|
 Introduction to Web Application Penetration Testing:
Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software. (Source: Payment Card Industry (PCI) Data Security Standard).
A web application penetration test is a critical method of evaluating the security of a web application. This test simulates an attack from a malicious source and may involve active exploitation of security vulnerabilities.
The deliverables of the penetration test usually include:
- findings of the test
- assessment of the potential impact,
- technical solutions.
The primary objective of the penetration test is to determine:
- the feasibility of an attack, and
- the business impact of a successful malicious exploit.
Syllabus Outline
The outline of the course syllabus is as under:
- Information Gathering
- Testing: Spiders, robots, and Crawlers
- Search engine discovery/Reconnaissance
- Identification of application entry points
- Testing for Web Application Fingerprint
- Application Discovery
- Analysis of Error Codes
- Configuration Management Testing
- SSL/TLS Testing
- DB Listener Testing
- Infrastructure configuration management testing
- Application configuration management testing
- Testing for File extensions handling
- Old, backup and unreferenced files
- Infrastructure and Application Admin Interfaces
- Testing for HTTP Methods and XST
- Authentication Testing
- Credentials transport over an encrypted channel
- Testing for user enumeration
- Default or guessable (dictionary) user account
- Testing For Brute Force
- Testing for Bypassing authentication schema
- Testing for Vulnerable remember password and password reset
- Testing for Logout and Browser Cache Management
- Testing for Captcha
- Testing for Multiple factors Authentication
- Testing for Race Conditions
- Session Management Testing
- Testing for Session Management Schema
- Testing for Cookies attributes
- Testing for Session Fixation
- Testing for Exposed Session Variables
- Testing for CSRF
- Authorization testing
- Testing for path traversal
- Testing for bypassing authorization schema
- Testing for Privilege Escalation
- Business logic testing
- Data Validation Testing
- Testing for Reflected Cross Site Scripting
- Testing for Stored Cross Site Scripting
- Testing for DOM based Cross Site Scripting
- Testing for Cross Site Flashing
- SQL Injection
- Oracle Testing
- MySQL Testing
- SQL Server Testing
- MS Access Testing
- Testing PostgreSQL
- LDAP Injection
- ORM Injection
- XML Injection
- SSI Injection
- XPath Injection
- IMAP/SMTP Injection
- Code Injection
- OS Commanding
- Buffer overflow Testing
- Heap overflow
- Stack overflow
- Format string
- Incubated vulnerability testing
- Testing for HTTP Splitting/Smuggling
- Denial of Service Testing
- Testing for SQL Wildcard Attacks
- Locking Customer Accounts
- Buffer Overflows
- User Specified Object Allocation
- User Input as a Loop Counter
- Writing User Provided Data to Disk
- Failure to Release Resources
- Storing too Much Data in Session
- Web Services Testing
- WS Information Gathering
- Testing WSDL
- XML Structural Testing
- XML Content-level Testing
- HTTP GET parameters/REST Testing
- SOAP attachments
- Replay Testing
- AJAX Testing
- AJAX Vulnerabilities
- Testing For AJAX
Course Delivery
Data64 Official Courseware is currently not provided for this course. Reference material is provided in electronic form.
This course is currently available in online mode for Indian citizens residing in India.
* The discounted student fee is for persons below 25 years of age who are pursuing a graduation or post graduation degree course at a recognized college / university. Please send a photocopy of your college or university identity card along with your application form.
Course participants are eligible to attend a one day extensive training session at Pune.
|
Web Application Penetration Testing
