Training


Web applications have overtaken desktop applications, largely because they are easy to distribute, and they have been widely adopted.

In addition, a significant share of the applications exposed to the internet are web applications. Even desktop and mobile applications that are not themselves web applications use the HTTP protocol, which is a core part of the web application architecture.

Web applications have a multi-layered architecture, which makes web application infrastructures more complex than those of ordinary desktop applications.

For all these reasons, web applications are among the favorite targets of attackers.

In the web application penetration testing training, participants learn about the vulnerabilities that may be encountered in web applications, how to identify these vulnerabilities, and the methods for remediating them.

The web application penetration testing training also aims to give prospective mobile application pentesters the background knowledge they need about web technologies and their vulnerabilities.


Training Details

Participants should have fundamental knowledge of web technologies (such as HTML, JavaScript, and a web application development language) and database technologies (such as SQL).

  • Web Application Architecture
    • Web browser
      • HTML
        • Important HTML Tags
        • HTML Encoding
      • JavaScript
        • Encoding
        • Obfuscation
        • Minify/Beautify
        • Debugging JavaScript
        • jQuery
      • CSS and Other Files
      • Applet
    • Web Server
    • Application Server
    • Databases and Other Systems
  • Network Service Applications
    • TCP/IP Model
    • UDP
    • A Simple HTTP Service Example
    • DNS
  • HTTP Protocol
    • Methods
    • Status Codes
      • Security-Important Response Headers
    • User Authentication Methods (Basic, NTLM, etc.)
    • Headers
      • Cookie and Its Usage
  • HTTPS Protocol
    • Concepts of Cryptography
    • Symmetric and Asymmetric Cryptography
    • Hybrid Encryption (SSL)
    • Technical Description of the Certificate
    • Certificate Controls
    • Man In the Middle (MITM) Methods
  • Attacks on the Web Server Layer
  • XSS (Cross Site Scripting) Vulnerabilities
    • Reflected XSS Vulnerabilities
    • Stored XSS Vulnerabilities
    • DOM Based XSS Vulnerabilities
  • Access Control Vulnerabilities
    • Vertical Unauthorized Access
    • Horizontal Unauthorized Access
    • User Enumeration
    • Other Access Control Vulnerabilities
    • Insecure Access to Static Content
  • Directory Traversal Vulnerabilities
  • Bypassing Client-Side Controls
  • Local/Remote File Inclusion
  • Application Server Management Vulnerabilities
  • Session Management Vulnerabilities
    • Session Fixation
    • Session Parameter Randomness Analysis
    • Safe Logout Function Errors
  • Cookie Risks
    • Cookie Features
    • Persistent Cookies
  • File Upload Risks
  • CSRF Attacks
  • Redirection Vulnerabilities
  • URL and Referer Headers
  • HTML Comment
  • Application Server Layer Injection Vulnerabilities
    • (Operating System) Command Injection
    • Code Injection
  • SQL Injection Attacks
    • Why SQL Injection Works
    • Blind SQL Injection
    • Using Sqlmap
  • XPATH, LDAP, SMTP Injection
  • Web Services
    • SOAP Injection
  • Logic Errors and Abuse Scenarios
    • Abusing Message Sending Function
    • File Upload Errors
    • Resource-Consuming Functions
    • Vertical Unauthorized Access
    • Horizontal Unauthorized Access
    • User Enumeration
    • Access to Content
    • Insufficient Password Policy
  • Load Testing with JMeter (DDoS Attack Method)
  • Compromising the Operating System
    • SQL Injection Scenario
    • Directory Traversal Scenario
    • File Upload Scenario
  • Web Applications Penetration Testing Methodology
    • Mapping Application Content
    • Application Functionality and Technology Analysis
    • Session Management Tests
    • User Authentication Tests
    • Bypassing Client-Side Controls
    • Access Control Tests
    • Fuzzing All Parameters
    • Application-Specific Attack Vector Tests
    • Logic Errors
    • Other Server Layer Tests
  • Secure Software Development Methodologies
    • Touchpoints, SDL, CLASP
    • Functionality and Risk Assessment
  • Use of Burp Suite Modules
    • Target
    • Proxy Settings
    • Proxy History
    • Spider
    • Scanner
    • Intruder
    • Repeater
    • Sequencer
    • Decoder
    • Comparer
    • Extender
    • Backend Scanning
    • Using Macros
      • Bypassing CSRF Control
      • Bypassing Other Limiting Controls

Duration: 3 Days

Location: Istanbul

  • All participants are entitled to a CERTIFICATE OF PARTICIPATION
  • Participants who successfully complete the assessment exam / CTF cases are entitled to a TRAINING CERTIFICATION