WEB APPLICATION SECURITY TESTING

7 DAYS | HANDS-ON | LAPTOP REQUIRED | 42 CPEs

OWASP WAST GUIDE SCOPE | GWAPT & WASD CURRICULUM

Hack2Secure’s Workshop on Web Application Security Testing provides hands-on exposure to the tools and techniques required for different Web Security Risks and Attack vectors, using both Real-Time scenarios and a Simulated Lab environment.

Scoped around the OWASP Security Testing Guide, these intensive practical sessions provide a deep-dive on the practical tips and tricks required to evaluate, test and assess the Security of Web Applications. It also covers the OWASP Top 10 Web Security Risks from an analysis, testing and defense best-practices perspective.

This workshop also covers the scope of Vendor Independent Web Application Security Certification programs like GWAPT [GIAC’s Web Application Pentester] & WASD [Hack2Secure's Web Application Security Defender].

This program primarily utilizes tools like Burp Suite, Zed Attack Proxy (ZAP), Nmap, Metasploit Framework (from a Web Security perspective), FuzzDb, Nikto, W3af, SQLMAP, XSSer, BeEF etc., along with a number of other Web Security Assessment Scripts & Tools.

Alignment/Coverage

Certification Programs

  • WASD : Hack2Secure's Web Application Security Defender
  • GWAPT : GIAC's Web Application Penetration Tester

Security Standards & Practices

  • OWASP Testing Guide (v4)
  • NIST 800-115 : Technical Guide to Information Security Testing and Assessment
  • PCI DSS Penetration Testing Requirements

Key Take-Away

  • Active and Passive Reconnaissance methods
  • Google Hacking and Deep-Web
  • SSL/TLS Handshake and Testing methods
  • Scanning, Fingerprinting and Spidering
  • Authentication, Authorization and Accountability
  • Session Management & related Attacks
  • Cross Site Request Forgery
  • Python and JavaScript for Security Testers
  • SQL Injection
  • Local and Remote File Inclusion Vulnerabilities
  • Cross Site Scripting
  • Format String Vulnerabilities
  • Web Application Filters & Firewalls
  • W3af, Nikto, Metasploit Framework
  • BeEF, XSSer, SQLmap, Nmap, Recon-ng
  • Burp Suite and Zed Attack Proxy (ZAP)

Workshop Agenda

** For more detailed Agenda & LAB Scope, look into WAST Workshop Reference Guide **

Module#1: Building the Base [Concepts, Processes and Methodologies]

  • Understanding the Web, Web 2.0 & Web Sockets
  • Web Application Security: Current Approach, WAPT
  • Introducing Web Proxies: Burp Suite & ZAP
  • HTTP Protocol: History, Versions, Request Methods, Status Codes
  • HTTPS Protocol: Introduction, SSL/TLS Handshake, Testing Methods
  • Vulnerability Case Study: HeartBleed

Module#2: Casual Leakage Points [Reconnaissance]

  • Why Information Gathering
  • DNS Protocol: Overview, Working, Zone Transfers
  • Open Source Intelligence
  • Exploring Google Search: Keywords & Filters, Google Hacking Database (GHDB)
  • Exploring Deep-Web
  • Information Leakage from Public Sources
  • Website Mirroring

Module#3: Looking for Entry Point [Scanning, Fingerprinting & Spidering]

  • Scanning: Identifying Services & Configurations
  • Fingerprinting Web Server
  • Software Configuration level flaws
  • Vulnerability Case Study: ShellShock
  • Spidering/Crawling
  • Fuzzing: About, What to Look for
  • Directory Browsing

Module#4: Analysing A.A.A. Concerns

  • About Authentication, Different Schemes
  • Username Harvesting
  • Side Channel & Timing Attacks
  • Browser Cache Weakness
  • Cracking Weak Passwords
  • Single Sign-On
  • About Authorization
  • Insecure Direct Object References
  • Directory Traversal Attacks
  • About Accountability
  • Error Code Analysis
  • Security Best Practices for A.A.A.

