WAS
Web Application Security


WAS Course Introduction

Most, if not all, companies have been relying on web applications as a primary means of doing business—from communication with prospects to transactions with customers. Web applications have advanced greatly from static web pages to software applications that allow users to retrieve and submit data, interact with the content on the web pages, and personalise the experience based on each user's preferences. With the emergence of Web 2.0 technologies comes a growing range of attacks that could impact the confidentiality, integrity and availability of web applications and the sensitive information they collect and process.
This course provides in-depth knowledge of Web Application Security—highlighting and analysing the latest threats and mitigations based on the OWASP Top 10. It explains how to conduct a web application penetration test based on an established methodology—from reconnaissance and mapping to vulnerability discovery and exploitation.


WAS Course Objectives

  • To understand how to conduct a web application penetration test
  • To understand how to discover and exploit web application vulnerabilities
  • To understand the impact of a successful exploit and how to protect against these threats


WAS Course Prerequisite

  • None


Target Group

  • Web Application Developers
  • System/Network Administrators
  • IT Auditors
  • Information Security Professionals
  • Anyone interested in learning about Web Application Security


Course Outline of WAS

Day 1

  • Introduction to Web Applications
  • The Hypertext Transfer Protocol (HTTP)
  • Web Application Security Fundamentals
  • OWASP Top 10 Project
  • Web Application Penetration Testing Methodology

Day 2

  • Reconnaissance
  • Whois and Domain Name Services (DNS)
  • Information Gathering with Search Engines
  • Mapping the Web Server and Application
  • Bypassing Client-Side Controls
  • Manipulating Traffic with Intercepting Proxies

Day 3

  • Broken Authentication and Session Management
  • Broken Access Control
  • Directory Traversal and File Inclusion
  • Unvalidated Redirects and Forwards
  • Sensitive Data Exposure
  • SQL Injection

Day 4

  • Other Injection Flaws
  • Cross-Site Scripting (XSS)
  • The Browser Exploitation Framework (BeEF)
  • Cross-Site Request Forgery (CSRF)
  • Business Logic Flaws

Day 5

  • Web Server and Application Misconfiguration
  • Using Components with Known Vulnerabilities
  • Web Server and Application Hardening
  • Asynchronous JavaScript and XML (AJAX) Vulnerabilities
  • Web Services Vulnerabilities
  • Web Application Vulnerability Scanners

11-15 November 2019

Course Level

Intermediate

Duration

5 Days

Tuition Fee

32,000.00 THB

Speaker

A.Panupong Permpimon