Software Security Institute

Developer 538: Web Application Pen Testing Hands-On Immersion

Overview

In the first half of 2008, five million Web sites were compromised by automated SQL injection attacks. The attackers' goal was to inject links to malicious content into those sites in order to infect the users of the Web application. These automated attacks show no sign of stopping and will likely reach your Web applications in the near future. Don't want to become part of the statistics? Runtime testing is an essential part of securing your Web site. Developer 538 is a two-day course focused on up-to-date, hands-on testing of Web application security.

This fast-paced course is ideal for students who already have a basic understanding of Web application security vulnerabilities and testing methodologies and want to refresh and upgrade their Web application pen testing skills. It is also well suited to infrastructure pen testers who are expanding their testing scope to Web applications. If you will be testing Web applications in the next few months, this course will help you brush up on your Web application security testing knowledge. Whatever your level, it will give you the confidence of knowing that you have hands-on experience testing for common vulnerabilities.

This action-packed, two-day course has a strong hands-on focus: the exercises are designed to give you experience with real-world vulnerabilities. Throughout the two days you will apply a range of testing techniques to vulnerable Web applications. The target applications are as realistic as possible, and the labs are structured so that both novice and intermediate students benefit from them.

Who Should Attend

  • Infrastructure penetration testers who want to expand into pen testing Web applications
  • Developers who want to test their applications for common vulnerabilities
  • QA testers who are responsible for security testing of applications
  • Information security professionals with some background in hacker exploits

Sampling of Exercises

  • Web Fingerprinting
  • Input Manipulation
  • Blind SQL Injection
  • Non-obvious Session Issues
  • Brute Forcing Credentials
  • Cross-Site Scripting
  • Code Review

Laptop

Laptop Required

Students attending this course are required to bring their own, properly configured laptops. There is not enough time in class to help you set up your laptop; it must be fully installed and configured before you arrive.

Minimum hardware requirements:

  • 1GHz processor
  • 512MB RAM (1GB highly recommended)
  • 3GB free hard disk space
  • CD-ROM drive
  • An unused USB slot

A laptop running Windows 2000, XP, or Vista with the latest Service Packs and patches is required. Install the following software on it before class:

  • Java Runtime Environment (JRE) - please download from http://www.sun.com
  • Firefox browser (version 3)
  • Microsoft .NET framework runtime 1.1 (some of the testing tools require it)
  • The Switchproxy extension for Firefox (see below)

Please install VMware Player or VMware Workstation on the laptop (GSX and ESX will not work). VMware Player can be downloaded for free from http://www.vmware.com.

Switchproxy is a Firefox extension that can be installed from https://addons.mozilla.org/en-US/firefox/addon/125. Open that URL in Firefox and click the "Add to Firefox" button on the page.

At the beginning of class you will be given a bootable Linux CD. This CD is booted inside a VMware virtual machine. You must be able to disable the host firewall (Windows Firewall or a third-party firewall) and the anti-virus software running on your laptop, which usually means you need administrative privileges on the machine. The Windows host and the Linux guest need to talk to each other over the VMware virtual network interface; a firewall that blocks this traffic will cause some of the exercises to fail. Because you will be running with the host firewall and anti-virus disabled, use a laptop that holds no sensitive data if you can, and re-enable both as soon as class ends.
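As an added example that is not part of the course page: a PowerShell pre-flight script that checks the hardware and software requirements above on the Windows host. It assumes Windows PowerShell 1.0 or later (available for XP SP2 and Vista, not Windows 2000), an administrative prompt, the vendors' default install paths and registry locations, and it checks only the Windows Firewall standard profile; third-party firewalls, anti-virus and the free USB slot still have to be checked by hand.

```powershell
# Added pre-flight check for the Developer 538 laptop requirements.
# Not part of the course materials. Assumptions: Windows PowerShell 1.0+,
# elevated prompt, default vendor install paths and registry keys.

$failures = 0
function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    if ($Ok) { $tag = "PASS" } else { $tag = "FAIL"; $script:failures++ }
    Write-Host ("[{0}] {1}: {2}" -f $tag, $Name, $Detail)
}

# --- Hardware minimums: 1 GHz CPU, 512 MB RAM (1 GB recommended), 3 GB free disk, CD-ROM ---
$cs    = Get-WmiObject Win32_ComputerSystem
$cpu   = Get-WmiObject Win32_Processor | Select-Object -First 1
$ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
Write-Check "CPU speed" ($cpu.MaxClockSpeed -ge 1000) ("{0} MHz" -f $cpu.MaxClockSpeed)
Write-Check "RAM"       ($ramMB -ge 512) ("{0} MB (1024 MB recommended)" -f $ramMB)

$sysDisk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB  = [math]::Round($sysDisk.FreeSpace / 1GB, 1)
Write-Check "Free disk on $env:SystemDrive" ($freeGB -ge 3) ("{0} GB free" -f $freeGB)

$cdrom = Get-WmiObject Win32_CDROMDrive | Select-Object -First 1
Write-Check "CD-ROM drive" ($cdrom -ne $null) $(if ($cdrom) { $cdrom.Name } else { "none found" })

# --- Required software: JRE, Firefox 3, .NET Framework 1.1, VMware Player/Workstation ---
$java = Get-Command java -ErrorAction SilentlyContinue
Write-Check "Java Runtime Environment" ($java -ne $null) `
    $(if ($java) { $java.Definition } else { "java.exe not on PATH" })

# Assumed default Firefox install path; version must be 3.x for the Switchproxy extension.
$ffExe = Join-Path $env:ProgramFiles "Mozilla Firefox\firefox.exe"
$ffOk = $false; $ffDetail = "not found at $ffExe"
if (Test-Path $ffExe) {
    $ffVer    = (Get-Item $ffExe).VersionInfo.ProductVersion
    $ffOk     = ($ffVer -like "3.*")
    $ffDetail = "version $ffVer (version 3 required)"
}
Write-Check "Firefox 3" $ffOk $ffDetail

# .NET 1.1 registers itself under this NDP key when installed.
$net11 = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322"
Write-Check ".NET Framework 1.1" (Test-Path $net11) $net11

# Assumed default install locations for VMware Player and VMware Workstation.
$vmware = @("VMware\VMware Player\vmplayer.exe", "VMware\VMware Workstation\vmware.exe") |
    ForEach-Object { Join-Path $env:ProgramFiles $_ } | Where-Object { Test-Path $_ }
Write-Check "VMware Player/Workstation" ($vmware -ne $null) `
    $(if ($vmware) { @($vmware)[0] } else { "neither found under $env:ProgramFiles" })

# Host <-> guest traffic goes over the VMware virtual adapters (VMnet1/VMnet8).
$vmnets = @(Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.Name -like "VMware Virtual Ethernet Adapter*" })
Write-Check "VMware virtual network adapters" ($vmnets.Count -gt 0) `
    $(if ($vmnets.Count -gt 0) { [string]::Join(", ", @($vmnets | ForEach-Object { $_.Name })) } else { "none; VMware networking not installed" })

# --- Host firewall: must be off during the labs (standard profile only; XP SP2/Vista key) ---
$fwKey = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
$fwOn  = $true   # assume enabled unless the registry says otherwise
if (Test-Path $fwKey) { $fwOn = ((Get-ItemProperty $fwKey).EnableFirewall -ne 0) }
Write-Check "Windows Firewall disabled for labs" (-not $fwOn) `
    $(if ($fwOn) { "enabled; disable before class and re-enable afterwards" } else { "disabled" })

if ($failures -eq 0) { Write-Host "All checks passed." }
else { Write-Host ("{0} check(s) failed; fix them before class." -f $failures) }
```

Save it as preflight.ps1 and run it from an administrator prompt (on older PowerShell builds the execution policy may need to be set to RemoteSigned first). A FAIL on the firewall line is expected until you turn the firewall off for the labs; turn it back on after class.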

http://www.sans.org/training/laptop.php?tid=2382