WEB APPLICATION PENETRATION TESTING
VERSION 2

The most practical and comprehensive training course on web application pentesting.

eLearnSecurity has been chosen by students in over 140 countries in the world and by leading organizations such as:

INTRODUCTION

COURSE GOALS

The Web Application Penetration Testing course (WAPT) is an online, self-paced training course that provides all the advanced skills necessary to carry out a thorough and professional penetration test against modern web applications.

Thanks to the extensive use of Hera Lab and the coverage of the latest research in the web application security field, the WAPT course is not only the most practical training course on the subject but also the most up to date.

This course, although based on the offensive approach, provides advice and best practices to solve security issues detected during a penetration test.

COURSE ORGANIZATION

The training course is completely self-paced, with interactive slides and videos that students can access online without any limitation. Students have lifetime access to the training material.

Students can study from home, the office or anywhere an internet connection is available.

This course, Web Application Penetration Testing v2, is integrated with Hera Labs: the most sophisticated virtual lab in IT Security. A minimum of 60 hours is advised. For more intensive use, 120 hours may be necessary. The Hera Lab provides a dedicated and isolated environment where a student can practice topics seen in the course.

Course Home Page:

TARGET AUDIENCE AND PRE-REQUISITES

The WAPT training course benefits the career of penetration testers and IT Security personnel in charge of defending their organization's web applications.

This course allows organizations of all sizes to assess and mitigate the risks their web applications are exposed to, by building strong, practical in-house skills.

Penetration testing companies can now train their teams with a comprehensive and practical training course without having to deploy internal labs that are often outdated and not backed by solid theoretical material.

A student who wants to enroll in the course must possess a solid understanding of web applications and web application security models.

No programming skills are required. However, snippets of JavaScript/HTML/PHP code will be used during the course.

WILL I GET A CERTIFICATE?

The WAPT course leads to the eWPT certification.

The certification can be obtained by successfully completing the requirements: a practical penetration test exam that consists of a complex, real-world web application hosted in our eLearnSecurity Hera Labs.

An eWPT voucher is included in all the plans of the WAPT course.

ORGANIZATION OF CONTENTS

The student is provided with a suggested learning path to ensure the maximum success rate at the minimum effort.

Module 1: Penetration Testing Process
Module 2: Introduction to Web Applications
Module 3: Information Gathering
Module 4: Cross-Site Scripting
Module 5: SQL Injection
Module 6: Authentication and Authorization
Module 7: Session Security
Module 8: Flash Security
Module 9: HTML5
Module 10: File and Resource Attacks
Module 11: Other Attacks
Module 12: Web Services
Module 13: XPath

WEB APPLICATION PENETRATION TESTING

MODULE 1: PENETRATION TESTING PROCESS

This module helps the penetration tester gain confidence with the processes and legal matters involved in a penetration testing engagement.

Students will learn methodologies and the best practices for reporting in order to become a confident and professional penetration tester.

This is a wealth of information that will be useful throughout the entire career of a penetration tester.

1. Introduction
1.1. Pre-engagement
1.1.1. Rules of Engagement
1.1.1.1. Goal
1.1.1.2. Scope of engagement
1.1.2. Timetable
1.1.3. Liabilities and Responsibilities
1.1.3.1. Non-disclosure agreements
1.1.3.2. Emergency Plan
1.1.4. Allowed Techniques
1.1.5. Deliverables
1.2. Methodologies
1.2.1. PTES
1.2.2. OWASP Testing Guide
1.3. Reporting
1.3.1. What do clients want?
1.3.2. Writing the report
1.3.2.1. Reporting Phase
1.3.2.2. Understanding your audience
1.3.2.3. Report Structure
  Executive Summary
  Risk Exposure over time
  Successful attacks by type
  Vulnerabilities by cause
  Vulnerability Report
  Remediation Report
1.3.3. Report templates and guides

MODULE 2: INTRODUCTION TO WEB APPLICATIONS

During this introductory module, the student will learn and understand the basics of web applications.

In-depth coverage of the Same Origin Policy and cookies will help both experienced and non-experienced penetration testers gain critical foundational skills useful for the rest of the training course.

