The access to this course is restricted to Hakin9 Premium or IT Pack Premium Subscription

Who is this course for? 

This course is for anyone who wants to level up their career in application security. The information and knowledge imparted in this course are necessary for anyone who is interested in Bug Bounty hunting, and get their names on halls of fame or earn some rewards from the companies running bounty programs. This course is for you if:

• You want to join bug bounty programs
• You want to perform web application pentesting
• You want to expand your web application hacking arsenal
• You develop applications and want to know how hackers can break them (by breaking them yourself, first)

Why take it NOW? 

Currently, there is an immense need of security consultants in the market in order to provide a better security landscape for web applications, and the demand will grow. In times like these, where the applications and APIs are increasing in numbers day by day, the opportunities opened by learning how to test their securities are growing exponentially as well.

There are tons of applications on the internet, and many of their owners provide awards if vulnerabilities and exploitable loopholes of their application are disclosed responsibly. This process is known as Bug Bounty Hunting. But, in order to perform bounty hunting, one needs to know about the concepts of application security, tools to use, and possess the required mindset to perform the testing.

Why this course? 

Instead of looking all over the internet to find different topics here and there, you can join this course, which contains information about the security of web applications as well as API. There is an immense need to learn about the security loopholes in application, not only to exploit them but to secure them as well. This course will go over the topic in a comprehensive way.

What tools will you use?

The majority of the tools used in this course will be open source. The information about paid/commercial tools will be provided but not used aggressively during the course. The usage of tools is not limited to what is written in the tool list and there will be much more information available about the tools  during the course which can be used for hunting bugs or scanning a web application/API. 

A vulnerable environment for practice and exercise will be provided by the instructor. The vulnerable environment is a single machine which contains all the well known vulnerable environments such as DVWA, WebGoat, WebGoat Dot Net version, XVWA Mutillidae, bwaPP, OWASP Security Shepherd, Bricks, custom environment for SQL Injection and Web Services (API). This will decrease the effort needed by the student to install multiple vulnerable environments. This vulnerable environment will be  provided as an ova file to import in virtualbox.

Most of the applications will be used for demonstration of vulnerabilities so that proper knowledge and understanding of a particular vulnerability over different languages (java, php, ruby, node, dot net) can be provided.

Hosting your own vulnerable lab for practice anywhere will be taught as well. You will also learn how to substitute Spider and Intruder (available in Burp Pro) with free and open source tools.

Course toolbox: 

• Burp Suite Community Edition
• ZAP
• HUD
• Kali Linux
• gobuster
• dirbuster
• fuzzdb
• metasploit
• skipfish
• nikto
• wfuzz
• sqlmap
• nmap
• whatweb
• sparta
• hydra
• arjun
• BeEF
• Wapiti
• Amass
• Sublist3r
• Knockpy
• Eyewitness
• Wayback machine
• Google Dorks
• RedHawk
• galileo
• blackwidow
• xssstrike
• wascan
• optiva framework
• rapidscan
• fuxploider
• paramspider
• jexboss
• w3af
• tidos framework

Note: Only some tools are written in the course content. There will be more tools and scripts used during the work.

What skills will you gain?

• Bug Bounty Hunting
• Testing for OWASP Top 10 vulnerabilities for Web Apps as well as API
• Using a wide range of security tools
• Security consulting
• Create your own arsenal of security tools

What will you learn about?

• The students will learn about security testing of applications as well as the security testing of APIs.
• The necessary tools to perform security testing or bounty hunting and how to use them
• How to perform WAPT or participate in Bug Bounty Hunting programs.

There will be a demo for all the things mentioned in the course. This course will be hands-on most of the time. For each vulnerability, you will first cover the concept and learn how it works, so that you can understand the vulnerabilities and feel confident enough to improvise and innovate during testing. It will also free you from relying solely on the tools for fire power. After we have that covered, a demo for the vulnerability will be presented, followed by a demo with different tools. This will help you prepare yourself and have the required tools in your arsenal before engaging in a bounty hunt or consulting project.

This course was developed in 2020. 

Course format: 

• Self-paced
• Pre-recorded
• Accessible even after you finish the course
• No preset deadlines
• Materials are video, labs, and text
• All videos captioned

What will you need?

• A desktop/laptop with a minimum of 8 GB RAM
• Desktop/Laptop (8GB RAM minimum)
• Virtualbox/VMware 
• Kali Linux ova file (64 bit ova file)
• An active github account to host your own personal lab
• Working internet connection

Notes on setup: 

• Kali Linux ova file is better to use because the iso file might be messy for some students in setting up as some of the debian packages are deprecated recently due to the shift from python2 to python3. Therefore, it is suggested to use the Kali Linux ova file.
• Virtualbox is preferred as it is free to use. Vmware on the other hand is a commercial product.

