
Healthcare Cyber Security Summit

San Francisco, CA | Wed, Dec 3 - Wed, Dec 10, 2014

SEC542: Web App Penetration Testing and Ethical Hacking

Fri, December 5 - Wed, December 10, 2014

Day after day, SEC542 proved to be the best training I've ever taken. Great content, easy-to-follow lab instructions, lots of fun, and the instructor, Eric Conrad, is just fantastic! SANS is super!

Mike Arakji, Dept. of Fiscal

Web app attacks have always been a mystery to me. How do they work? How can I detect them and stop them? SEC542 has answered those questions within the first three days!

Danny Eddy, ADM

Web applications play a vital role in every modern organization. This becomes apparent when adversaries compromise these applications, damage business functionality and steal data.

Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems. SEC542 helps students move beyond push-button penetration testing to professional web application penetration testing that finds flaws before the adversaries discover and abuse them.

Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used tools within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, so, not surprisingly, every major industry study finds that web application flaws play a major role in significant breaches and intrusions. Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.

Modern cyber defense requires a realistic and thorough understanding of web application security issues. Anyone can learn to sling a few web hacks, but web application penetration testing requires something deeper. SEC542 will enable students to capably assess a web application's security posture and convincingly demonstrate the impact of inadequate security that plagues most organizations. Students will come to understand major web application flaws and their exploitation and, most importantly, learn a field-tested and repeatable process to consistently find these flaws and convey what they have learned to their organizations.


Even technically gifted security geeks often struggle with helping organizations understand risk in terms relatable to business. Much of the art of penetration testing has less to do with learning how adversaries are breaking in than it does with convincing an organization to take the risk seriously and employ appropriate countermeasures. The goal of SEC542 is to better secure organizations through penetration testing, and not just show off hacking skills. The course will help you demonstrate the true impact of web application flaws through exploitation.

Beyond high-quality course content, SEC542 focuses heavily on hands-on exercises to ensure that students can immediately apply all they learn. The world-class team of seasoned security professionals who serve as SEC542 instructors ensures that you will be taught by someone who is both a gifted instructor and a skilled practitioner. In addition to more than 30 formal hands-on labs throughout the course, there is also a Capture the Flag event on the final day during which students work in teams to perform a web application penetration test from start to finish.

Course Topics

  • Interception Proxies
  • SQL Injection
  • Blind SQL Injection
  • Reflected Cross-Site Scripting (XSS)
  • Stored Cross-Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Cross-Site Request Forgery (CSRF/XSRF)

You Will Learn:

  • To apply a repeatable methodology to deliver high-value penetration tests.
  • How to discover and exploit key web application flaws.
  • How to explain the potential impact of web application vulnerabilities.
  • The importance of web application security to an overall security posture.
  • How to wield key web application attack tools more efficiently.


Course Syllabus

Eric Conrad
Fri Dec 5th, 2014
9:00 AM - 5:00 PM


Understanding the attacker's perspective is key to successful web application penetration testing. The course begins by thoroughly examining web technology, including protocols, languages, clients and server architectures, from the attacker's perspective. We will also examine different authentication systems, including Basic, Digest, Forms and Windows Integrated authentication, and discuss how servers use them and attackers abuse them.

We then turn to the four steps that make up our process for conducting web application penetration tests: reconnaissance, mapping, discovery and exploitation. During the next few days, we will delve into each of these steps more deeply. On the first day we review the fundamental principles of each phase and discuss how we will use them together as a cyclical attack process. We will then cover the types of penetration testing and what pieces need to be part of a report. To complete the course day, we will explore and learn JavaScript from an attacker's perspective.

CPE/CMU Credits: 6

  • Overview of the web from a penetration tester's perspective
  • Exploring the various servers and clients
  • Discussion of the various web architectures
  • Discovering how session state works
  • Discussion of the different types of vulnerabilities
  • Defining a web application test scope and process
  • Defining types of penetration testing

Eric Conrad
Sat Dec 6th, 2014
9:00 AM - 5:00 PM


The second day starts the actual penetration testing process, beginning with the reconnaissance and mapping phases. Reconnaissance includes gathering publicly available information regarding the target application and organization, identifying the machines that support our target application and building a profile of each server, including the operating system, specific software and configuration. Our discussion will be augmented by practical, hands-on exercises in which we conduct reconnaissance against an in-class target.

In the mapping phase, we will build a map or diagram of the application. This involves identifying the components, analyzing the relationship between them and determining how the pieces work together. We will specifically consider how the session management system works within an application, which will help us identify potential vulnerabilities during sections that follow.

