Syllabus WAPT


The most practical and comprehensive training course on Web App Penetration testing

WAPT in pills:
- Self-paced, online, flexible access
- 1000+ interactive slides
- 4+ hours of video materials
- Learn the most advanced Web Application Attacks
- Integrated with Coliseum Lab
- 24 Educational Coliseum labs
- 16 real world web applications to pentest in Coliseum Lab
- Learn the newest HTML5 Attacks
- Dedicated BeEF Manual
- Leads to the 100% practical eWPT certification
- Prepares for a real world Web App Penetration testing job

eLearnSecurity has been chosen by students in 113 countries in the world and by
leading organizations such as:

The Web Application Penetration Testing course (WAPT) is the online, self-paced
training course that provides all the advanced skills necessary to carry out a
thorough and professional penetration test against modern web applications.
Thanks to the extensive use of Coliseum Lab and the coverage of the latest
research in the web application security field, the WAPT course is not only the
most practical training course on the subject but also the most up to date.
The course, although based on the offensive approach, contains, for each
chapter, advice and best practices to solve the security issues detected during
the penetration test.

The WAPT training course benefits the career of penetration testers and IT
security personnel in charge of defending their organization's web applications.
This course allows organizations of all sizes to assess and mitigate the risk to
which their web applications are exposed, by building strong, practical in-house
skills. Penetration testing companies can train their teams with a comprehensive
and practical training course without having to deploy internal labs that are
often outdated and not backed by solid theoretical material.
A student willing to enroll in the course must possess a solid understanding of
web applications and web application security models. No programming skills
are required; however, snippets of JavaScript/HTML/PHP code will be used
during the course.

The WAPT course leads to the eWPT certification.

The certification can be obtained by successfully completing the requirements
of a 100% practical exam consisting of a penetration test of a real world,
complex web application hosted in the eLearnSecurity Hera labs.

An eWPT voucher is included in all the plans of the WAPT course.

The WAPT course is integrated with Coliseum Lab: the most advanced virtual lab
on web application security available today, with sandboxed vulnerable web
applications run on-the-fly within the eLearnSecurity cloud infrastructure.
Only a web browser and an internet connection are required to access the lab.
Each sandbox is exclusive and dedicated to the student, who can start, stop and
reset each scenario at any time.
The WAPT course comes with 40 different labs of two different types:

Educational labs
These are guided scenarios with small tasks to be performed in order to
understand in practice what has been studied in theory. These labs contain
step by step instructions in PDF manuals. Educational labs are available in all
the modules of the WAPT course.
There are 24 different educational labs available in WAPT.

Penetration testing labs
The penetration testing labs are included in the Coliseum WAPT package
(formerly WAS360), featuring 16 different website scenarios modeled after
real world websites that students will encounter during their career.
The student performs penetration tests against these increasingly difficult
scenarios to self-assess and practice the testing skills acquired during the
training course.
By successfully completing all the labs in this package the student will have
acquired enough experience to attempt the certification exam.
There are 16 different penetration testing labs available in WAPT.

The number of labs available for this training course increases over time as
new updates are released and as new scenarios are added to the platform.
Please refer to the course home page for an up to date list of labs.

The student is provided with a suggested learning path to ensure the maximum
success rate with the minimum effort.

- Module 1: Introduction (Web Application Essentials)
- Module 2: Penetration Testing Process
- Module 3: Information Gathering
- Module 4: Cross Site Scripting
- Module 5: SQL Injection
- Module 6: Session Security and Attacks
- Module 7: Flash Security
- Module 8: Authentication
- Module 9: HTML5 and New Frontiers
- Module 10: Common Vulnerabilities
- Module 11: Web Services
- Module 12: XPath Injection
- Module 13: VA & Exploitation Tools

All modules come in slides + video format. Modules can be accessed from within the
eLearnSecurity Members area.
Labs are referenced within the slides in order to suggest the correct learning path to
follow.

During this introductory module the student will understand the basics of web
applications. An in-depth coverage of the Same Origin Policy in its latest
developments and of the cookie specification (RFC 6265, 2011) will help
experienced and inexperienced penetration testers gain critical foundational
skills useful for the rest of the training course.
At the end of the module the student will be familiar with Burp Suite and its
basic configuration.
It is a light but necessary introduction to a heavily practical, advanced
training course.

1. Introduction
1.1. HTTP Protocol Basics
1.1.1. Header and Body
1.1.2. Requests
1.1.3. Responses
1.2. Encoding
1.2.1. Introduction
1.2.2. Charsets
1.2.2.1. ASCII Charset
1.2.2.2. Unicode Charset
1.2.3. Charset vs. Charset Encoding
1.2.3.1. Encoding in Latin-1
1.2.3.2. Encoding in Unicode
1.2.4. Encoding in HTML
1.2.5. URL Encoding
1.2.6. HTML Entities (HTML Encoding)
1.2.7. Base64
1.3. Same Origin Policy (SOP)
1.3.1. Introduction
1.3.2. Origin
1.3.3. What does SOP protect from?
1.3.4. How SOP works
1.3.5. Exceptions
1.3.5.1. Window.location
1.3.5.1.1. Examples
1.3.5.1.2. Security Issues
1.3.5.2. Document.domain
1.3.5.3. Cross window messaging
1.3.5.4. Cross Origin Resource Sharing
1.4. Cookies
1.4.1. Cookies Domain
1.4.1.1. Specified Cookie domain
1.4.1.2. Unspecified Cookie domain
1.4.1.3. Internet Explorer exception
1.4.2. Inspecting the cookie protocol
1.4.2.1. Correct cookie installation
1.4.2.2. Incorrect cookie installation
1.5. Sessions
1.6. Web Application Proxies
1.6.1. Burp Proxy Configuration
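The contrast that sections 1.3 and 1.4 build on, as an added example that is not part of the WAPT course material: script access between two pages is decided by the Same Origin Policy (scheme, host and port must all match), while cookie delivery is decided by the looser RFC 6265 domain and path matching rules. The hostnames, the cookie and the helper functions below are constructed for this illustration and are not taken from the course.

```javascript
// Added example, not part of the WAPT course material: SOP origin comparison
// versus RFC 6265 cookie scoping. All hostnames below are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple as a string, with the default port filled in so that
// "https://a.example.com" and "https://a.example.com:443" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// RFC 6265 section 5.1.3 (domain matching): the request host matches the
// cookie domain when it is identical, or when it ends with "." + domain and
// the host is not an IPv4 literal. A leading dot on the Domain attribute is
// ignored (section 5.2.3).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (!host.endsWith('.' + domain)) return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.4 (path matching).
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach `cookie` (stored after a Set-Cookie from `setHost`)
// to a request for `requestUrl`? Covers the Domain attribute (absent means a
// host-only cookie), the Path attribute and the Secure flag.
function cookieSentTo(cookie, setHost, requestUrl) {
  const u = new URL(requestUrl);
  const hostOk = cookie.domain
    ? domainMatches(u.hostname, cookie.domain)
    : u.hostname === setHost.toLowerCase();
  const pathOk = pathMatches(u.pathname, cookie.path || '/');
  const secureOk = !cookie.secure || u.protocol === 'https:';
  return hostOk && pathOk && secureOk;
}

// The point of the contrast: a session cookie scoped to the parent domain
// reaches every subdomain, while script on one subdomain cannot read another.
const sessionCookie = { name: 'PHPSESSID', domain: 'example.com', secure: true };
const pages = ['https://www.example.com/', 'https://app.example.com/', 'https://evil.example.com/'];
for (const page of pages) {
  console.log(page,
    'same origin as www:', sameOrigin(page, 'https://www.example.com/'),
    'receives cookie:', cookieSentTo(sessionCookie, 'www.example.com', page));
}
```

Running it shows why a cookie set with `Domain=example.com` is a finding during a test: every host under that domain, including one an attacker controls through XSS on a forgotten subdomain, receives the session cookie even though SOP keeps those pages apart for script access.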

This module helps penetration testers gain confidence with the processes and
legal matters involved in a penetration testing engagement.
The student will learn the methodologies and the reporting best practices in
order to become a confident and professional penetration tester.
This is a wealth of information useful throughout the entire career of a
penetration tester.

2. Penetration Testing Process


2.1. Pre-engagement
2.1.1. Rules of engagement
2.1.1.1. The goal and scope
2.1.1.1.1. Goal
2.1.1.1.2. Scope of engagement
2.1.1.2. Time-table
2.1.1.3. Liabilities and responsibilities
2.1.1.3.1. NDA
2.1.1.3.2. The Emergency plan
2.1.1.4. The allowed techniques
2.1.1.5. The deliverables
2.2. Methodologies
2.2.1. PTES
2.2.2. OSSTMM
2.2.3. OWASP Testing Guide
2.3. Reporting

Let the penetration test start. Every penetration test begins with the
information gathering phase. This is where a penetration tester understands the
application from a functional point of view and collects useful information for
the following phases of the engagement.
A multitude of techniques will be used in order to collect behavioral,
functional, applicative and infrastructural information. The student will use a
variety of tools to retrieve readily available information from the target.

3. Information Gathering
3.1. Gathering Information on Target
3.1.1. Finding Owner, IP addresses, Emails
3.1.2. WHOIS
3.1.3. DNS
3.1.3.1. Nslookup
3.2. Infrastructure
3.2.1. Fingerprinting the Web Server
3.2.1.1. Modules
3.2.2. Enumerating subdomains
3.2.2.1. Bing
3.2.2.2. Subdomainer
3.2.2.3. Zone Transfer
3.2.3. Finding Virtual Hosts
3.2.3.1. Hostmap
3.3. Fingerprinting Frameworks and Applications
3.3.1. Fingerprinting Third-Party Add-Ons
3.4. Fingerprinting Custom Applications
3.4.1. Mapping the Attack Surface
3.5. Enumerating Resources
3.5.1. Crawling the Website
3.5.2. Finding Hidden Files
3.5.2.1. Back Up and Source Code Files
3.5.3. Enumerating User Accounts with Burp
3.5.4. Attack Preparation: Spotting the differences
3.6. Relevant Information through Misconfiguration
3.6.1. Directory Listing
3.6.2. Log and Configuration Files
3.7. Google Hacking

Coliseum Labs included in this module

The most widespread web application vulnerability will be dissected and studied
in all its parts.
At first you will be provided with a theoretical explanation. This understanding
will help you in the exploitation and remediation process. Later you will master
all the techniques to find XSS vulnerabilities through black box testing.

4. XSS
4.1. Cross site scripting
4.1.1. Basics
4.2. Anatomy of an XSS exploitation
4.3. The three types of XSS
4.3.1. Reflected XSS
4.3.2. Persistent XSS
4.3.3. DOM-based XSS
4.4. Finding XSS
4.4.1. Finding XSS in PHP code
4.5. XSS Exploitation
4.5.1. XSS, Browsers and same origin policy
4.5.2. Real world attacks
4.5.2.1. Cookie stealing through XSS
4.5.2.2. Defacement
4.6. Advanced phishing attacks

Coliseum Labs included in this module

This module contains the most advanced techniques to find and exploit SQL
injections, from the explanation of the most basic SQL injection up to the most
advanced. Advanced methods will be taught with real world examples and the best
tools will be demonstrated on real targets.
You will not just be able to dump remote databases but also to get root on the
remote machine through advanced SQL injection techniques.

5. SQL Injection
5.1. Introduction to SQL Injection
5.1.1. Dangers of a SQL Injection
5.1.2. How SQL Injection works
5.2. How to find SQL injections
5.2.1. How to find SQL injections
5.2.2. Finding Blind SQL Injections
5.3. SQL Injection Exploitation
5.3.1. Exploiting Union SQL Injections
5.4. Exploiting Error Based SQL Injections
5.4.1. Dumping database data
5.4.2. Reading remote file system
5.4.3. Accessing the remote network
5.5. Exploiting Blind SQL Injection
5.5.1. Optimized Blind SQL Injections
5.5.2. Time Based SQL Injections
5.6. Tools
5.6.1. Advanced SQLmap usage and
other tools
5.6.2. Tools taxonomy

Coliseum Labs included in this module

Session related vulnerabilities will be the subject of this module, with
extensive coverage of the most common attack patterns.
Code samples on how to prevent session attacks are provided in PHP, Java and
.NET.
At the end of the module the student will master offensive as well as defensive
procedures related to session management within web applications.

6. Session Security
6.1. Weakness of Session Identifier
6.2. Understanding Session Hijacking
6.2.1. Session Hijacking Introduction
6.2.2. Session Hijacking through XSS
6.2.2.1. Preventing Session Hijacking
through XSS
6.2.2.2. PHP
6.2.2.3. Java
6.2.2.4. .NET
6.2.3. Session Hijacking through Packet
Sniffing
6.2.4. Session Hijacking through Access
to the Web Server
6.2.4.1. PHP
6.2.4.2. Java
6.2.4.3. .NET
6.3. Session Fixation
6.3.1. Session Fixation Attacks
6.3.2. Preventing Session Fixation
6.3.2.1. PHP
6.3.2.2. .NET
6.3.2.3. Java

Coliseum Labs included in this module


Flash, although a dying technology, is still present on millions of websites
online. Flash files can expose a web application and its users to a number of
security risks that will be covered within this module.
The student will first study the Flash security model and its pitfalls, then
use the most recent tools to find and exploit vulnerabilities in Flash files.
After having studied this module, students will never look at SWF files the
same way.

7. Flash
7.1. Introduction
7.1.1. ActionScript
7.1.1.1. Compiling and decompiling
7.1.2. Embedding Flash in HTML
7.1.2.1. The allowScriptAccess Attribute
7.1.3. Passing arguments to Flash Files
7.2. Flash Security model
7.2.1. Sandboxes
7.2.2. Stakeholders
7.2.2.1. Administration Role
7.2.2.2. User role
7.2.2.3. Website role
7.2.2.4. URL policy file
7.2.2.5. Author role
7.2.3. Calling JavaScript from ActionScript
7.2.4. Calling ActionScript from JavaScript
7.2.5. Method navigateToURL
7.2.6. Local Shared Objects
7.3. Flash Vulnerabilities
7.3.1. Flash parameter injection
7.3.2. Fuzzing Flash with SWFInvestigator
7.3.3. Finding Hardcoded sensitive information
7.4. Pentesting Flash Applications
7.4.1. Analyzing client side components
7.4.2. Identifying communication protocol
7.4.3. Analyzing server side components

Coliseum Labs included in this module


Any application with a minimum of complexity requires authentication at some
point. Chances are that the authentication mechanisms in place are not
sufficient or are simply broken, exposing the organization to serious security
issues leading to a complete compromise of the web application and the data it
stores.
During this module the student will learn the most common authentication
mechanisms, their weaknesses and the related attacks, from inadequate password
policies to weaknesses in the implementation of common features.


8. Authentication
8.1. Introduction
8.1.1. Authentication vs. Authorization
8.1.2. Authentication factors
8.1.2.1. Single-factor
Authentication
8.1.2.2. Two-factor Authentication
8.2. Common Vulnerabilities
8.2.1. Credentials Over Unencrypted
Channel
8.2.2. Inadequate Password Policy
8.2.2.1. Dictionary Attack
8.2.2.2. Brute Force Attack
8.2.2.3. Preventing Inadequate
Password Policy
8.2.2.3.1. Strong Passwords
8.2.2.3.2. Storing Hashes
8.2.2.3.3. Blocking Requests
8.2.3. User Enumeration
8.2.3.1. Examples
8.2.3.2. Taking Advantage of User
Enumeration
8.2.4. Default or (easily) Guessable User
Accounts
8.2.4.1. Typical default credentials
8.2.4.2. Default User Accounts
8.2.5. Remember me feature
8.2.5.1. Cache Browser Method
8.2.5.2. Cookie Method
8.2.5.3. Web Storage method
8.2.5.4. Best defensive techniques
8.2.6. Password reset
8.2.6.1. Easily guessable answers
8.2.6.2. Unlimited Attempts
8.2.6.3. Password reset link
8.2.6.3.1. Guessable
8.2.6.3.2. Recyclable
8.2.6.3.3. Predictable
8.2.6.4. Secret questions
8.2.7. Logout Weaknesses
8.2.7.1. Incorrect Session
Destruction
8.3. Bypassing Authentication
8.3.1. Direct page request (Forced
browsing)

8.3.1.1. Best defensive techniques


8.3.2. Parameter modification
8.3.2.1. An example of vulnerable
web application
8.3.2.2. Best defensive techniques
8.3.3. Incorrect Redirection
8.3.3.1. Using redirect to protect
contents
8.3.3.2. Are the contents really
protected?
8.3.3.3. A typical vulnerable
WebApp
8.3.3.4. Best defensive techniques
8.3.4. SessionID prediction
8.3.5. SQL Injection
8.3.5.1. A vulnerable authentication
form
8.3.5.2. Exploitation through SQL
Injection
Coliseum Labs included in this module


This module is an extremely in-depth coverage of all the attack vectors and
weaknesses introduced by the new W3C standards and protocols, both drafted and
finalized.
We will go through the most important elements of HTML5 and especially the new
CORS paradigm that completely changes the way the SOP is applied to most modern
web applications.
By mastering this module in theory and practice the student will possess an
arsenal of penetration testing techniques that are still unknown to the vast
majority of penetration testers.
A number of Coliseum labs are available to practice all the aspects covered
within this module.
This module brings penetration testers' skills to the next level with next
generation attack vectors that are going to affect web applications for the
next decade.


9. HTML5 and New Frontiers


9.1. Cross Origin Resource Sharing (CORS)
9.1.1. Same Origin Policy Issue
9.1.2. Cross-Domain Policy in Flash
9.1.3. Cross Origin Resource Sharing
9.1.3.1. Cross Origin Ajax Request
9.1.3.2. Cross Origin Requests
9.1.3.2.1. Simple Requests
9.1.3.2.2. Preflighted requests
9.1.3.2.3. Request with Credentials
9.1.3.3. Control Access Headers
9.1.3.3.1. Header Access-Control-Allow-Origin
9.1.3.3.2. Header Access-Control-Allow-Credentials
9.1.3.3.3. Header Access-Control-Allow-Headers
9.1.3.3.4. Header Access-Control-Allow-Methods
9.1.3.3.5. Header Access-Control-Max-Age
9.1.3.3.6. Header Access-Control-Expose-Headers
9.1.3.3.7. Header Origin
9.1.3.3.8. Header Access-Control-Request-Method
9.1.3.3.9. Header Access-Control-Request-Headers
9.2. Cross Windows Messaging
9.2.1. Relationship between windows
9.2.2. Sending Messages
9.2.3. Receiving Messages
9.2.4. Security Issues
9.3. Web Storage
9.3.1. Different Storages
9.3.1.1. Local Storage
9.3.1.2. Session Storage
9.3.2. Local Storage APIs
9.3.2.1. Adding an Item
9.3.2.2. Retrieving an Item
9.3.2.3. Removing an Item
9.3.2.4. Removing all Items
9.3.3. SessionStorage APIs
9.3.4. Security Issues
9.4. Web Sockets
9.4.1. Real Time Applications Using HTTP
9.4.2. WebSocket
9.4.2.1. Features
9.4.2.2. Benefits
9.4.2.3. APIs
9.5. Sandboxed frames
9.5.1. Security Issues before HTML5
9.5.1.1. Redirection
9.5.1.1.1. Example
9.5.1.1.2. Preventing
9.5.1.2. Accessing the Parent
Document from iframe
9.5.2. HTML5 sandbox attribute
Coliseum Labs included in this module
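The CORS decisions outlined in 9.1.3.2 and 9.1.3.3, as an added example that is not part of the WAPT course material: when a request is "simple" versus preflighted, what the browser does with the Access-Control-* response headers, and the probe a tester sends to find a server that reflects an arbitrary Origin together with Allow-Credentials. The header maps, the two server behaviours and the attacker origin are constructed for the illustration; nothing is fetched.

```javascript
// Added example, not part of the WAPT course material: browser-side CORS
// decisions and a reflected-Origin probe. All inputs are constructed.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Simple vs. preflighted request (9.1.3.2): anything beyond GET/HEAD/POST with
// form-style headers makes the browser send an OPTIONS preflight first.
function needsPreflight(method, requestHeaders = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(requestHeaders)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return true;
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Response check (9.1.3.3): given the page's Origin, the response headers and
// whether the request carried credentials, decide if script gets the body.
function evaluateCors(origin, responseHeaders, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v);
  const acao = h['access-control-allow-origin'];
  const acac = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (acao === undefined) return { allowed: false, finding: 'no CORS headers: SOP applies' };
  if (acao === '*') {
    if (withCredentials) return { allowed: false, finding: 'wildcard is rejected for credentialed requests' };
    return { allowed: true, finding: 'anonymous read from any origin' };
  }
  if (acao !== origin) return { allowed: false, finding: 'origin not allowed' };
  if (withCredentials && !acac) return { allowed: false, finding: 'credentialed request without Allow-Credentials: true' };
  return { allowed: true, finding: (withCredentials ? 'credentialed ' : '') + 'read granted to ' + origin };
}

// Tester's probe: send an attacker-chosen Origin and see whether the server
// reflects it together with Allow-Credentials. If it does, any site can read
// the victim's authenticated responses, which is the SOP bypass the module
// describes. `serverHandler` maps a request Origin to response headers.
function reflectsArbitraryOrigin(serverHandler) {
  const probe = 'https://attacker.example';   // hypothetical attacker origin
  return evaluateCors(probe, serverHandler(probe), true).allowed;
}

// Two constructed server behaviours for the probe: an allow-list and an echo.
function allowListServer(origin) {
  const allowed = new Set(['https://app.example.com']);
  return allowed.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', 'Vary': 'Origin' }
    : {};
}
function echoServer(origin) {
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

console.log('PUT needs preflight:', needsPreflight('PUT'));
console.log('allow-list server reflects arbitrary origin:', reflectsArbitraryOrigin(allowListServer));
console.log('echo server reflects arbitrary origin:', reflectsArbitraryOrigin(echoServer));
```

Note the asymmetry the probe relies on: a wildcard Allow-Origin is harmless for authenticated data because browsers refuse to combine `*` with credentials, so the exploitable pattern is a server that copies the request's Origin into Allow-Origin and also sends `Access-Control-Allow-Credentials: true`.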


During this module the student will practice a number of vulnerabilities that,
despite being less known or publicized, are still affecting a number of web
applications across many different programming languages and platforms.
Advanced clickjacking attacks are covered in depth with real world examples and
dissected real world attacks.
The level of depth and the amount of practical sessions during this module will
provide even seasoned penetration testers with new ways to break the security of
their targets.


10. Common Vulnerabilities


10.1. OWASP A4 - Insecure Direct Object
Reference
10.1.1. Examples
10.1.1.1. References to file system
10.1.1.2. References to DB Keys
10.2. OWASP A8 Failure to restrict URL
access
10.3. Path Traversal
10.3.1. Path Convention
10.3.1.1. Encoding
10.3.2. Best defensive techniques
10.4. File Inclusion
10.4.1. Local File Inclusion
10.4.2. Remote File Inclusion
10.5. Unrestricted File Upload
10.5.1. A vulnerable Web Application
10.5.2. Best defensive techniques
10.5.2.1. Filtering based on file
content
10.6. Clickjacking
10.6.1. Understanding Clickjacking
10.6.1.1. Feasibility study
10.6.1.1.1. Case 1: possible
10.6.1.1.2. Case 2: not possible
10.6.1.2. Building Malicious Web
Pages
10.6.1.3. Spreading the Malicious
Link
10.6.1.4. Waiting for the victim
10.6.1.5. Best defensive
techniques
10.6.1.5.1. The Old School
10.6.1.5.2. HTTP header X-Frame-Options
10.6.2. Likejacking in Facebook
10.6.3. Cursorjacking
10.7. HTTP Response splitting
10.7.1. A typical Scenario
10.7.2. XSS through HTTP Response
splitting
10.8. Header Injection
10.8.1. Bypassing Same Origin Policy
10.8.1.1. Attack explained
10.8.1.2. Best defensive

techniques
10.9. Logical Flaws
10.9.1. A vulnerable Web Application
10.9.2. Best defensive techniques
10.10. Denial of Service
10.10.1. Different DoS Attacks
10.10.1.1. Request bombing
10.10.1.2. Greedy Pages
10.10.2. Best defensive techniques
Coliseum Labs included in this module
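The clickjacking feasibility study of 10.6.1.1 as code, an added example that is not part of the WAPT course material: a page is frameable when X-Frame-Options (10.6.1.5.2) does not stop the attacker's top-level document, and the "old school" frame-busting script (10.6.1.5.1) only helps when the attacker's iframe does not use the HTML5 sandbox attribute (9.5.2) to keep it from running or from navigating the top window. The URLs, the sandbox values and the decoy page markup are constructed for the illustration.

```javascript
// Added example, not part of the WAPT course material: can this page be
// clickjacked? All URLs and attributes below are constructed.

// X-Frame-Options as applied to the top-level document. An absent, unknown or
// malformed value means the header is ignored and framing is allowed.
// ALLOW-FROM was honoured by Firefox and IE only; Chrome and Safari treated it
// as an unknown value, which is what honorsAllowFrom = false models.
function framingAllowed(xfoHeader, framedUrl, topUrl, honorsAllowFrom = false) {
  if (!xfoHeader) return true;
  const value = xfoHeader.trim().toUpperCase();
  const framedOrigin = new URL(framedUrl).origin;
  const topOrigin = new URL(topUrl).origin;
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return framedOrigin === topOrigin;
  if (value.startsWith('ALLOW-FROM ')) {
    if (!honorsAllowFrom) return true;      // unknown directive for this browser
    const allowed = xfoHeader.trim().slice('ALLOW-FROM '.length).trim();
    return new URL(allowed).origin === topOrigin;
  }
  return true;
}

// Can the classic buster `if (top != self) top.location = self.location`
// escape, given the attacker's iframe sandbox attribute (null = no sandbox)?
// Without allow-scripts the buster never runs; without allow-top-navigation
// it runs but the assignment to top.location is blocked.
function frameBusterEscapes(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return true;
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  return tokens.has('allow-scripts') && tokens.has('allow-top-navigation');
}

// The verdict of 10.6.1.1: true is "Case 1: possible", false is "Case 2".
function clickjackable({ xfo, hasFrameBuster, framedUrl, attackerUrl, sandboxAttr }) {
  if (!framingAllowed(xfo, framedUrl, attackerUrl)) return false;
  if (hasFrameBuster && frameBusterEscapes(sandboxAttr)) return false;
  return true;
}

// 10.6.1.2: the attacker's page, a decoy button underneath a transparent
// iframe of the target. The sandbox attribute is what defeats a frame buster
// while still letting the victim's click reach the framed form.
function maliciousPage(targetUrl, sandboxAttr) {
  const sandbox = sandboxAttr == null ? '' : ` sandbox="${sandboxAttr}"`;
  return `<button style="position:absolute;top:100px;left:100px">Claim prize</button>
<iframe src="${targetUrl}"${sandbox}
  style="position:absolute;top:0;left:0;width:800px;height:600px;opacity:0;z-index:2"></iframe>`;
}

const target = { xfo: undefined, hasFrameBuster: true,
  framedUrl: 'https://bank.example/transfer', attackerUrl: 'https://attacker.example/' };
console.log('buster, no sandbox:', clickjackable({ ...target, sandboxAttr: null }));
console.log('buster, sandboxed :', clickjackable({ ...target, sandboxAttr: 'allow-forms allow-scripts' }));
console.log(maliciousPage(target.framedUrl, 'allow-forms allow-scripts'));
```

The check is deliberately pessimistic for the defender: only DENY or SAMEORIGIN reliably close Case 1, and a frame buster alone does not, because the attacker chooses the sandbox tokens.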


Professional penetration testers should master all aspects related to web
services testing. Web services are nowadays the data and logic provider for a
variety of thin and thick clients, from web application clients to mobile
applications.
During this highly in-depth module the student will first become familiar with
web services paradigms and protocols and then learn all the most important
related security issues.
WSDL and SOAP testing will be covered not only in theory but also in practice
in our Coliseum Lab.

11. Web Services
11.1. Introduction
11.2. Why use Web Services
11.2.1. Standardized Protocols
11.2.1.1. HTTP
11.2.1.2. XML
11.2.1.3. SOAP
11.2.2. Interoperability between different Applications
11.2.3. Exposing Services
11.3. Description of a Web Service
11.3.1. The WSDL Language
11.3.2. Interaction between Client and Web Service
11.3.3. Objects in WSDL 1.1
11.3.3.1. Binding
11.3.3.2. PortType
11.3.3.3. Message
11.3.3.4. Operation
11.4. Attacks
11.4.1. WSDL Disclosure
11.4.1.1. WSDL Google Hacking
11.4.1.2. WSDL Scanning
11.4.2. SOAP Action Spoofing
11.4.2.1. Pre-requirements
11.4.2.2. Attack in action
11.4.2.3. Best defensive techniques
11.4.3. SQL Injection through SOAP messages
11.4.3.1. Best defensive techniques

Coliseum Labs included in this module


XPath is the XML standard query language that allows web applications to query
XML documents and databases.
In this module the student will learn advanced XPath injection techniques, in
theory and in practice in the Coliseum.

12. XPath
12.1. XML Documents and Databases
12.2. XPath
12.3. XPath vs. SQL
12.3.1. No comment statements
12.3.2. Case Sensitive
12.4. Detecting XPath Injection
12.4.1. Error Based Injection
12.4.2. Blind Injection
12.4.2.1. Detect True
12.4.2.2. Detect False

Coliseum Labs included in this module


In this module the student will learn how to use open source and commercial
tools to find and exploit all the vulnerabilities studied and practiced during
the training course.

13. VA & Exploitation Tools


13.1. Acunetix
13.1.1. VA
13.1.2. Exploitation
13.2. Netsparker
13.2.1. VA
13.2.2. Exploitation
13.3. W3af
13.3.1. VA
13.3.2. Exploitation
13.4. BeEF
13.4.1. Architecture
13.4.2. User Interface
13.4.3. Communication Server (CS)
13.4.4. Zombie
13.4.5. Hooking Example
13.4.5.1. BeEF Commands
13.4.5.2. Browser Commands
13.4.5.3. Host Commands
13.4.5.4. Network Commands
13.4.5.5. Exploits Commands
13.4.6. XSSrays
13.4.7. Requester
13.4.8. Tunneling Proxy
13.4.8.1. Configuring a tunneling
Proxy
13.4.9. Metasploit Integration

All tools can be practiced within the Coliseum Lab


About eLearnSecurity
Based in Pisa, Italy, eLearnSecurity is a leading provider of IT security and
penetration testing courses for IT professionals. eLearnSecurity advances the
careers of IT security professionals by providing affordable top-level instruction.
We use engaging eLearning and the most effective mix of theory, practice and
methodology in IT security, all with real-world lessons that students can
immediately apply to build relevant skills and keep their companies' data and
systems safe. For more information, visit http://www.elearnsecurity.com.

© 2013 eLearnSecurity S.R.L.


Via Matteucci 36/38
56124 Pisa, Italy

