Web Application Security Testing
Duration: 7 Days, 42+ hrs. | Instructor-led Classroom | 70%+ Hands-On
Cloud based Lab | ‘Web Application Security Defender’ Certificate Attempt
Aligned with OWASP Top 10 (2017) Risks, Testing Guide (v4) & Recommended Practices
Hack2Secure's Workshop on Web Application Security Testing provides hands-on exposure in a simulated lab environment, which is required for understanding and 'manual' analysis of different web security risks and attack vectors.
Scoped around the OWASP Top 10 (2017) Web Application Security Risks and the OWASP Testing Guide, these intensive, practice-oriented sessions provide a deep dive into the testing tips and tricks required to evaluate, test and assess web application security flaws.
Key Take Away
  Injection Attacks | SQL, Command, OS Inj.
  Cross Site Scripting (XSS)
  Cross Site Request Forgery (CSRF/XSRF)
  Broken Authentication & Access Control
  Session Management and related Attacks
  XML External Entities (XXE)
  Client-Side Attacks
  Web Reconnaissance
  Google Hacking
  Spidering, Finger Printing & Scanning
  Web Application Filters & Firewalls
  Burp Suite & Zed Attack Proxy (ZAP)
  Nmap, NetCat, Recon-Ng
  XSSer, SqlMap, Nikto, W3af
What You Will Receive
  Instructor Led Class Room Sessions
  Soft Deliverables: Slides, E-books, Reference Materials
  Complimentary access to Self-Paced Sessions
  WASD Cert Attempt Voucher: 1 Attempt, 6 months Validity; Globally Delivered & Proctored across Pearson VUE Test Centers
  Online Lab Access: Cloud Based | 30 Days Access
  Opportunity to present a Security Article/Whitepaper, to be published on the H2S Portal
  Training Completion Certificate
  Post Session Technical Support: Email based, with the Instructor
Schedule
  Duration: 42+ Hrs | 7 Days
  Date: 21st May 2018 – 27th May 2018
  Time: 10:30 AM – 5:30 PM
Venue
  Aloft Bengaluru Cessna Business Park
  Cessna Business Park, Sarjapur – Marathahalli Outer Ring Road, Kadubeesanahalli, Bellandur Post, Bengaluru, Karnataka 560103
  Google Map: https://goo.gl/maps/ywFGStZh1F72
Other (Inclusions)
  Tea, snacks, Lunch Buffet
  Goodies!!
For more details, www.hack2secure.com | training@hack2secure.com
Program Scope & Curriculum

Module#1: Building the Base [Concepts, Processes & Methodologies]
  Web Application Security: Introduction
  Proxy Servers
    o Burp Suite, Zed Attack Proxy (ZAP)
  HTTP Protocol
    o History, Versions, Status Codes
    o Request & Response Analysis
  SSL/TLS Protocol
    o PKI: Introduction, Digital Certificates
    o About SSL/TLS, Handshake Process
    o Testing methods
  About OWASP
    o Top 10 Web Application Security Risks: Root Cause, Practical Analysis, Recommended Best Practices
    o Application Security Testing Framework
    o Web Application Testing Guide: Components & Scope

Module#2: Casual Leakage Points [Reconnaissance]
  Importance of Information Gathering
    o DNS Protocol: Overview, Analysis & Scan
  Open Source Intelligence
  Exploring Google Search (Google Hacking)
    o Keywords & Filters, Google Hacking Database
  Website Mirroring: HTTrack
  Exploring Internet Connected Devices: Shodan
  Tools: TheHarvester, Recon-Ng

Module#3: Looking for Entry Points [Scanning, Fingerprinting & Spidering]
  Web Scanning: Identify Ports & Services
    o Nmap, Nikto
  Fingerprinting, Spidering/Crawling
  Web Application Fuzzing: Directory Browsing

Module#4: Analyzing A.A.A. Concerns
  Authentication
    o About, Types, Different Schemes
    o Password Policies, Cracking Passwords
  Authorization
    o About, Access Control Types
    o Privilege Escalation Attack
    o Insecure Direct Object References
  Accountability
    o About, Secure Logging Practices

Module#5: Session Management
  "Sessions" & Tracking Methods
  Attacks on Sessions
    o Fixation, Hijacking, Tampering
  Securing Cookies & Headers
  Cross Site Request Forgery (CSRF)
    o About, how it happens, Attack Scenarios
    o Myths & Defensive Measures: CSRF Tokens, Double Submit Cookies

Module#6: Injection Attacks
  SQL Query: Primer
  SQL Injection (SQLi)
    o About, Root Cause, Types & Analysis
    o Different Attack Scenarios
    o Automated Tool: SQLMap
  Command Injection
    o About, Root Cause, Attack Scenarios
  [Local/Remote] File Inclusion Vulnerability

Module#7: Cross Site Scripting (XSS)
  Same Origin Policy, Document Object Model
  XSS
    o Overview, Types & Analysis
    o Different Attack Scenarios
    o Automated Tool: XSSer
  HTML Injection
    o About, Root Cause, Attack Scenarios