At the end of the module, the student will become familiar with tools such as Burp Suite and OWASP ZAP.

This module is an important introduction necessary for a heavily practical, advanced course.

Hera Labs are included in this module

2. Introduction to Web Applications
2.1. HTTP/S Protocol Basics
2.1.1. HTTP Request
2.1.2. HTTP Response
2.1.3. HTTP Header Field Definitions
2.1.4. HTTPS
2.2. Encoding
2.2.1. Introduction
2.2.2. Charset
2.2.2.1. ASCII
2.2.2.2. Unicode
2.2.3. Charset vs. Charset Encoding
2.2.3.1. Unicode Encoding
2.2.3.2. HTML Encoding
  HTML Entities
2.2.3.3. URL Encoding (percent encoding)
  Base64
2.3. Same Origin
2.3.1. Origin definition
2.3.2. What does SOP protect from?
2.3.3. How SOP works
2.3.4. Exceptions
2.3.4.1. window.location
2.3.4.2. document.domain
2.3.4.3. Cross window messaging
2.3.4.4. Cross Origin Resource Sharing

2.4. Cookies
2.4.1. Cookies Domain
2.4.1.1. Specified cookie domain
2.4.1.2. Unspecified cookie domain
2.4.1.3. Internet Explorer Exception
2.4.2. Inspecting the Cookie Protocol
2.4.2.1. Login
2.4.2.2. Set-Cookie
2.4.2.3. Cookie
2.4.3. Cookie Installation
2.4.3.1. Correct cookie installation
2.4.3.2. Incorrect cookie installation
2.5. Sessions
2.6. Web Application Proxies
2.6.1. Burp Suite
2.6.2. OWASP ZAP

MODULE 3: INFORMATION GATHERING

Every penetration test begins with the Information Gathering phase. This is where a pentester understands the application from a functional point of view and collects useful information for the following phases of the engagement.

A multitude of techniques will be used to collect behavioral, functional, applicative, and infrastructural information.

The students will use a variety of tools to retrieve readily-available information from the target.

Hera Labs are included in this module

3. Information Gathering
3.1. Gathering information on your target
3.1.1. Finding owner, IP, and emails
3.1.1.1. Whois
  Command line
  Web-based tool
3.1.1.2. DNS
3.1.1.3. Nslookup
  Find target ISP
  Netcraft

3.2. Infrastructure
3.2.1. Fingerprinting the web server
3.2.1.1. Netcat
3.2.1.2. WhatWeb
3.2.1.3. Wappalyzer
3.2.1.4. Web server modules
3.2.2. Enumerating subdomains
3.2.2.1. Netcraft
3.2.2.2. Google
3.2.2.3. Subbrute
3.2.2.4. Dnsrecon
3.2.2.5. TheHarvester
3.2.2.6. Zone transfer
3.2.3. Finding virtual hosts
3.3. Fingerprinting frameworks and applications
3.3.1. Third party add-ons
3.3.2. Mapping results
3.4. Fingerprinting custom applications
3.4.1. Burp target crawler
3.4.2. Creating a functional graph
3.4.3. Mapping the attack surface
3.4.3.1. Client side validation
3.4.3.2. Database interaction
3.4.3.3. File uploading and downloading
3.4.3.4. Display of user-supplied data
3.4.3.5. Redirections
3.4.3.6. Access control and login-protected pages
3.4.3.7. Error messages
3.4.3.8. Charting
3.5. Enumerating resources
3.5.1. Crawling the website
3.5.2. Finding hidden files
3.5.2.1. Back up and source code
3.5.2.2. Enumerating user accounts
3.5.2.3. Map
3.6. Relevant information through misconfigurations
3.6.1. Directory listing
3.6.2. Log and configuration files
3.6.3. HTTP verbs and file upload
3.7. Google hacking

3.7.1. Search operators
3.8. Shodan HQ

MODULE 4: CROSS-SITE SCRIPTING

In this module, the most widespread web application vulnerability will be dissected and studied in depth.

At first, you are provided with a theoretical explanation; this understanding will help you in the exploitation and remediation process.

Later, you will have the opportunity to master all the techniques to find XSS vulnerabilities through black box testing.

