Breaking Web Application Security

I am extremely excited to offer this course in security testing to individuals and companies. The goal of the course is to give students the information they need to begin performing web application penetration tests professionally, whether as internal security staff or as independent consultants. The course is taught at security events and privately at companies, and an online version for individuals will be available shortly. Here is what the course covers.

Course Description

Learn how to perform professional penetration tests of web applications from start to finish. The goal of Breaking Web Application Security is to prepare you to scope and perform quality penetration tests of web applications. While the class focuses primarily on the technical skills required for web app testing, you will also learn the business skills needed to run your own engagements: how to scope an assessment, set a price for the engagement, and write a statement of work to get hired for the job. You will also receive documents that support you in this process.

The bulk of the class is hands-on work against target applications. The main target is OWASP Juice Shop, selected because it is more realistic than most deliberately vulnerable applications: you will learn to test an application that looks and functions like a real one. In the end you will walk away with information you can start using when you get back to the office, or when you begin doing penetration testing on your own.

What you will learn:

  • How to scope the penetration test and create your proposal
  • How to use Burp Suite Professional
  • Discovering application functionality via mapping
  • How to find application vulnerabilities and perform exploitation
  • How to write professional reports for your clients

What you will receive:

  • Class virtual machine with tools and target applications
  • Questions to ask when scoping a penetration test
  • Spreadsheet to help calculate an assessment price
  • Template for a statement of work
  • Kick Off Call Agenda
  • Templated services agreement

Student Reviews

“I love that this class gave me a list of action items that I will be able to explore and try immediately. The class was presented in an easy to follow manner that built a great framework to apply on web app pen testing. Thank you!”

Jeff M.

“This is a solid course covering all the stages of application security testing. Jason does a great job bringing his applied experience and knowledge in explaining these topics; the combined materials and lab environment are good resources. I’d recommend this course to anyone wanting to learn more about application security testing.”

Mark C.

“Breaking Web Application Security course by Jason Wood is an excellent training opportunity, whether you are a noob like me, or a veteran of the security space. It covered end-to-end expectations of performing Penetration Testing, inside your current company, or as a third-party consultant. The labs were beneficial to the material covered, and he provided resources to continue to expand the knowledge and skills you learned during the course. Highly recommend this training course.”

Steve M.

Course Outline

Day 1

  • Class Overview
  • Introduction to Lab Environment
    • Exercise: VM Walkthrough
  • Technical Foundations
    • HTTP and HTTPS
    • Web Proxies
      • Exercise: Setting up the Proxy
    • Encoding Methods
      • Exercise: Burp Decoder
    • Web Services and APIs
  • Testing Methodology
    • Purpose of Methodology
    • Class Methodology
    • Moving Between Phases
    • Documenting Your Work
  • Pre-Engagement Interactions
    • Scoping a Penetration Test
    • Statement of Work
    • Legal Requirements
    • Kick Off Call
  • Reconnaissance
    • Goals of Reconnaissance
    • Discovering Employees
    • Finding Relevant Information
    • Looking for Source Code
    • Exercise: Recon of MetaTechnix
  • Application Mapping
    • Mapping the Application
    • Exercise: Determining the Tech Stack
    • Using Burp Spider
    • Exercise: Map OWASP Juice Shop
  • Vulnerability Discovery and Exploitation
    • Application Infrastructure
    • Client Side Controls
      • Exercise: Client Side Controls
    • Authentication
      • Exercise: Username Harvesting
      • Exercise: Brute Force Account Login

Day 2

  • Vulnerability Discovery and Exploitation continued
    • Session Management
      • Exercise: JSON Web Tokens
    • Cross Site Request Forgery
      • Exercise: Cross Site Request Forgery
    • Access Control
      • Exercise: Access Control
    • SQL Injection
      • Exercise: SQL Injection
    • Cross Site Scripting
      • Exercise: Cross Site Scripting
    • Application Logic Flaws
      • Exercise: Application Logic Flaws
    • Application Servers
    • Operating System Command Injection
      • Exercise: OS Command Injection
    • Information Disclosure
  • Post Exploitation
    • Client Goals
    • Telling the Story of Risk
    • Combining attacks
  • Reporting
    • What Goes into a Professional Report
    • Structure
    • Evidence
  • Clean Up and Conclusion
    • Post Assessment Clean Up
    • Final Review