students continue exploring injection flaws. We cover methods to discover key vulnerabilities within web applications, such as XML External Entities (XXE). After XXE, the rest of the day introduces Cross-Site Scripting (XSS) vulnerabilities, including reflected, stored and DOM-based XSS. Manual discovery methods are employed during hands-on labs.

Day 4 also introduces BeEF to students, which is used in a lab. The course continues with a detailed discussion of AJAX as we explore how it enlarges the attack surface leveraged by penetration testers. We also analyze how AJAX is affected by other vulnerabilities already covered in depth earlier in the course.

The day ends with a lab in which an AJAX web application is exploited and then hooked with BeEF for total control.

CPE/CMU Credits: 6

Topics
  • XML External Entity (XXE)
  • Cross-Site Scripting (XSS)
  • Browser Exploitation Framework (BeEF)
  • AJAX
  • XML and JSON
  • Document Object Model (DOM)
  • API attacks
  • Data attacks

Bojan Zdrnja
Fri Oct 9th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST

Overview

On the fifth day, we launch actual exploits against real-world applications, expanding our foothold within the application, and extending it to the network on which it resides. As penetration testers, we specifically focus on ways to leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of web application penetration testing.

During our exploitation phase, we expand our use of tools such as ZAP and BurpSuite Pro, plus complement them with further use of sqlmap and Metasploit to help craft exploits against various web applications. We launch SQL injection and Cross-Site Request Forgery attacks, amongst others. In class we exploit these flaws to perform data theft, hijack sessions, deface a website, get shells, pivot against connected networks, and much more. Through various forms of exploitation, the student gains a keen understanding of the potential business impact of these flaws to an organization.

While the whole course is geared towards understanding how web application vulnerabilities work and how they can be exploited, on day five we also introduce the active scanner component in BurpSuite Pro.

To position students to take their skills to the next level, the last lab of day 5 looks at an instance where a Metasploit module fails to exploit a vulnerability that has been confirmed to exist in the target web application. We explore a process to research the flaw, manually exploit the vulnerability, and then reconfigure the Metasploit module to successfully gain a shell. This exercise gives students necessary skills to dig deeper when automated tools fail.

We wrap up course instruction by reviewing how to prepare for penetration testing assessments and important post assessment activities, such as report writing.

CPE/CMU Credits: 6

Topics
  • Cross-Site Request Forgery (CSRF)
  • Python for web app penetration testing
  • WPScan
  • ExploitDB
  • BurpSuite Pro scanner
  • Metasploit
  • When tools fail
  • Business of Penetration Testing:

    • Preparation
    • Methodology
    • Post Assessment and Reporting

Bojan Zdrnja
Sat Oct 10th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST

Overview

On day six, students form teams and compete in a web application penetration testing tournament. This NetWars-powered Capture the Flag exercise provides students an opportunity to wield their newly developed or further honed skills to answer questions, complete missions, and exfiltrate data, applying skills gained throughout the course. The style of challenge and integrated hint system allows students of various skill levels to both enjoy a game environment and solidify the skills learned in class.

CPE/CMU Credits: 6

Additional Information

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

Baseline Hardware Requirements

  • CPU: 64-bit Intel i5/i7 2.0+ GHz processor
  • BIOS: Enabled "Intel-VT"
  • USB: 3.0 Type-A Port
  • RAM: 8GB RAM (4GB min)
  • Hard Drive Free Space: 30 GB Free Space
  • Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Network, Wireless Connection: A wireless 802.11 B, G, N or AC network adapter is required.

Additional Software Requirements

  • Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class.
  • If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
  • Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
  • VMware Workstation Pro and VMware Player on Windows 10 are not compatible with the Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they are enabled on your system, by following the instructions in this document.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers, architects, and developers

SEC542 assumes students have a basic working knowledge of the Linux command line.

  • Course media that includes both web application attack tools, as well as many vulnerable web applications for testing and training within the classroom and beyond
  • Audio recordings of the course to review material after class
  • A custom virtual machine tailored specifically for web application penetration testing, with all labs installed locally so they can be repeated even after the course

  • Apply OWASP's methodology to your web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control.
  • Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives.
  • Manually discover key web application flaws.
  • Use Python to create testing and exploitation scripts during a penetration test.
  • Discover and exploit SQL Injection flaws to determine true risk to the victim organization.
  • Understand and exploit insecure deserialization vulnerabilities with ysoserial and similar tools.
  • Create configurations and test payloads within other web attacks.
  • Fuzz potential inputs for injection attacks.
  • Explain the impact of exploitation of web application flaws.
  • Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and BurpSuite Pro to find security issues within the client-side application code.
  • Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks.
  • Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application.
  • Perform two complete web penetration tests, one during the five days of course instruction, and the other during the Capture the Flag exercise.

SANS SEC542 employs hands-on labs throughout the course to further students' understanding of web application penetration concepts. Some of the many hands-on labs in the course include:

  • DNS Harvesting and Virtual Host Discovery
  • Authentication Bypass
  • Heartbleed Exploitation
  • Insecure Deserialization
  • Reflected and Persistent XSS Attacks
  • DOM-Based XSS Attacks
  • Spidering and Forced Browsing
  • WPScan
  • SQL Injection
  • Blind SQL Injection
  • CSRF Exploitation
  • XML External Entities
  • Metasploit for Web Application Attacks
  • Exploiting Shellshock
  • Leveraging the sqlmap tool
  • BeEF and Browser Exploitation
  • Username Harvesting
  • Password Guessing Attacks
  • HTML Injection
  • Remote File Inclusion
  • Local File Inclusion
  • OS Command Injection
  • Drupalgeddon and Drupalgeddon 2 Exploitation
  • BurpSuite Professional Scanner
  • Python for Web Application Pen Testers
  • Troubleshooting when automated tools fail
  • Extensive use of both BurpSuite Pro and ZAP throughout the course

"This course taught me to truly focus on the methodology while performing a pen test. During the Capture the Flag event, I realized how much time can be wasted if you fail to respect your methodology." - Sean Rosado, RavenEye

"SEC542 provides rapid exposure to a variety of tools and techniques invaluable to recon on target site." - Gareth Grindle, QA Ltd.

"As a developer, SEC542 opens my eyes to vulnerabilities I should be protecting against." - Timothy Phelps, Georgia Farm Bureau

"Network defenders traditionally view the security landscape from inside the castle walls, but SEC542 took me around the 'fortress' and helped me better conceptualize the target value of web applications." - Ryan Tomcik, Sony Corporation of America

Author Statement

Students routinely show up to SEC542 having been demoralized by their organization's web application vulnerability scanner. Sitting on the business end of these scanners, students regularly attest to 1,000+ pages of output littered with false positives. One of the most rewarding aspects of teaching SEC542 is seeing and hearing those very same students' enthusiasm for applying the skills they have learned through the week to the applications they are responsible for securing. They intrinsically knew the push-button approach to penetration testing was failing them, but lacked the knowledge and skill to ably and efficiently perform any other style of assessment. We are happy to say that SEC542 remedies this problem. Students walk away from class with a deep knowledge of key web application flaws and how to discover and exploit them, as well as how to present these findings in an impactful way. - Eric Conrad, Timothy McKenzie, and Bojan Zdrnja