Hera Labs are included in this module

4. Cross-Site Scripting
4.1. Cross-Site Scripting
4.1.1. Basics
4.2. Anatomy of an XSS Exploitation
4.3. The three types of XSS
4.3.1. Reflected XSS
4.3.2. Persistent XSS
4.3.3. DOM-based XSS
4.4. Finding XSS
4.4.1. Finding XSS in PHP code
4.5. XSS Exploitation
4.5.1. XSS and Browsers
4.5.2. XSS Attacks
4.5.2.1. Cookie Stealing through XSS
4.5.2.2. Defacement
4.5.2.3. XSS for advanced phishing attacks
4.5.2.4. BeEF
4.6. Mitigation
4.6.1. Input Validation
4.6.2. Context-Aware output encoding
4.6.3. Never trust user input

MODULE 5: SQL INJECTION

This module contains the most advanced techniques for finding and exploiting SQL injections, from the explanation of the most basic SQL injection up to the most advanced.

Advanced methods will be taught with real-world examples using the best tools, and demonstrated on real targets.

You will not just be able to dump remote databases but also get root on the remote machine through advanced SQL Injection techniques.

5. SQL Injection
5.1. Introduction to SQL Injections
5.1.1. SQL Statements
5.1.1.1. SELECT
5.1.1.2. UNION
5.1.2. SQL Queries inside web applications
5.1.3. Vulnerable dynamic queries
5.1.4. How dangerous is a SQL Injection
5.1.5. SQLi attacks classification
5.1.5.1. In-band SQLi
5.1.5.2. Error-based SQLi
5.1.5.3. Blind SQLi
5.2. Finding SQL Injections
5.2.1. Simple SQL Injection scenario
5.2.2. SQL errors in web applications
5.2.3. Boolean-based detection
5.2.3.1. Example
5.3. Exploiting In-band SQL Injections
5.3.1. First scenario
5.3.2. In-band attack challenges
5.3.3. Enumerating the number of fields in a query
5.3.3.1. Different DBMS UNION mismatch errors
5.3.4. Blind enumeration
5.3.5. Identifying field types
5.3.6. Dumping the database content
5.4. Exploiting Error-based SQL Injections
5.4.1. MS SQL Server Error-based exploitation
5.4.2. The CAST Technique

5.4.3. Finding the DBMS version
5.4.4. Dumping the database data
5.4.4.1. Finding the current username
5.4.4.2. Finding readable databases
5.4.4.3. Enumerating database tables
5.4.4.4. Enumerating columns
5.4.4.5. Dumping data
5.4.5. Video – Error-based SQLi
5.4.6. MySQL Error-based SQLi
5.4.7. PostgreSQL Error-based SQLi
5.4.8. Developing Error-based SQLi Payloads
5.5. Exploiting blind SQLi
5.5.1. String extraction
5.5.2. Detecting the current user
5.5.3. Scripting blind SQLi data dump
5.5.4. Exploiting blind SQLi
5.5.4.1. String extraction
5.5.5. Optimizing blind SQLi
5.5.6. Time-based blind SQLi
5.6. SQLMap
5.6.1. Basic syntax
5.6.2. Extracting the database banner
5.6.3. Information Gathering
5.6.4. Extracting the Database
5.6.5. Extracting the Schema
5.6.6. Video – SQL Injection
5.6.7. Video – SQLMap
5.6.8. SQLMap Advanced Usage
5.6.8.1. Forcing the DBMS
5.6.8.2. Fine tuning the payloads
5.6.8.3. Aggressiveness and load
5.6.9. Conclusions
5.7. Mitigation Strategies
5.7.1. Prepared statements
5.7.1.1. Implementation
5.7.2. Type casting
5.7.3. Input validation
5.8. From SQLi to Server Takeover
5.8.1. Advanced MS SQL Server Exploitation
5.8.1.1. xp_cmdshell

5.8.1.2. Internal Network Host Enumeration
5.8.1.3. Port Scanning
5.8.1.4. Reading the File System
5.8.1.5. Uploading Files
5.8.1.6. Storing Command Results into a Temporary Table
5.8.2. Advanced MySQL Exploitation
5.8.2.1. Reading the File System
5.8.2.2. Uploading Files
5.8.2.3. Executing Shell Commands
5.8.3. Conclusions

MODULE 6: AUTHENTICATION AND AUTHORIZATION

Any application with a minimum of complexity requires authentication at some point. The chances are that the authentication mechanisms in place are not sufficient or are simply broken, exposing the organization to serious security issues leading to a complete compromise of the web application and the data it stores.

