Courses | Technitics Consulting
Web Application & Security
Overview
Most attacks today begin by compromising the target's web application. The goal of this specialty domain is to identify professionals with strong skills in both attacking and securing web applications.
Pre-requisites
- In-depth understanding of web-application architecture.
- Exposure to web application development will add value.
- Understanding of database management systems.
- Thorough knowledge of all the OWASP Top Ten vulnerabilities.
- Experience in programming.
Web Application Security Boot-camps
You can attend in-depth Web Application Security boot-camps offered by ISAC-approved partners.
Program contents:
Introduction to Web Apps & Architecture
Introduction
Components of a web application
Basic Architecture
Static and Dynamic Websites
Web technologies
J2EE, ASP.NET, PHP
Overview of SOAP, XML and Web services
Overview of JSON
Top 10 Web Application Threats (the OWASP Top Ten, 2007 edition)
Cross Site Scripting (XSS)
Injection Flaws
Malicious File Execution
Insecure Direct Object Reference
Cross Site Request Forgery (CSRF)
Information Leakage and Improper Error Handling
Broken Authentication and Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access
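As an added illustration of the "Injection Flaws" item above (this is editorial example code, not part of the course material or the lab), here is a login check written the injectable way beside its parameterised fix. The user table is a constructed in-memory SQLite database, and the passwords are stored in clear text only to keep the injection visible; a real system would store a salted hash (see "Insecure Cryptographic Storage" above).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the course): two users, clear-text passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "correct horse battery staple"), ("alice", "alice-pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Injection flaw: user input is spliced into the SQL text.

    A username of  admin' --  turns the statement into
      ... WHERE username = 'admin' --' AND password = '...'
    so the password clause is commented out and the admin row matches.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text,
    so quotes and comment sequences in the input are just data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "alice-pw"), ("admin' --", "wrong"), ("nobody", "' OR '1'='1")]:
        print(f"{user!r:22} vulnerable={login_vulnerable(db, user, pw)}  safe={login_safe(db, user, pw)}")
```

The comment-based and tautology-based payloads are the two shapes most commonly tried first during the "Data Validation Testing" phase; the parameterised version rejects both while still accepting a genuine credential.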
Web Application Penetration Testing
Information Gathering
Configuration Management Testing
Authentication Testing
Session Management Testing
Authorization Testing
Business Logic Testing
Data Validation Testing
Testing for Denial of Service
Web services testing
AJAX testing
Advanced Application Security
Application Threat Modeling
Secure coding principles for web applications
Security Policies
Using compiler defense mechanisms
Source code analysis
Code Review (Asp.net & J2EE)
Documentation and Reporting Risks.
Lab exam blueprint
The lab exam consists of a "Hacking Challenge". The candidate is given the URL of a target application together with specific challenges to achieve.
Objectives:
- Identify all vulnerabilities present in the web application.
- Exploit the application by any means available to read the contents of a file on the remote system; the file is disclosed to you just before the challenge commences.
- If possible, obtain 'root' / 'Administrator' access on the remote system.
Recommended hands-on tooling
- Web-application vulnerability scanners of your choice.
- Firefox with Plugins of your choice.
- Backdoors of your choice.
- Web-Shells
- Metasploit
Solution Format
At the end of the lab exam, the candidate must submit a report explaining exactly how the 'Hacking Challenge' was solved. It is expected to be as technical as possible, with every step documented.
Report must include -
- Findings
- The challenges you faced
- All the critical vulnerabilities that were found
- The exact penetration approach that was used
- Specific answers as required by the lab
You will be given an answer paper on which the above details have to be provided.