757-216-3656 | Monday–Friday 8:30 AM – 4:30 PM | info@itdojo.com

Course Duration

4 days

Audience

Employees of federal, state and local governments, and of businesses working with the government.

Prerequisites

No prerequisite knowledge required other than general computer use.

Course Description

This hands-on live training is designed to take you from beginner to confident web application pentester with no prior hacking experience required. You will gain a solid foundation in how web apps work, how to find and exploit common vulnerabilities, and how to think like an attacker. The primary focus is learning by doing, with each module focused on real-world techniques. You will also receive 12-month access to the full on-demand version of the course to reinforce classroom learning objectives. This course includes two Exam Vouchers for TCM Security's Practical Web Pentest Associate (PWPA) and Practical Web Pentest Professional (PWPP) certifications. Each exam voucher includes 1 exam attempt and is valid for 12 months from the course completion date.

Learning Objectives

  • Understand the fundamental architecture and functionality of web applications
  • Identify and exploit common server-side vulnerabilities and attack techniques
  • Execute client-side attack methods and exploitation tactics
  • Use scanning tools and techniques to identify and execute advanced web application attacks

Course Outline

Day 1 – How Web Apps Work
  • Introduction to Web Applications
  • How Web Apps Work
  • Intro to HTTP
  • Broken Authentication
  • Broken Access Control
  • SQL Injection
Day 2 – Server-Side Attacks
  • SQL Injection (continued)
  • Command Injection
  • XML External Entity (XXE) Injection
  • Directory Traversal
Day 3 – Server-Side and Client-Side Attacks
  • File Upload Vulnerabilities
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
Day 4 – Scanning and Advanced Attacks
  • Scanning, Filter Bypasses, and WAF Bypasses
  • Logic Bugs
  • Building a Methodology
  • Performing a Web App Pentest

Get More Information

We work with government agencies, the military, government contractors, and corporate clients. As much as we would love to, our business model does not include working with the general public.