Syllabus WAPT
WAPT in pills:
Self-paced, online, flexible access
1000+ interactive slides
4+ hours of video materials
Learn the most advanced Web Application Attacks
Integrated with Coliseum Lab
24 Educational Coliseum labs
16 real world web applications to pentest in Coliseum Lab
Learn newest HTML5 Attacks
Dedicated BeEF Manual
Leads to 100% practical eWPT certification
Prepares for real world Web App Penetration testing job
The Web Application Penetration Testing course (WAPT) is the online, self-paced
training course that provides all the necessary advanced skills to carry out a
thorough and professional penetration test against modern web applications.
Thanks to the extensive use of Coliseum Lab and the coverage of the latest
research in the web application security field, the WAPT course is not only the
most practical training course on the subject but also the most up to date.

The course, although based on the offensive approach, contains, for each
chapter, advice and best practices to solve the security issues detected during
the penetration test.

The WAPT training course benefits the career of penetration testers and IT
Security personnel in charge of defending their organization's web applications.
This course allows organizations of all sizes to assess and mitigate the risk to which
their web applications are exposed, by building strong, practical in-house skills.
Penetration testing companies can train their teams with a comprehensive and
practical training course without having to deploy internal labs that are often
outdated and not backed by solid theoretical material.

Students wishing to enroll in the course must possess a solid understanding of
web applications and web application security models. No programming skills
are required; however, snippets of JavaScript/HTML/PHP code will be used
during the course.
The WAPT course is integrated with Coliseum Lab: the most advanced virtual lab
on web application security available today, with sandboxed vulnerable web
applications run on-the-fly within the eLearnSecurity cloud infrastructure.
Only a web browser and an internet connection are required to access the lab.
Each sandbox will be exclusive and dedicated to the student. The student will be
able to start, stop and reset each scenario at any time.
The WAPT course comes with 40 different labs of two different types:

Educational labs
These are guided scenarios with small tasks to be performed in order to
understand in practice what has been studied in theory. These labs
contain step by step instructions in PDF manuals. Educational labs are
available in all the modules of the WAPT course.
There are 24 different educational labs available in WAPT.