Module#5: Session Management

  • Stateless Nature of HTTP
  • Introducing “Sessions” & Tracking Methods
  • Session Tokens or SessionID: Analysis & Exploring Randomness
  • Session Fixation, Hijacking, Tampering, Splitting & Smuggling
  • Securing Cookies: Flags & Attributes
  • Cross Site Request Forgery

Module#6: Python & JavaScript for PenTesters

  • Python & JavaScript: Primer
  • Crafting HTTP Requests & Attack scenarios with Python & JavaScript [LAB]

Module#7: Injection Attacks

  • Command Injection: About, Root Cause
  • [Local/Remote] File Inclusion Vulnerability
  • SQL Query: Primer
  • SQL Injection (SQLi): About, Root Cause, Analysis, Types & Attack Scope

Module#8: Cross Site Scripting (XSS)

  • Document Object Model (DOM)
  • XSS: Overview, How it Works, Types, Testing Methods & Attack Scope
  • Same Origin Policy
  • HTML Injection
  • XSS with POST
  • AJAX: Overview, XMLHttpRequest, Mash-Ups, Libraries/Frameworks & related Flaws, Exploring Attack Surfaces
  • JSON: Overview, Attacks
  • XSS on AJAX JSON Objects

Module#9: Buffer Overflow Attacks

  • Heap & Stack Overflow
  • Format String Vulnerabilities [LAB]

Module#10: Scanners & Frameworks

  • W3af [LAB]
  • Metasploit Framework [LAB]

Module#11: Web Application Filters and Firewall (WAF)

  • Web Application Defences: Filtering & Firewall
  • Filtering: .NET & ESAPI Filtering Options
  • Web Firewall: Types, Detection & Attack methods

Who should Attend this Workshop?

Security Team

  • Security Engineers and Testers
  • Application/Software Penetration Testers
  • Application/Software Security Analysts
  • Security Consultants
  • Auditors, Product Security Office
  • Security Managers

Software Development Team

  • Application/Software Developers
  • Quality Assurance Team
  • Application/Software Architects
  • Software Consultants
  • Research Engineers
  • Team Leads, Technical Managers

Students [Technical Stream] looking to pursue a career in Web Application Security Assessment/Testing

Anyone who wants to evaluate their skills in Web Application Security Assessment/Testing

WORKSHOP REGISTRATION PROCEDURE

For WAST_03

Batch Date: July 20-22, 26-29

For WAST_02

Batch Date: June 20-22, 29-30 & July 01-02

What to Expect?

  • 7 Days of intensive, deep-dive, hands-on practice sessions
  • Dedicated Lab Setup for each Student
  • Complimentary attempt at the WASD Exam
  • Slide-deck & Lab-guide
  • Training & CPE Certificate from Hack2Secure
  • Lunch & Snacks
  • Goodies (Surprises!!)

What NOT to Expect?

  • A deep-dive into basic Information Security concepts beyond the scoped curriculum
  • A deep-dive on any Web Programming Language or Technology
  • Any distribution of Licenses or Keys for Commercial Security Tools
  • Job Opportunity (But, it will be easy to find with this curriculum and skill-set)
  • Travel, Accommodation
  • Breakfast & Dinner

Requirements/Pre-requisites

  • Basic knowledge of UNIX & WINDOWS Operating Systems and Command line operations
  • Working Knowledge of Web related Concepts and the basic functionality of Protocols, especially HTTP
  • Basic understanding of web technologies and programming languages

Must Have

  • Students need to bring their own Laptop to access the Lab environment

Min. Laptop Configuration

Operating System: Windows 7, 8, 8.1, 10, Unix (Ubuntu)
RAM: Min. 4 GB (Recommended)
Modern Browser: Chrome, Firefox …
Ethernet Port (Must Have)

Software: VMware Player or Workstation

LAB Environment

  • Virtual Machine based dedicated practice environment for each individual
  • Lab environment contains all essential Scripts & Tools pre-installed, accessible via SSH, RDP and VNC interfaces
  • Lab environment contains the required Open-Source Tools for in-depth exploration
  • Target Servers will also be provided in the form of Virtual Machines, as part of the content take-away for further exploration
  • All required (open-source) security tools will be provided at the end of the session for further practice

Download: Web Application Security Testing [WAST] Reference Guide

Web Application Security Testing Workshop Schedule

Batch#       Duration  When                             Where           WASD Attempt              More Details
WAST_BLR_02  7 Days    June 20-22, 29-30 & July 01-02   H2S, Bangalore  Included (Complimentary)  Email us: training@hack2secure.com
WAST_BLR_03  7 Days    July 20-22, 26-29                H2S, Bangalore  Included (Complimentary)  Email us: training@hack2secure.com