What should you know before you join?

• At least a familiarity with using Linux
• The student must be familiar with installing software on their own machine

Installing virtualbox and setting it up to work along with the course. The links and documentation will be provided by the instructor.

Covered topics: 

• Kali Linux installation/ova file import
• Importing the vulnerable machine prepared by the instructor
• Setting up Burp Suite
• OWASP Top 10 Overview
• OWASP Testing Guide
• HTTP and HTTPS for web application pentests
• Setting up Burp and Zap to work against HTTPS and HTTP communication
• Testing for HTTP methods
• Response headers and what they mean
• Testing using Burp and testing using Zap in practice
• Differences between Burp and Zap
• Combining Burp Community Edition and Zap to get results as if you were using Burp Pro
• Google Dorks to find vulnerable domains instantly. Combining the dorks with tools to provide a better and faster result.
• Wayback machine
• All the different tools and techniques for finding subdomains

Practical lab: 

• Target skills and knowledge:  Machine setup, Proxy certificate installed on the browser, Spider results on Burp,  old archive result of any website.
• Technique to use - mentioned alongside in the course
• Report - Screenshot of the final output only
• Setting up the lab and testing the connection; Testing Burp, Zap, and Spider.

Workload: 2.5 to 3 hours 

Covered topics: 

• Classic SQL Injection
• Blind SQL Injection
• Boolean SQL Injection
• Using SQLMap
• Using SQLmate to help sqlmap
• NoSQL Injection
• Username and password enum nosql
• Nosqlmap
• SSTI
• IDOR
• LFI/RFI attacks
• File upload
• Time based injection
• Broken access control
• Host header injection
• Command injection
• Killing the process in node leading to denial of service attacks. (Injection attack  in node)
• How to find the parameters for attacks.
• Use nmap, Bust the directories and use the bust result with proxy for manual tests.
• Performing an automated scan using skipfish and wapiti.
• Going old school-Correct way of using w3af framework. (Old but gold)
• Using redhawk, zoom and arachni.
• Taking help from blackwidow- the lady  avenger in action.
• Using open-source tools for scanning the application.
• Solving some of the challenges of online CTF as per the time.

Practical lab: 

• Target skills and knowledge: Boolean injection on WebGoat, sqlmap result against DVWA showing database, broken auth on WebGoat, result of lfi as shown in the class, directory bust on proxy
• Technique – will be shown in the class
• Outcome – screenshot of final result of all goals to be included in the document

Workload: 2.5 hours

Covered topics: 

• XSS-Reflected, Stored
• XSS-DOM
• Using beef and other automated tools for help
• login CSRF, logout CSRF
• CSRF in reality by creating a link
• XXE
• Xpath Injection
• SSRF
• Session flaws
• Captcha Bypass and captcha reading
• Parameter tampering
• HTML Injection
• Session management issues
• Security misconfiguration
• Unvalidated redirect
• LDAP attack on a vulnerable version
• PHP Object  Injection
• Using shodan to find the targets
• Demonstration of various tools and their usage mentioned as per the course details (and even more than the ones mentioned)
• Using metasploit and optiva 
• Exploiting jboss vulnerabilities
• Exploiting file upload vulnerabilities
• A great friend – tidos
• Brute Force attacks
• Buffer overflow in web
• Primer on buffer overflow (not part of web application directly but it is required for understanding the concept)
• Information about the bug bounty platforms and how to work on them

Practical lab: 

• Target skills and knowledge: DOM XSS, CSRF through a link, XXE, captcha bypass, php object injection, setting up metasploit for web applications, bruteforce username and password
• Technique – will be shown in the class
• Outcome – Screenshots of final result of all goals to be included in the document

Workload: 3 hours

Covered topics: 

• API1: Broken object level authorization
• API2: Broken authentication
• API3: Excessive data exposure
• API4: Rate limiting & Lack of resources
• API5: Broken function level authorization
• API6: Mass assignment
• API7: Security misconfiguration
• API8: Injection
• API9: Improper asset management
• API10: Insufficient logging
• WSDL Enumeration
• Billion Laughs
• XPATH injection
• Command injection
• Cross Site Tracing
• SQLi
• XXE
• Cross Origin Resource Sharing
• JSON Web token bypass

Practical lab: 

• Target skills and knowledge: XML external entity result, Parsed wsdl file, Injection, Cross site tracing, JWT leakage, the difference between IDOR and BOLA, Information leakage resulting in login on the application
• Technique – will be shown in class
• Outcome – Screenshot of the goals, difference between IDOR and BOLA, Screenshot of the complete process from information leakage resulting in login

Workload: 2.5 hours