The number of labs available for this training course increases over time as
new updates are available and as new scenarios are added on the platform.
Please refer to the course home page for an up to date list of labs.
The student is provided with a suggested learning path to ensure the maximum
success rate and the minimum effort.
1. Introduction
1.1. HTTP Protocol Basics
1.1.1. Header and Body
1.1.2. Requests
1.1.3. Responses
1.2. Encoding
1.2.1. Introduction
1.2.2. Charsets
1.2.2.1. ASCII Charset
1.2.2.2. Unicode Charset
1.2.3. Charset vs. Charset Encoding
1.2.3.1. Encoding in Latin-1
1.2.3.2. Encoding in Unicode
1.2.4. Encoding in HTML
1.2.5. URL Encoding
1.2.6. HTML Entities (HTML Encoding)
1.2.7. Base64
1.3. Same Origin (SOP)
1.3.1. Introduction
1.3.2. Origin
1.3.3. What does SOP protect from?
1.3.4. How SOP works
1.3.5. Exceptions
1.3.5.1. Window.location
1.3.5.1.1. Examples
1.3.5.1.2. Security Issues
1.3.5.2. Document.domain
1.3.5.3. Cross window messaging
1.3.5.4. Cross Origin Resource Sharing
1.4. Cookies
1.4.1. Cookies Domain
1.4.1.1. Specified Cookie domain
1.4.1.2. Unspecified Cookie domain
1.4.1.3. Internet Explorer exception
1.4.2. Inspecting the cookie protocol
1.4.2.1. Correct cookie installation
1.4.2.2. Incorrect cookie installation
1.5. Sessions
1.6. Web Application Proxies
1.6.1. Burp Proxy Configuration
3. Information Gathering
Let the Penetration test start. Every penetration test begins with the
Information gathering phase. This is where a penetration tester understands
the application from a functional point of view and collects useful
information for the following phases of the engagement. A multitude of
techniques will be used in order to collect behavioral, functional,
applicative and infrastructural information. The student will use a variety
of tools to retrieve readily available information from the target.
3.1. Gathering Information on Target
3.1.1. Finding Owner, IP addresses, Emails
3.1.2. WHOIS
3.1.3. DNS
3.1.3.1. Nslookup
3.2. Infrastructure
3.2.1. Fingerprinting the Web Server
3.2.1.1. Modules
3.2.2. Enumerating subdomains
3.2.2.1. Bing
3.2.2.2. Subdomainer
3.2.2.3. Zone Transfer
3.2.3. Finding Virtual Hosts
3.2.3.1. Hostmap
3.3. Fingerprinting Frameworks and Applications
3.3.1. Fingerprinting Third-Party Add-Ons
3.4. Fingerprinting Custom Applications
3.4.1. Mapping the Attack Surface
3.5. Enumerating Resources
3.5.1. Crawling the Website
3.5.2. Finding Hidden Files
3.5.2.1. Back Up and Source Code File
3.5.3. Enumerating User Accounts with Burp
3.5.4. Attack Preparation: Spotting the differences
3.6. Relevant Information through Misconfiguration
3.6.1. Directory Listing
3.6.2. Log and Configuration Files
3.7. Google Hacking
Coliseum Labs included in this module
4. XSS
4.1. Cross site scripting
4.1.1. Basics
4.2. Anatomy of a XSS exploitation
4.3. The three types of XSS
4.3.1. Reflected XSS
4.3.2. Persistent XSS
4.3.3. DOM-based XSS
4.4. Finding XSS
4.4.1. Finding XSS in PHP code
4.5. XSS Exploitation
4.5.1. XSS, Browsers and same origin policy
4.5.2. Real world attacks
4.5.2.1. Cookie stealing through XSS
4.5.2.2. Defacement
4.6. Advanced phishing attacks
5. SQL Injection
5.1. Introduction to SQL Injection
5.1.1. Dangers of a SQL Injection
5.1.2. How SQL Injection works
5.2. How to find SQL injections
5.2.1. How to find SQL injections
5.2.2. Finding Blind SQL Injections
5.3. SQL Injection Exploitation
5.3.1. Exploiting Union SQL Injections
5.4. Exploiting Error Based SQL Injections
5.4.1. Dumping database data
5.4.2. Reading remote file system
5.4.3. Accessing the remote network
5.5. Exploiting Blind SQL Injection
5.5.1. Optimized Blind SQL Injections
5.5.2. Time Based SQL Injections
5.6. Tools
5.6.1. Advanced SQLmap usage and other tools
5.6.2. Tools taxonomy
6. Session Security
6.1. Weakness of Session Identifier
6.2. Understanding Session Hijacking
6.2.1. Session Hijacking Introduction
6.2.2. Session Hijacking through XSS
6.2.2.1. Preventing Session Hijacking through XSS
6.2.2.2. PHP
6.2.2.3. Java
6.2.2.4. .NET
6.2.3. Session Hijacking through Packet Sniffing
6.2.4. Session Hijacking through Access to the Web Server
6.2.4.1. PHP
6.2.4.2. Java
6.2.4.3. .NET
6.3. Session Fixation
6.3.1. Session Fixation Attacks
6.3.2. Preventing Session Fixation
6.3.2.1. PHP
6.3.2.2. .NET
6.3.2.3. Java
7. Flash
Flash, although a dying technology, is still present on millions of websites
online. Flash files can expose a web application and its users to a number of
security risks that will be covered within this module. The student will first
study the Flash security model and its pitfalls. Then they will use the most
recent tools to find and exploit vulnerabilities in Flash files. After having
studied this module, students will never look at SWF files the same way.
7.1. Introduction
7.1.1. Actionscript
7.1.1.1. Compiling and decompiling
7.1.2. Embedding Flash in HTML
7.1.2.1. The allowScriptAccess Attribute
7.1.3. Passing arguments to Flash Files
7.2. Flash Security model
7.2.1. Sandboxes
7.2.2. Stakeholders
7.2.2.1. Administration Role
7.2.2.2. User role
7.2.2.3. Website role
7.2.2.4. URL policy file
7.2.2.5. Author role
7.2.3. Calling Javascript from Actionscript
7.2.4. Calling Actionscript from Javascript
7.2.5. Method NavigateToURL
7.2.6. Local Shared Objects
7.3. Flash Vulnerabilities
7.3.1. Flash parameter injection
7.3.2. Fuzzing Flash with SWFInvestigator
7.3.3. Finding Hardcoded sensitive information
7.4. Pentesting Flash Applications
7.4.1. Analyzing client side components
7.4.2. Identifying communication protocol
7.4.3. Analyzing server side components
Coliseum Labs included in this module
8. Authentication
8.1. Introduction
8.1.1. Authentication vs. Authorization
8.1.2. Authentication factors
8.1.2.1. Single-factor Authentication
8.1.2.2. Two-factor Authentication
8.2. Common Vulnerabilities
8.2.1. Credentials Over Unencrypted Channel
8.2.2. Inadequate Password Policy
8.2.2.1. Dictionary Attack
8.2.2.2. Brute Force Attack
8.2.2.3. Preventing Inadequate Password Policy
8.2.2.3.1. Strong Passwords
8.2.2.3.2. Storing Hashes
8.2.2.3.3. Blocking Requests
8.2.3. User Enumeration
8.2.3.1. Examples
8.2.3.2. Taking Advantage of User Enumeration
8.2.4. Default or (easily) Guessable User Accounts
8.2.4.1. Typical default credentials
8.2.4.2. Default User Accounts
8.2.5. Remember me feature
8.2.5.1. Cache Browser Method
8.2.5.2. Cookie Method
8.2.5.3. Web Storage method
8.2.5.4. Best defensive techniques
8.2.6. Password reset
8.2.6.1. Easily guessable answers
8.2.6.2. Unlimited Attempts
8.2.6.3. Password reset link
8.2.6.3.1. Guessable
8.2.6.3.2. Recyclable
8.2.6.3.3. Predictable
8.2.6.4. Secret questions
8.2.7. Logout Weaknesses
8.2.7.1. Incorrect Session Destruction
8.3. Bypassing Authentication
8.3.1. Direct page request (Forced browsing)
techniques
10.9. Logical Flaws
10.9.1. A vulnerable Web Application
10.9.2. Best defensive techniques
10.10. Denial of Service
10.10.1. Different DoS Attacks
10.10.1.1. Request bombing
10.10.1.2. Greedy Pages
10.10.2. Best defensive techniques
Coliseum Labs included in this module
12. XPath
12.1. XML Documents and Databases
12.2. XPath
12.3. XPath vs. SQL
12.3.1. No comment statements
12.3.2. Case Sensitive
12.4. Detecting XPath Injection
12.4.1. Error Based Injection
12.4.2. Blind Injection
12.4.2.1. Detect True
12.4.2.2. Detect False
About eLearnSecurity
Based in Pisa, Italy, eLearnSecurity is a leading provider of IT security and
penetration testing courses for IT professionals. eLearnSecurity advances the
careers of IT security professionals by providing affordable top-level instruction. We
use engaging eLearning and the most effective mix of theory, practice and
methodology in IT security, all with real-world lessons that students can
immediately apply to build relevant skills and keep their companies' data and
systems safe. For more information, visit http://www.elearnsecurity.com.