CPE/CMU Credits: 6

  • Discovering the infrastructure within the application
  • Identifying the machines and operating systems
  • Secure Sockets Layer (SSL) configurations and weaknesses
  • Exploring virtual hosting and its impact on testing
  • Learning methods to identify load balancers
  • Software configuration discovery
  • Exploring external information sources
  • Google hacking
  • Learning tools to spider a website
  • Scripting to automate web requests and spidering
  • Application flow charting
  • Relationship analysis within an application
  • JavaScript for the attacker

Eric Conrad
Sun Dec 7th, 2014
9:00 AM - 5:00 PM


This section continues to explore our methodology with the discovery phase. We will build on the information gathered the previous day, exploring methods to find and verify vulnerabilities within the application. Students will also begin to explore the interactions between the various vulnerabilities.

The primary topic on this course day will be manual testing techniques for vulnerability discovery. To facilitate manual testing, we kick off the day with an introduction to Python and a hands-on exercise working with it.

In addition to custom scripts, we will focus on developing in-depth knowledge of interception proxies for web application vulnerability discovery. A highlight of the day will be spending significant time working with both traditional and blind SQL injection flaws.

Throughout the discovery phase, we will explore both manual and automated methods of discovering vulnerabilities within applications and discuss the circumstances under which each is appropriate.

CPE/CMU Credits: 6

  • Vulnerability discovery overview
  • Creating custom scripts for penetration testing
  • Python for penetration testing
  • Web app vulnerabilities and manual verification techniques
  • Interception proxies
  • Fiddler
  • Zed Attack Proxy (ZAP)
  • Burp Suite
  • Information leakage and directory browsing
  • Username harvesting
  • Command Injection
  • Directory traversal
  • SQL injection
  • Blind SQL injection

Eric Conrad
Mon Dec 8th, 2014
9:00 AM - 5:00 PM


On day four, students will continue exploring the discovery phase of the methodology. We will cover methods to discover key vulnerabilities within web applications, such as Cross-Site Scripting and Cross-Site Request Forgery. Manual discovery methods will be employed during hands-on exercises.

The course day will also include a detailed discussion of AJAX that will explore how it enlarges the attack surface leveraged by penetration testers. We will also explore how AJAX is affected by the vulnerabilities already explored.

After detailing the various vulnerabilities and manual discovery methods, day four will conclude with a review of various automated web application vulnerability scanners, such as Skipfish and w3af, to complement our previous coverage of Burp Suite.

CPE/CMU Credits: 6

  • Cross-Site Scripting (XSS)
  • Cross-Site Scripting discovery
  • Cross-Site Request Forgery (CSRF)
  • Session flaws
  • Session fixation
  • AJAX
  • Logic attacks
  • API attacks
  • Data binding attacks
  • ratproxy
  • Automated web application scanners
  • skipfish
  • w3af

Eric Conrad
Tue Dec 9th, 2014
9:00 AM - 5:00 PM


On the fifth day we will launch actual exploits against real-world applications, building on the previous three steps, expanding our foothold within the application, and extending it to the network on which it resides. As penetration testers, we will specifically focus on ways to leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of the four-step attack methodology.

During our exploitation, we will use tools such as the Burp Suite and Paros Proxy to help craft exploits against real-world applications like WordPress and AWStats. We will launch an SQL injection attack against WordPress, intercepting real transactions and modifying them. We will use cross-site scripting attacks against phpMyAdmin and phpBB to steal cookies and sessions from other users.

We will also explore the use of attack frameworks, such as AttackAPI and Browser Exploitation Framework (BeEF). We will discuss how the frameworks can help strengthen our testing process, gain access to browser history, port scan internal networks and search for other vulnerable web applications through zombie browsers.

We will also explore chaining multiple exploits. Students will build complex attack series to gain much greater access within the web applications. By fully uncovering vulnerabilities within applications using the same resources as attackers, we can provide organizations with the best assessment possible.

CPE/CMU Credits: 6

  • Exploring methods to zombify browsers
  • Discussing using zombies to port scan or attack internal networks
  • Exploring attack frameworks
  • Browser Exploitation Framework (BeEF)
  • Walking through an entire attack scenario
  • Exploiting the various vulnerabilities discovered
  • Leveraging attacks to gain access to the system
  • How to pivot our attacks through a web application
  • Understanding methods of interacting with a server through SQL injection
  • Exploiting applications to steal cookies
  • Executing commands through web application vulnerabilities

Eric Conrad
Wed Dec 10th, 2014
9:00 AM - 5:00 PM


On day six of the course, students will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this Capture the Flag event is for students to explore the techniques, tools and methodology they have learned over the last five days. They will be able to use these ideas and methods against a realistic intranet application. At the end of the day, students will provide a verbal report of the findings and methodology they followed to complete the test.

