Live Online Training

Intense Introduction to Hacking Web Applications

Omar Santos

This course starts with an introduction to modern web applications and then immediately dives into the mapping and discovery phase of testing. In this course, you will learn security penetration testing methodologies and concepts by going over step-by-step examples in real time.

This hands-on training course will use various open source tools. You will learn how to exploit SQL injection, command injection, cross-site scripting (XSS), XML External Entity (XXE), and cross-site request forgery (CSRF) vulnerabilities. You will also learn how to perform assessments of modern APIs used for mobile and IoT applications. The course includes interactive labs in which students work against a series of vulnerable web applications in a safe environment. You will learn how to craft the exploits that ethical hackers use to demonstrate real-world vulnerabilities during penetration testing engagements.

What you'll learn and how you can apply it

  • Learn through step-by-step interactive demonstrations
  • Perform real-world pen testing

This training course is for you because...

  • You have an understanding of cybersecurity fundamentals.
  • You are interested in cybersecurity and penetration testing (ethical hacking).
  • You want to learn different methodologies and best practices to perform security penetration testing assessments.

Prerequisites

Course participants should have a basic understanding of cybersecurity and networking, plus core familiarity with the Microsoft Windows and Linux operating systems. The following books and video courses provide a good overview of the cybersecurity fundamentals that are prerequisites for this course:

Course Set-up:

Recommended Preparation:

Recommended Follow-up:

About your instructor

  • Omar Santos is a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT) within Cisco's Security Research and Operations. He mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products, including cloud services. Omar has been working in information technology and cybersecurity since the mid-1990s. He has designed, implemented, and supported numerous secure networks for Fortune 100 and 500 companies and the U.S. government. He is an active member of the security community, where he leads several industry-wide initiatives and standards bodies. Omar frequently delivers technical presentations at conferences and is the author of over 15 books and video courses.

Schedule

The timeframes are only estimates and may vary according to how the class is progressing.

Section 1: Introduction to Web Application Penetration Testing Methodologies (20 minutes)

  • An introduction to ethical hacking and penetration testing methodologies
  • Reviewing the OWASP Testing Methodologies

Section 2: Building Your Own Web Application Lab (30 minutes)

  • Building your own lab
  • Installing WebSploit
  • Reviewing the Installation and Tools
  • Reviewing additional tools and web application hacking environments

Break 10 minutes

Section 3: Reconnaissance and Profiling Web Applications (20 minutes)

  • Conducting information gathering using appropriate techniques
  • Vulnerability Scanning
  • Analyzing vulnerability scan results
  • The process of leveraging information to prepare for exploitation
  • Weaknesses related to specialized systems

Section 4: Authentication and Session Management Vulnerabilities (20 minutes)

  • Introducing authentication methods
  • Exploiting authentication-based vulnerabilities
  • Exploiting session management vulnerabilities

Section 5: Exploiting Cross-site Scripting (XSS) and Understanding Cross-site Request forgery (CSRF/XSRF) Vulnerabilities (20 minutes)

  • Reflected XSS
  • Stored XSS
  • DOM-based XSS
  • Understanding Cross-site Request forgery (CSRF/XSRF)

Break 10 minutes

Section 6: Exploiting SQL Injection (30 minutes)

  • Overview of SQL Injection
  • Exploiting SQL Injection Vulnerabilities

Section 7: Exploiting XML External Entity (XXE) Vulnerabilities (30 minutes)

  • Understanding XXE
  • Exploiting XXE vulnerabilities

Break 10 minutes

Section 8: Hacking APIs, Fuzzing, and Q&A (30 minutes)

  • Overview of APIs
  • Hacking APIs
  • Fuzzing
  • Q&A