Module#8: Web Services & APIs
  Web Services
    o About, Security Testing Requirements
  Explore JSON & AJAX
    o Usage and Features
  Web Security Attacks with SOAP Queries
    o SQLi & Command Injection
  XSS in AJAX & JSON Objects

Module#9: Web Filters and Firewall (WAF)
  Web Application Defenses: Filtering & Firewall
  Filtering
    o .NET & ESAPI Filtering Options
  Web Firewall: Types, Detection, Attack methods

Module#10: Buffer Overflow Attacks
  Stack & Heap Overflow
  Format String Vulnerability
Who Should Attend
  Working Professional
    o Looking to explore and adopt Web/Software Security Testing Practices
    o Looking to learn Web/Software Security Testing Tools, Techniques & Practices
  Fresh College Graduate / Student
    o Looking to learn skills & build a career in the Web Security Domain
  Anyone
    o Looking to explore Web Security concerns and attack scenarios
  Software/Application Development Team
    o QE/QA, Leads
    o Developers, looking to get awareness of different Web/Software Attack Scenarios
    o Analysts, Architects, Consultants, looking to explore Web Security Risk & Impact analysis
  Security Team/Office
    o Security Practitioners
    o Penetration Testers, Ethical Hackers
    o Engineers, Analysts
Pre-Requisites
Good to Have
o Basic Working knowledge of the Linux Command Line
o Basic awareness of different Web Security Attacks
Online Lab Layout
Cloud Based | Independent Setup for Each Participant | Accessible for 30 Days
Lab topology (shown as a diagram in the original): a Vulnerable Web Server (Target Machine), a Linux Machine and the Candidate Machine (Client/Attacker), with SSH (In & Out) and RDP (In & Out) access between the candidate and the lab machines.
Candidates need to bring their own laptop to access the Online Lab Environment.
Recommended System Hardware
4 GB RAM or higher | CPU: 2.0 GHz+ | 10 GB Free Hard Disk Space | Wireless Adapter | USB Port
Any Windows, Linux or Macintosh Computer
Software
Any SSH client, e.g. PuTTY
Any Remote Desktop (RDP) client
Web Application Security Defender
Evaluate your Web Security Essential Knowledge & Skills
Globally Available | Proctored | 180 mins. | 90 MCQ | Passing Grade: 60% | Exam Language: English
The Web Application Security Defender (WASD) Certificate program evaluates an individual's implementation-level skills required for Web Application Security Assessment. It checks the candidate's awareness of application security challenges, risks, tools, techniques and methodologies, together with hands-on practical knowledge and skills.
WASD is based on application security industry standards and best practices, and verifies knowledge and understanding of secure web application assessment requirements. It walks through the different phases/domains of application security testing and provides the practical strategies and methodologies required to evaluate security at every level.
Benefits
  Validates your practical expertise and knowledge in Web Application Security Assessment
  Get Global Recognition and Credibility
  Ensures Real Time skills required to handle Web Application Security Risk
  Demonstrate knowledge of Industry Standards and Best Practices
  Ensures effective skills to measure and implement Security Controls
An attempt at the WASD Exam is included as part of the Web Application Security Testing Training Program from Hack2Secure.
  1 Attempt | 6 months Voucher Validity
  Delivered globally at Pearson VUE Authorized Test Centres
  To Schedule WASD Exam, www.pearsonvue.com/hack2secure
For more details, visit www.hack2secure.com/wasd
www.hack2secure.com | certificate@hack2secure.com
About Hack2Secure
Hack2Secure specialises in the "Information Security" domain and offers customised IT Security programs, including Training, Services and Solutions. Our programs are designed by industry experts and tailored to specific needs. We help students, professionals and companies with the knowledge, tools and guidance required to be at the forefront of a vital and rapidly changing IT industry.
InfoSec Training & Certification
Hack2Secure delivers intensive, immersive security programs designed to teach the practical steps necessary for defending systems against dangerous security threats.
Our wide range of fully customisable training sessions allows individuals to explore different aspects of Information Security according to industry requirements and best practices.
All H2S training programs are accompanied by a globally delivered and proctored Professional Certification Program with Pearson VUE.
End-to-End InfoSec Services
Hack2Secure offers IT Security professional services that help organisations stay ahead of security threats through adaptive and proactive security methods, such as:
Evaluating & Implementing Secure Software Development Life Cycle within an organization
Secure Application Design Review, Threat Modeling
Application Security Testing
Network/Infrastructure Risk Assessment
Consultation
Hack2Secure featured as:
  25 Fastest Growing Cyber Security Companies in India (Source: The CEO Magazine, India)
  10 Best Security Companies in India: 2017 (Source: Silicon Review Magazine, India)
  Excellence in Security Training Programmes (Source: GDS Review Magazine)
Phone: +91 900 81 786 76 | +91 900 83 786 76
www.hack2secure.com | info@hack2secure.com