Security Testing Diploma

Web Application Pen-testing

Module 1

  1. Web Application (In)security
  2. Setting up a web application pentesting platform
  3. Installing vulnerable apps
  4. Burp Suite basics
  5. Analyzing traffic over HTTP
  6. Analyzing traffic over HTTPS

Module 2

  1. Understanding the HTTP protocol
  2. HTTP Headers
  3. Attacking HTTP Basic & Digest authentication
  4. Conducting a brute force attack

Module 3

  1. Analyzing the attack surface
  2. Information gathering
  3. Finding hidden URLs with DirBuster
  4. Identifying weak SSL certificates

Module 4

  1. Cross-Site Scripting (XSS) – Reflected, Stored and DOM based
  2. HTML Injection
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery (CSRF)
  6. Insufficient Transport Layer Protection
  7. Unvalidated Redirects and Forwards
  8. Cross-Origin Resource Sharing (CORS)
  9. Command Injection vulnerabilities
  10. Local file inclusion vulnerability
  11. Remote file inclusion vulnerability
  12. Insecure Direct Object Reference
  13. HTTP Response splitting
  14. SQL injection
  15. Attacking session management
  16. HTTP Response header injection
  17. Improper exception handling
  18. Server side code disclosure
  19. Chaining XSS with other attacks
  20. Targeting reset password functionality
  21. Business logic flaws

Module 5

  1. Securing Web apps
  2. Applying input validation
  3. IP Whitelisting
  4. Implementing access controls
  5. Removing HTTP headers
  6. Preventing CSRF with tokens
  7. Setting login limits
  8. Removing server configuration errors
  9. Identifying & fixing business logic issues