In this module, the student will learn the most common authentication mechanisms, their weaknesses and the related attacks: from inadequate password policies to weaknesses in the implementation of common features.

Hera Labs are included in this module

6. Authentication and Authorization
6.1. Introduction
6.1.1. Authentication vs. Authorization
6.1.2. Authentication factors
6.1.2.1. Single-factor authentication
6.1.2.2. Two-factor authentication
6.2. Common Vulnerabilities
6.2.1. Credentials over unencrypted channel
6.2.2. Inadequate password policy
6.2.2.1. Dictionary attacks
6.2.2.2. Brute force attacks
6.2.2.3. Defending from inadequate password policy
  Strong password policy
  Storing hashes
  Lockout/Blocking requests

6.2.3. User enumeration
6.2.3.1. Via error messages
6.2.3.2. Via website behavior
6.2.3.3. Via timing attacks
6.2.3.4. Taking advantage of user enumeration
6.2.4. Default or easily-guessable user accounts
6.2.5. The remember me functionality
6.2.5.1. Cache browser method
6.2.5.2. Cookie method
6.2.5.3. Web storage method
6.2.5.4. Best defensive techniques
6.2.6. Password reset feature
6.2.6.1. Easily guessable answers
6.2.6.2. Unlimited attempts
6.2.6.3. Password reset link
6.2.7. Logout weaknesses
6.2.7.1. Incorrect session destruction
6.2.8. CAPTCHA
6.3. Bypassing Authorization
6.3.1. Insecure direct object references
6.3.1.1. Best defensive techniques
6.3.2. Missing function level access control
6.3.3. Parameter modification
6.3.3.1. Vulnerable web application
6.3.4. Incorrect redirection
6.3.4.1. Redirect to protect contents
6.3.4.2. Best defensive techniques
6.3.5. SessionID prediction
6.3.6. SQL Injections
6.3.7. Local file inclusion and path traversal

MODULE 7: SESSION SECURITY

Session-related vulnerabilities, along with extensive coverage of the most common attacking patterns, are the subject of this module.

Code samples on how to prevent session attacks are provided in PHP, Java and .NET.

At the end of the module, the student will master offensive as well as defensive procedures related to session management within web applications.

Hera Labs are included in this module

7. Session Security
7.1. Weaknesses of the session identifier
7.2. Session hijacking
7.2.1. Session Hijacking via XSS
7.2.1.1. Exploit session hijacking via XSS
7.2.1.2. Preventing session hijacking via XSS
  PHP
  Java
  .NET
7.2.2. Session Hijacking via Packet Sniffing
7.2.3. Session Hijacking via access to the web server
7.3. Session Fixation
7.3.1. Attacks
7.3.1.1. Set the SessionID
7.3.1.2. Force the victim
7.3.1.3. Vulnerable web application
7.3.2. Preventing Session Fixation
7.4. Cross-Site Request Forgeries
7.4.1. Finding CSRF
7.4.2. Exploiting CSRF
7.4.3. Preventing CSRF

MODULE 8: FLASH SECURITY AND ATTACKS

Flash, although a dying technology, is still present on millions of websites.

Flash files can expose a web application and its users to a number of security risks, which are covered in this module.

The student will first study the Flash security model and its pitfalls, and then move on to using the most recent tools to find and exploit vulnerabilities in Flash files. After having studied this module, students will never look at SWF files the same way.

