The Internet is full of web applications, and no product is 100% perfect. Companies perform functional testing and stress testing to make sure their applications operate smoothly, but to make sure they are secure you need security testing: penetration tests and vulnerability assessments. This course is all about web application penetration testing and finding security holes in those applications. Through concepts, tools, and lots of practice you will train to find them and use that knowledge to make applications more secure. You will be able to apply it in your everyday job, or use it to participate in bug bounty programs!
During the course, we will solve some CTF and other challenges available online as a bonus.
Who is this course for?
This course is for anyone who wants to level up their career in application security. The knowledge imparted here is necessary for anyone interested in bug bounty hunting, whether to get their name on a hall of fame or to earn rewards from companies running bounty programs. This course is for you if:
- You want to join bug bounty programs
- You want to perform web application pentesting
- You want to expand your web application hacking arsenal
- You develop applications and want to know how hackers can break them (by breaking them yourself, first)
Why take it NOW?
Currently there is an immense need for security consultants in the market to improve the security landscape of web applications, and the demand will keep growing. As the number of applications and APIs grows day by day, the opportunities opened by learning how to test their security grow with it.
There are tons of applications on the internet, and many of their owners offer rewards when vulnerabilities and exploitable loopholes in their applications are disclosed responsibly. This process is known as bug bounty hunting. But to hunt bounties, one needs to know the concepts of application security, the tools to use, and the mindset required to perform the testing.
Why this course?
Instead of searching all over the internet for scattered topics, you can join this course, which covers the security of web applications as well as APIs. There is an immense need to learn about security loopholes in applications, not only to exploit them but to secure them as well. This course covers the topic comprehensively.
What tools will you use?
The majority of the tools used in this course are open source. Information about paid/commercial tools will be provided, but they will not be used extensively during the course. Tool usage is not limited to the tool list below; much more information about tools that can be used for hunting bugs or scanning a web application/API will be given during the course.
A vulnerable environment for practice and exercises will be provided by the instructor. It is a single machine containing all the well-known vulnerable applications such as DVWA, WebGoat, WebGoat.NET, XVWA, Mutillidae, bWAPP, OWASP Security Shepherd, Bricks, and a custom environment for SQL injection and web services (APIs). This saves students the effort of installing multiple vulnerable environments. The machine is provided as an OVA file to import into VirtualBox.
Most of these applications will be used to demonstrate vulnerabilities, so that a proper understanding of a particular vulnerability across different languages (Java, PHP, Ruby, Node.js, .NET) can be provided.
Hosting your own vulnerable lab for practice anywhere will be taught as well. You will also learn how to substitute Burp Pro's Spider and Intruder with free and open source tools (Burp Community Edition has no Spider, and its Intruder is heavily rate-limited).
- Burp Suite Community Edition
- Kali Linux
- Wayback Machine
- Google Dorks
- Optiva Framework
- TIDoS Framework
Note: Only some of the tools are listed in the course content. More tools and scripts will be used during the work.
What skills will you gain?
- Bug Bounty Hunting
- Testing for OWASP Top 10 vulnerabilities in web apps as well as APIs
- Using a wide range of security tools
- Security consulting
- Building your own arsenal of security tools
What will you learn about?
- Security testing of applications as well as security testing of APIs
- The necessary tools to perform security testing or bounty hunting and how to use them
- How to perform web application penetration testing (WAPT) and participate in bug bounty programs
There will be a demo of everything mentioned in the course, and the course is hands-on most of the time. For each vulnerability you will first cover the concept and learn how it works, so that you understand the vulnerability and feel confident enough to improvise and innovate during testing; this also frees you from relying solely on tools for firepower. After that, a demo of the vulnerability will be presented, followed by a demo with different tools. This will help you have the required tools in your arsenal before engaging in a bounty hunt or consulting project.
Course general information:
COURSE IS SELF-PACED, AVAILABLE ON DEMAND
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What will you need?
- A desktop/laptop with a minimum of 8 GB RAM
- Kali Linux OVA file (64-bit)
- An active GitHub account to host your own personal lab
- Working internet connection
Notes on setup:
- The Kali Linux OVA file is the better choice because setup from the ISO file can be messy for some students, as some Debian packages were recently deprecated due to the shift from Python 2 to Python 3. Therefore, the Kali Linux OVA file is suggested.
- VirtualBox is preferred as it is free to use; VMware, on the other hand, is a commercial product.
What should you know before you join?
- At least some familiarity with using Linux
- Students must be able to install software on their own machine
Your instructor: Mukul Kantiwal
My name is Mukul Kantiwal and I work as a Security Analyst for a privately owned organization. I am listed in the top 100 hackers across the globe on ringzer0team. I have 3+ years of experience in the field of information security and have worked on web apps, mobile apps, APIs, networks, thick clients, RFID, etc. I have recently started a YouTube channel named “The Cyber Ground” where I plan to show different types of techniques and post tutorials about web application security and API security. Feel free to reach out if you have a topic in mind on which I should prepare some content.
Apart from researching things in the cyber security domain, I sometimes write poetry and have a small poetry blog named poetground (https://www.poetground.com/). If any reader is interested in posting poetry of their own, do reach out to me!
Installing VirtualBox and setting it up to work along with the course. The links and documentation will be provided by the instructor.
Application security and setting up the lab
To move along with the instructor, everyone needs to be on the same page, so setting up the lab and learning to use it is important. We will also have an overview of the OWASP Top 10 and the OWASP Testing Guide to set the foundation for practical testing in later modules.
- Kali Linux installation / OVA file import
- Importing the vulnerable machine prepared by the instructor
- Setting up Burp Suite
- OWASP Top 10 Overview
- OWASP Testing Guide
- HTTP and HTTPS for web application pentests
- Setting up Burp and ZAP to work against HTTPS and HTTP communication
- Testing for HTTP methods
- Response headers and what they mean
- Testing using Burp and testing using ZAP in practice
- Differences between Burp and ZAP
- Combining Burp Community Edition and ZAP to get results as if you were using Burp Pro
- Google Dorks to find vulnerable domains instantly, and combining dorks with tools for better and faster results
- Wayback Machine
- The different tools and techniques for finding subdomains
- Target skills and knowledge: machine setup, proxy certificate installed in the browser, Spider results in Burp, old archive results for a website
- Technique to use: mentioned alongside in the course
- Report: screenshot of the final output only
- Setting up the lab and testing the connection; testing Burp, ZAP, and Spider
Workload: 2.5 to 3 hours
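The items on HTTP methods and response headers above are checks you repeat on every target, so here is an added example (written for this page, not part of the course material) that turns them into code: risky_methods() flags methods from an Allow header that warrant manual follow-up, audit_headers() reviews a captured header set for the security headers you would look for in Burp's or ZAP's response pane, and probe_methods() issues a live OPTIONS request. The two header sets are constructed samples, not captures from any real host, and the one-year HSTS minimum is the commonly recommended value, not something the course prescribes.

```python
import re
from http.client import HTTPSConnection

# Constructed sample responses (not captured from any real host): a weak
# configuration as you might see in a lab app, and a hardened one.
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Allow": "GET, HEAD, POST, OPTIONS, TRACE, PUT",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Set-Cookie": "PHPSESSID=abc123; Path=/",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Allow": "GET, HEAD, POST, OPTIONS",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

# Methods worth a manual test when a server advertises them: TRACE enables
# cross-site tracing, PUT/DELETE may allow writing or removing resources.
DANGEROUS_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}
ONE_YEAR = 31536000


def risky_methods(allow_header):
    """Return the advertised methods that deserve a manual follow-up, sorted."""
    listed = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(listed & DANGEROUS_METHODS)


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names are case-insensitive)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp:
                findings.append(f"CSP allows {weak}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Either header stops framing; only complain when neither is present.
    if "x-frame-options" not in h and (csp is None or "frame-ancestors" not in csp):
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")

    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header leaks version: {server}")

    cookie = h.get("set-cookie")
    if cookie is not None:
        # Attributes follow the first "name=value" pair, separated by ';'.
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in attrs:
                findings.append(f"cookie missing {label} flag")

    return findings


def probe_methods(host, path="/"):
    """Live check (network): OPTIONS request, returns the Allow header or ''. Use on your lab only."""
    conn = HTTPSConnection(host, timeout=10)
    try:
        conn.request("OPTIONS", path)
        return conn.getresponse().getheader("Allow") or ""
    finally:
        conn.close()


if __name__ == "__main__":
    for finding in audit_headers(WEAK_HEADERS):
        print("[weak]", finding)
    print("risky methods:", risky_methods(WEAK_HEADERS["Allow"]))
    print("hardened findings:", audit_headers(HARDENED_HEADERS))
```

Run it as-is to see the seven findings for the weak sample and none for the hardened one; to use it against the lab machine, feed the Allow header returned by probe_methods("your-lab-host") into risky_methods().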
OWASP TOP 10 - Part 1
In this module you will get started with the OWASP Top 10; specifically, you will train in depth with various forms of injection. This class of vulnerabilities is very common and comes in many shapes and sizes. We will use a variety of tools to perform multiple injection attacks, starting with SQL injection and finishing with command injection. We'll also take some time to solve CTF challenges using these vulnerabilities.
- Classic SQL Injection
- Blind SQL Injection
- Boolean-based SQL Injection
- Using sqlmap
- Using SQLmate to help sqlmap
- NoSQL Injection
- Username and password enumeration via NoSQL injection
- LFI/RFI attacks
- File upload
- Time-based injection
- Broken access control
- Host header injection
- Command injection
- Killing the process in Node.js, leading to denial of service (injection attack in Node.js)
- How to find the parameters for attacks
- Using nmap, busting directories, and using the bust results with the proxy for manual tests
- Performing automated scans using skipfish and wapiti
- Going old school: the correct way of using the w3af framework (old but gold)
- Using RED HAWK, zoom, and Arachni
- Getting help from BlackWidow, the lady avenger in action
- Using open-source tools for scanning the application
- Solving some online CTF challenges, time permitting
- Target skills and knowledge: Boolean injection on WebGoat, sqlmap results against DVWA showing the database, broken auth on WebGoat, LFI results as shown in class, directory bust through the proxy
- Technique – will be shown in class
- Outcome – screenshots of the final result of all goals, to be included in the document
Workload: 2.5 hours
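The classic, Boolean-based, and time-based SQL injection items above differ mainly in what the application leaks back, so here is an added example (written for this page, not course code) of the Boolean-based blind technique that sqlmap automates. A deliberately vulnerable lookup that only answers True/False serves as the oracle, and the extraction loop recovers a field one character at a time; the parameterised version of the same lookup shows why the loop then returns nothing. The in-memory SQLite database, its two users, and the recovered password are all constructed for the demo. A time-based attack is the same loop with a SLEEP()-style condition and the response time as the oracle; SQLite has no sleep function, so only the Boolean form is shown.

```python
import sqlite3

# Constructed in-memory database standing in for a lab application's backend.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cr3t"), ("alice", "wonderland")],
    )
    conn.commit()
    return conn


def user_exists_vulnerable(conn, username):
    """Deliberately vulnerable: input is concatenated into SQL. The caller only
    learns True/False, which is exactly the oracle a blind injection needs."""
    sql = "SELECT id FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username):
    """Parameterised query: the input can never change the query's structure."""
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def boolean_blind_extract(oracle, column, table, where, max_len=32,
                          charset="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Recover one field a character at a time through a True/False oracle.

    Each probe keeps the WHERE clause true for a known user ('admin') and ANDs
    a condition on one character of the targeted value; the trailing '-- '
    comments out the closing quote the application appends.
    """
    recovered = ""
    for position in range(1, max_len + 1):
        for ch in charset:
            payload = "admin' AND substr((SELECT %s FROM %s WHERE %s),%d,1)='%s'-- " % (
                column, table, where, position, ch)
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of the value, or the oracle is not injectable
    return recovered


if __name__ == "__main__":
    db = build_db()
    # Classic authentication bypass against the vulnerable query.
    print("bypass works:", user_exists_vulnerable(db, "x' OR '1'='1"))
    print("bypass blocked:", not user_exists_safe(db, "x' OR '1'='1"))
    # Blind extraction of admin's password through the Boolean oracle.
    print("extracted:", boolean_blind_extract(
        lambda p: user_exists_vulnerable(db, p), "password", "users", "username='admin'"))
```

The charset is deliberately small to keep the demo fast; against a real target you would widen it (or bisect on the character code, as sqlmap does) and add the uppercase and punctuation ranges.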
OWASP top 10 - Part 2
In this module you will continue to train your testing skills with the OWASP Top 10. We'll look at the advanced aspects of attacks like XSS, XXE, brute forcing, buffer overflows, and many more, using a variety of tools to find, test, and exploit these vulnerabilities.
This is where the fun really takes off!
- XSS: reflected, stored, and DOM-based
- Using BeEF and other automated tools for help
- Login CSRF and logout CSRF
- CSRF in reality, by creating a link
- XPath Injection
- Session flaws
- CAPTCHA bypass and CAPTCHA reading
- Parameter tampering
- HTML Injection
- Session management issues
- Security misconfiguration
- Unvalidated redirects
- LDAP attacks on a vulnerable version
- PHP Object Injection
- Using Shodan to find targets
- Demonstration of the various tools mentioned in the course details and their usage (and more than the ones mentioned)
- Using Metasploit and Optiva
- Exploiting JBoss vulnerabilities
- Exploiting file upload vulnerabilities
- A great friend: TIDoS
- Brute-force attacks
- Buffer overflows in web applications
- Primer on buffer overflows (not directly part of web application security, but required for understanding the concept)
- Information about the bug bounty platforms and how to work on them
- Target skills and knowledge: DOM XSS, CSRF through a link, XXE, CAPTCHA bypass, PHP object injection, setting up Metasploit for web applications, brute-forcing usernames and passwords
- Technique – will be shown in class
- Outcome – screenshots of the final result of all goals, to be included in the document
Workload: 3 hours
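The XSS and CSRF items above (reflected/stored XSS, login and logout CSRF, "CSRF in reality by creating a link") are easiest to see side by side, so here is an added example written for this page rather than taken from the course: a vulnerable comment renderer next to its encoded form, the tester-side check for an unencoded reflection, and a logout handler that a plain link can trigger next to one that demands POST plus a session-bound synchronizer token. The application secret, the session store, and the shop.example host are constructed for the demo.

```python
import hashlib
import hmac
import html

# Constructed application secret; a real app loads this from its configuration.
APP_SECRET = b"constructed-demo-secret"

# --- XSS -------------------------------------------------------------------

def render_comment_vulnerable(comment):
    """Deliberately vulnerable: user text is dropped straight into the HTML
    body, so a stored comment or a reflected parameter can carry script."""
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment):
    """Encode for the HTML text-node context. Attribute, URL and JavaScript
    contexts each need their own encoder; html.escape alone is not enough there."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


def reflected_unencoded(body, probe):
    """Tester-side check: does a probe containing HTML metacharacters come back
    byte-for-byte rather than encoded? That marks the parameter for manual XSS testing."""
    return probe in body and html.escape(probe, quote=True) not in body


# --- CSRF ------------------------------------------------------------------

def csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC(secret, session id)."""
    return hmac.new(APP_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def logout_vulnerable(sessions, session_id, method, form):
    """Deliberately vulnerable: any request ends the session, so a link such as
    https://shop.example/logout (constructed host) placed in an <img> tag or an
    email logs the victim out as soon as their browser fetches it (logout CSRF)."""
    sessions.pop(session_id, None)
    return True


def logout_safe(sessions, session_id, method, form):
    """Require a state-changing verb and a valid per-session token, compared in constant time."""
    if method != "POST":
        return False
    submitted = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(submitted.encode(), csrf_token(session_id).encode()):
        return False
    sessions.pop(session_id, None)
    return True


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print("vulnerable page reflects probe:", reflected_unencoded(render_comment_vulnerable(probe), probe))
    print("safe page reflects probe:", reflected_unencoded(render_comment_safe(probe), probe))
    sessions = {"s1": "alice"}
    print("logout via plain link:", logout_vulnerable(sessions, "s1", "GET", {}))
    sessions = {"s1": "alice"}
    print("GET logout blocked:", not logout_safe(sessions, "s1", "GET", {}))
    print("POST with token:", logout_safe(sessions, "s1", "POST", {"csrf_token": csrf_token("s1")}))
```

Login CSRF is the mirror image of the logout case (the attacker's link signs the victim into the attacker's account) and is closed by the same token check on the login form; SameSite cookie attributes add a second layer but do not replace the token.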
API Security (API Top 10)
In this module, you will see how to test API security.
We will go through the OWASP API Security Top 10 (2019 edition), diving deep into each vulnerability to understand and exploit it. Other advanced techniques for attacking APIs, such as XPath injection, will be presented as well.
- API1: Broken object level authorization
- API2: Broken user authentication
- API3: Excessive data exposure
- API4: Lack of resources & rate limiting
- API5: Broken function level authorization
- API6: Mass assignment
- API7: Security misconfiguration
- API8: Injection
- API9: Improper assets management
- API10: Insufficient logging & monitoring
- WSDL enumeration
- Billion Laughs (XML entity expansion)
- XPath injection
- Command injection
- Cross-Site Tracing (XST)
- Cross-Origin Resource Sharing (CORS) misconfigurations
- JSON Web Token (JWT) bypass
- Target skills and knowledge: XML external entity result, parsed WSDL file, injection, cross-site tracing, JWT leakage, the difference between IDOR and BOLA, information leakage resulting in login to the application
- Technique – will be shown in class
- Outcome – screenshots of the goals, the difference between IDOR and BOLA, and a screenshot of the complete process from information leakage to login
Workload: 2.5 hours
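Two of the assignment goals above, JWT bypass and the IDOR/BOLA distinction, fit in one added example (written for this page; not course code and not any library's implementation). The JWT part mints an HS256 token the way a legitimate API would, then forges an alg=none token and shows a verifier that honours the attacker-chosen algorithm beside one that pins HS256 server-side. The BOLA part shows an /accounts/{id} handler that checks authentication but not ownership (API1, which OWASP notes is also known as IDOR: the classic name for the same object-reference flaw) beside one that does. The signing key, the account records, and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key standing in for the API's real key.
SECRET = b"constructed-demo-key"

# Constructed object store: the records an API exposes as /accounts/{id}.
ACCOUNTS = {
    "101": {"owner": "alice", "balance": 50},
    "102": {"owner": "bob", "balance": 900},
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":")).encode()


def _hs256(header_b64, body_b64, key):
    return hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()


def issue_token(claims, key=SECRET):
    """Mint an HS256 JWT the way the legitimate API would."""
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    body = _b64url(_json(claims))
    return f"{header}.{body}.{_b64url(_hs256(header, body, key))}"


def forge_alg_none(claims):
    """Attacker side: an unsigned token that asks the verifier to skip signature checks."""
    header = _b64url(_json({"alg": "none", "typ": "JWT"}))
    return f"{header}.{_b64url(_json(claims))}."


def verify_vulnerable(token, key=SECRET):
    """Deliberately vulnerable: trusts the alg field, which the token's author controls."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))
    if hmac.compare_digest(_hs256(header_b64, body_b64, key), _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(body_b64))
    return None


def verify_safe(token, key=SECRET):
    """Pin the algorithm server-side and treat every part of the token as untrusted input."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_hs256(header_b64, body_b64, key), signature):
        return None
    return json.loads(_b64url_decode(body_b64))


def get_account_vulnerable(claims, account_id):
    """BOLA / IDOR: the caller is authenticated, but nothing checks it owns account_id."""
    return ACCOUNTS.get(account_id)


def get_account_safe(claims, account_id):
    """Object-level authorization: the record must belong to the subject in the verified claims."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != claims.get("sub"):
        return None  # answer 404/403 without revealing whether the id exists
    return account


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "bob"})
    print("vulnerable verifier accepts alg=none:", verify_vulnerable(forged))
    print("safe verifier accepts alg=none:", verify_safe(forged))
    alice = verify_safe(issue_token({"sub": "alice"}))
    print("alice reads bob's account (vulnerable):", get_account_vulnerable(alice, "102"))
    print("alice reads bob's account (safe):", get_account_safe(alice, "102"))
```

When testing, the two checks map to two requests: replay a captured token with its header changed to alg=none (and the signature removed), and replay a valid token against another user's object id; the first probes API2, the second API1.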
Multiple choice test, 25 questions.
To pass the course you need to pass all module assignments.
If you have any questions, please contact our eLearning Manager Marta at [email protected].