Students will be provided with a virtual machine that contains the SamuraiWTF web penetration testing environment. They will be able to use this both in the class and when they return to their jobs after completing the course.

CPE/CMU Credits: 6

Additional Information

Security 542 requires a Windows, Linux or Macintosh computer with the following minimum hardware requirements:

  • CPU: 2.0+ processor
  • RAM: 4 GB or higher
  • 15 GB free hard disk space
  • USB port
  • DVD ROM drive
  • Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you.)

Please install the following software on the computer:

  • VMware Workstation 9, Player 5, or Fusion 5 (or newer)

You must have the ability to disable the host firewall (Windows firewall or other third-party firewall), antivirus programs, or other security software running on your desktop. This usually means you need to have administrative privileges on the machine.

DO NOT plan on just killing your antivirus service or processes, because most antivirus tools still function even when their associated services and processes have been terminated.

If you have additional questions about the laptop specifications, please contact

  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects

SEC542 assumes students have a basic working knowledge of the Linux command line.


  • Course media that includes both web application attack tools, as well as many vulnerable web applications for testing and training within the classroom and beyond
  • Audio recordings of the course to review material after class
  • A custom virtual machine tailored specifically for web application penetration testing

  • Apply a detailed, four-step methodology to your web application penetration tests: reconnaissance, mapping, discovery and exploitation.
  • Analyze the results from automated web testing tools to remove false positives and validate findings.
  • Manually discover key web application flaws.
  • Use Python to create testing and exploitation scripts during a penetration test.
  • Create configurations and test payloads within other web attacks.
  • Fuzz potential inputs for injection attacks.
  • Explain the impact of exploitation of web application flaws.
  • Analyze traffic between the client and the server application using tools such as Ratproxy and Zed Attack Proxy to find security issues within the client-side application code.
  • Manually discover and exploit Cross-Site Request Forgery attacks.
  • Use Browser Exploitation Framework (BeEF) to hook victim browsers, attack the client software and network and evaluate the potential impact XSS flaws have within an application.
  • Perform a complete web penetration test during the Capture the Flag exercise to bring techniques and tools together into a comprehensive test.

SANS SEC542 employs hands-on labs throughout the course to further students' understanding of web application penetration concepts. Some of the many hands-on labs in the course include:

  • Assessing Web Authentication
  • Heartbleed exploitation
  • Mobile Application MITM
  • Reflective XSS Attacks
  • Persistent XSS Attacks
  • SQL Injection
  • Blind SQL Injection
  • CSRF Exploitation
  • Authentication Bypass
  • BeEF and Browser Exploitation
  • Session Hijacking
  • Username Harvesting
  • HTML Injection
  • Remote File Inclusion
  • Local File Inclusion
  • OS Command Injection
  • w3af
  • ratproxy
  • skipfish
  • Python for Web Application Penetration Testers
  • Penetration Testing with JavaScript
  • Extensive use of both Burp Suite and ZAP throughout the course

"This course taught me to truly focus on the methodology while performing a pen test. During the Capture the Flag event, I realized how much time can be wasted if you fail to respect your methodology." - Sean Rosado, RavenEye

"The SEC542 tools and course presentation are top-notch. I will be using this material extensively." - Jeremy Pierson, Academy Mortgage

"SEC542 provides rapid exposure to a variety of tools and techniques invaluable for recon on a target site." - Gareth Grindle, QA Ltd.

"With the infinite tools used for web application penetration, SEC542 helps you understand/use the best tools for your environment." - Linh Sithihao, UT South Western Medical Center

"Every class gives you invaluable information from real-world testing you cannot find in a book." - David Fava, The Boeing Company

Author Statement

Students routinely show up to SEC542 having been demoralized by their organization's web application vulnerability scanner. Sitting on the business end of these scanners, students regularly attest to 1,000+ pages of output littered with false positives. One of the most rewarding aspects of teaching SEC542 is seeing and hearing those very same students' enthusiasm for applying the skills they have learned through the week to the applications they are responsible for securing. They intrinsically knew the push-button approach to penetration testing was failing them, but lacked the knowledge and skill to ably and efficiently perform any other style of assessment. We are happy to say that SEC542 remedies this problem. Students walk away from class with a deep knowledge of key web application flaws and how to discover and exploit them, as well as how to present these findings in an impactful way. - Seth Misenar and Eric Conrad