logo

Mastering Modern Web Penetration Testing (CS8517)

We will cover web hacking techniques so you can explore the attack vectors during penetration tests. The course encompasses the latest technologies such as OAuth 2.0, Web API testing methodologies and XML vectors used by hackers. Some lesser discussed attack vectors such as RPO (relative path overwrite), DOM clobbering, PHP Object Injection and etc. has been covered in this course.

We'll explain various old school techniques in depth such as XSS, CSRF, SQL Injection through the ever-dependable SQLMap and reconnaissance.

Websites nowadays provide APIs to allow integration with third party applications, thereby exposing a lot of attack surface, we cover testing of these APIs using real-life examples.

This course will be a great benefit and will help you prepare fully secure applications.

Pohađajte naše hacking/cyber defense obuke u Beogradu, putem virtuelne učionice (online, uživo) ili u vašim prostorijama (on-site).

Specijalni popusti se odobravaju prilikom prijave više učesnika koji istovremeno pohađaju obuku iz vaše kompanije, državni i neprofitni sektor, itd. Kontaktirajte nas da biste saznali više.

Termini obuke

Trajanje obuke: 
3 dana / 21 sat

Privatni trening

On-site / Online
Minimalan broj polaznika: 3
3 dana / 21 sat
Cena na zahtev
srpski ili engleski
Plan obuke: 

Module 1: Common Security Protocols

  • SOP
  • CORS
  • URL encoding – percent encoding
  • Double encoding
  • Base64 encoding
  • Summary

Module 2: Information Gathering

  • Information gathering techniques
  • Enumerating Domains, Files, and Resources
  • Fierce
  • theHarvester
  • SubBrute
  • CeWL
  • DirBuster
  • WhatWeb
  • Shodan
  • DNSdumpster
  • Reverse IP Lookup – YouGetSignal
  • Pentest-Tools
  • Google Advanced Search
  • Summary

Module 3: Cross-Site Scripting

  • Reflected XSS
  • Stored XSS
  • Flash-based XSS – ExternalInterface.call()
  • HttpOnly and secure cookie flags
  • DOM-based XSS
  • XSS exploitation – The BeEF
  • Summary

Module 4: Cross-Site Request Forgery

  • Introducing CSRF
  • Exploiting POST-request based CSRF
  • How developers prevent CSRF?
  • PayPal's CSRF vulnerability to change phone numbers
  • Exploiting CSRF in JSON requests
  • Using XSS to steal anti-CSRF tokens
  • Exploring pseudo anti-CSRF tokens
  • Flash comes to the rescue
  • Summary

Module 5: Exploiting SQL Injection

  • Installation of SQLMap under Kali Linux
  • Introduction to SQLMap
  • Dumping the data – in an error-based scenario
  • SQLMap and URL rewriting
  • Speeding up the process!
  • Dumping the data – in blind and time-based scenarios
  • Reading and writing files
  • Handling injections in a POST request
  • SQL injection inside a login-based portal
  • SQL shell
  • Command shell
  • Evasion – tamper scripts
  • Configuring with proxies
  • Summary

Module 6: File Upload Vulnerabilities

  • Introducing file upload vulnerability
  • Remote code execution
  • The return of XSS
  • Denial of Service
  • Bypassing upload protections
  • MIME content type verification bypass
  • Summary

Module 7: Metasploit and Web

  • Discovering Metasploit modules
  • Interacting with Msfconsole
  • Using Auxiliary Modules related to Web Applications
  • Understanding WMAP – Metasploit's Web Application Security Scanner
  • Generating Web backdoor payload with Metasploit
  • Summary

Module 8: XML Attacks

  • XML 101 – the basics
  • XXE attack
  • XML quadratic blowup
  • Summary

Module 9: Emerging Attack Vectors

  • Server Side Request Forgery
  • Insecure Direct Object Reference
  • DOM clobbering
  • Relative Path Overwrite
  • UI redressing
  • PHP Object Injection
  • Summary

Module 10: OAuth 2.0 Security

  • Introducing the OAuth 2.0 model
  • Receiving grants
  • Exploiting OAuth for fun and profit
  • Summary

Module 11: API Testing Methodology

  • Understanding REST APIs
  • Setting up the testing environment
  • Learning the API
  • Basic methodology to test developer APIs
  • Summary
Benefiti: 
  • Video snimak predavanja u periodu od 180 dana posle kraja obuke

  • Pristup laboratorijama u toku trajanja kursa
  • Materijal u elektronskom obliku

  • Sertifikat o pohađanju kursa

Kontaktirajte nas za više informacija o ceni:

Eccentrix
Office: +381 11 71 38 192
Mobile: +381 69 3138 100
E-mail: Ivana.Velickovic@eccentrix.rs

Milutina Milankovića 9đ,
11070 Novi Beograd
www.eccentrix.rs

Eccentrix
Office: +381 11 71 38 192
Mobile: +381 65 2390 001
E-mail: Jelena.Der@eccentrix.rs

Milutina Milankovića 9đ,
11070 Novi Beograd
www.eccentrix.rs