8. Flash Security and Attacks
8.1. Introduction
8.1.1. ActionScript
8.1.1.1. Compiling and decompiling
8.1.2. Embedding Flash in HTML

8.1.2.1. The allowScriptAccess attribute
8.1.3. Passing arguments to Flash files
8.1.3.1. Direct reference
8.1.3.2. Flash embedded in HTML
8.1.3.3. FlashArgs attribute
8.2. Flash Security Model
8.2.1. Sandboxes
8.2.2. Stakeholders
8.2.2.1. Administrative role
8.2.2.2. User role
8.2.2.3. Website role
8.2.2.4. URL policy file
8.2.2.5. Author role
8.2.3. Calling JavaScript from ActionScript
8.2.4. Calling ActionScript from JavaScript
8.2.5. Method NavigateToURL
8.2.6. Local shared object
8.3. Flash Vulnerabilities
8.3.1. Flash parameter injection
8.3.2. Fuzzing Flash with SWFInvestigator
8.3.3. Finding hardcoded sensitive information
8.4. Pentesting Flash Applications
8.4.1. Analyzing client-side components
8.4.2. Identifying communication protocol
8.4.3. Analyzing server-side components

MODULE 9: HTML5

This module provides an extremely in-depth coverage of all the attack vectors and weaknesses introduced by the new W3C standards and protocols, both drafted and finalized.

We will go through the most important elements of HTML5 and especially the new CORS paradigm that completely changes the way the SOP is applied to most modern web applications. By mastering this module in theory and practice, the student will possess an arsenal of penetration testing techniques that are still unknown to the vast majority of penetration testers.

A number of Hera labs are available to practice topics covered within this module.

This module will also bring a penetration tester's skills to the next level with next-generation attack vectors that are going to affect web applications for the next decade.

Hera Labs are included in this module

9. HTML5
9.1. Cross-Origin Resource Sharing
9.1.1. Same Origin Policy issues
9.1.2. Cross-Domain Policy in Flash
9.1.3. Cross-Origin Resource Sharing
9.1.3.1. Cross-Origin Ajax requests
9.1.3.2. Requests
  Simple request
  Preflighted request
  Request with credentials
9.1.3.3. Access Control Headers
  Access-Control-Expose-Headers
  Access-Control-Request-Headers
9.2. Cross-Windows Messaging
9.2.1. Relationship between windows
9.2.2. Sending messages
9.2.3. Receiving messages
9.2.4. Security issues
9.2.4.1. Cross-Domain XSS
9.3. Web Storage
9.3.1. Different storages
9.3.1.1. Local storage
9.3.1.2. Session storage
9.3.2. Local storage APIs
9.3.2.1. Adding an item
9.3.2.2. Retrieving an item
9.3.2.3. Removing an item
9.3.2.4. Removing all items

9.3.3. SessionStorage APIs
9.3.4. Security Issues
9.3.4.1. Stealing local storage via JS
9.4. WebSocket
9.4.1. Real-time applications using HTTP
9.4.2. WebSocket – a new W3C standard
9.4.2.1. Benefits
9.4.3. WebSocket API
9.4.4. Security Issues
9.5. Sandboxed frames
9.5.1. Security issues before HTML5
9.5.1.1. Redirection
9.5.1.2. Accessing the parent document from iframe
9.5.2. HTML5 sandbox attribute

MODULE 10: FILE AND RESOURCE ATTACKS

During this module, the student will practice a number of vulnerabilities that affect web application files and resources.

The student will learn how to identify and exploit path traversal, file inclusion and unrestricted file upload vulnerabilities.

Hera Labs are included in this module

10. File and Resource Attacks
10.1. Path Traversal
10.1.1. Path conversion
10.1.2. Encoding
10.1.3. Best defensive techniques
10.2. File Inclusion Vulnerabilities
10.2.1. Local File Inclusion (LFI)
10.2.2. Remote File Inclusion (RFI)
10.3. Unrestricted File Upload
10.3.1. Vulnerable web application
10.3.1.1. The attack
10.3.2. Best defensive techniques
10.3.2.1. Filtering based on file content

MODULE 11: OTHER ATTACKS AND VULNERABILITIES

During this module, the student will practice a number of vulnerabilities that, despite being less known or publicized, are still affecting a number of web applications across many different programming languages and platforms.

Advanced clickjacking attacks are covered in depth with real-world examples and dissected real-world attacks.

The level of depth and the amount of practical sessions during this module will provide even seasoned penetration testers with new ways to break the security of their targets.

Hera Labs are included in this module

11. Other Attacks
11.1. Clickjacking
11.1.1. Understanding Clickjacking
11.1.2. Feasibility study
11.1.2.1. Case 1: Clickjacking is possible
11.1.2.2. Case 2: Clickjacking is not possible
11.1.3. Building a malicious web page
11.1.4. Spreading the malicious link
11.1.5. Waiting for the victim's click
11.1.6. Best defensive techniques
11.1.6.1. The old school
11.1.6.2. Using the HTTP header X-Frame-Options
11.1.7. Likejacking in Facebook
11.1.8. Cursorjacking
11.2. HTTP Response Splitting
11.2.1. Typical vulnerable scenario
11.2.2. XSS through HTTP response splitting
11.2.3. Bypassing Same Origin Policy
11.2.3.1. Attack explained
11.2.3.2. Best defensive techniques
11.2.3.3. Defense in PHP
11.3. Business Logic Flaws
11.3.1. Vulnerable web application
11.3.2. Best defensive techniques
11.4. Denial of Service

11.4.1. Different DoS attacks
11.4.1.1. DoS due to huge number of requests
11.4.1.2. DoS due to greedy pages
11.4.2. Best defensive techniques

MODULE 12: WEB SERVICES

Professional penetration testers should master all aspects related to web services testing.

Web services nowadays are the data and logic providers for a variety of thin and thick clients, from web application clients to mobile applications.

During this highly in-depth module, the student will first become familiar with web services paradigms and protocols and then learn all the most important related security issues.

WSDL and SOAP testing will be covered not only in theory but also in practice in our Hera Lab.

Hera Labs are included in this module

12. Web Services
12.1. Introduction
12.2. Web Services Implementations
12.2.1. XML-RPC
12.2.2. JSON-RPC
12.2.3. SOAP
12.2.4. RESTful
12.3. The WSDL Language
12.3.1. Interaction between client and server
12.3.2. Objects in the WSDL
12.3.2.1. Binding
12.3.2.2. PortType
12.3.2.3. Operation
12.3.2.4. Interface
12.3.2.5. Message
12.3.3. SOAP in action
12.3.4. Further reading
12.4. Attacks

12.4.1. WSDL Disclosure
12.4.1.1. Google hacking
12.4.1.2. Discovering WSDL files
12.4.1.3. Public Web Services
12.4.2. WSDL Scanning
12.4.2.1. Attack in action
12.4.3. SOAPAction Spoofing
12.4.3.1. Prerequisites for the attack
12.4.3.2. Attack in action
12.4.3.3. Best defensive techniques
12.4.4. SQLi through SOAP messages
12.4.4.1. Best defensive techniques

MODULE 13: XPATH INJECTION

XPath is the XML standard that allows web applications to query XML databases.

In this module, the student will learn advanced XPath injection techniques, in theory and in practice in Hera Lab.

Hera Labs are included in this module

13. XPath Injection
13.1. XML Documents and Databases
13.2. XPath
13.2.1. XPath expression and syntax
13.2.2. XPath vs. SQL
13.3. Detecting XPath Injection
13.3.1. Error-based injection
13.3.2. Blind injection
13.3.2.1. Detect true condition
13.3.2.2. Detect false condition
13.3.3. Exploitation
13.3.3.1. Bypass XPath query
13.3.3.2. Extracting the XML document structure
13.3.3.3. Finding out the root node
13.3.3.4. Finding the first child node name
13.3.3.5. Finding the content of a node
13.4. Best Defensive Techniques

We are eLearnSecurity.

Based in Santa Clara, California, and with offices in Pisa, Italy, and Dubai, UAE, Caendra Inc. is a trusted source of IT security skills for IT professionals and corporations of all sizes. Caendra Inc. is the Silicon Valley-based company behind the eLearnSecurity brand.

eLearnSecurity has proven to be a leading innovator in the field of practical security training, with best-of-breed virtualization technology and in-house projects such as the Coliseum Web Application Security Framework and the Hera Network Security Lab, which have changed the way students learn and practice new skills.

Contact
