Syllabus WAPT


WAPT in pills:

- Self-paced, online, flexible access
- 1000+ interactive slides
- 4+ hours of video materials
- Learn the most advanced Web Application Attacks
- Integrated with Coliseum Lab
- 24 Educational Coliseum labs
- 16 real world web applications to pentest in Coliseum Lab
- Learn newest HTML5 Attacks
- Dedicated BeEF Manual
- Leads to 100% practical eWPT certification
- Prepares for real world Web App Penetration testing job

The most practical and comprehensive training course on Web App Penetration testing.

eLearnSecurity has been chosen by students in 113 countries in the world and by leading organizations such as:

The Web Application Penetration Testing course (WAPT) is the online, self-paced training course that provides all the necessary advanced skills to carry out a thorough and professional penetration test against modern web applications. Thanks to the extensive use of Coliseum Lab and the coverage of the latest research in the web application security field, the WAPT course is not only the most practical training course on the subject but also the most up to date.

The course, although based on the offensive approach, contains, for each chapter, advice and best practices to solve the security issues detected during the penetration test.

The WAPT training course benefits the career of penetration testers and IT security personnel in charge of defending their organization's web applications. This course allows organizations of all sizes to assess and mitigate the risk to which their web applications are exposed, by building strong, practical in-house skills. Penetration testing companies can train their teams with a comprehensive and practical training course without having to deploy internal labs that are often outdated and not backed by solid theoretical material.

The student willing to enroll in the course must possess a solid understanding of web applications and web application security models. No programming skills are required; however, snippets of Javascript/HTML/PHP code will be used during the course.

The WAPT course leads to the eWPT certification. The certification can be obtained by successfully completing the requirements of a 100% practical exam consisting of a penetration test of a real world complex web application hosted in our eLearnSecurity Hera labs. An eWPT voucher is included in all the plans of the WAPT course.

The WAPT course is integrated with Coliseum Lab: the most advanced virtual lab on web application security available today, with sandboxed vulnerable web applications run on-the-fly within the eLearnSecurity cloud infrastructure. Only a web browser and an internet connection are required to access the lab. Each sandbox will be exclusive and dedicated to the student. The student will be able to start, stop and reset each scenario at any time.

The WAPT course comes with 40 different labs of two different types:

Educational labs

These are guided scenarios with small tasks to be performed in order to understand in practice what has been studied in theory. These labs contain step by step instructions in PDF manuals. Educational labs are available in all the modules of the WAPT course. There are 24 different educational labs available in WAPT.

Penetration testing labs

The penetration testing labs are included in the Coliseum WAPT package (former WAS360), featuring 16 different website scenarios modeled after real world websites that the student will encounter during his career. The student will perform penetration tests against these increasingly difficult scenarios to self-assess and practice the testing skills acquired during the training course. By successfully completing all the labs in this package the student will have acquired enough experience to attempt the certification exam. There are 16 different penetration testing labs available in WAPT.

The number of labs available for this training course increases over time as new updates are available and as new scenarios are added to the platform. Please refer to the course home page for an up to date list of labs.

The student is provided with a suggested learning path to ensure the maximum success rate with the minimum effort.

- Module 1: Introduction: Web Application Essentials
- Module 2: Penetration Testing Process
- Module 3: Information Gathering
- Module 4: Cross Site Scripting
- Module 5: SQL Injection
- Module 6: Session Security and Attacks
- Module 7: Flash Security
- Module 8: Authentication
- Module 9: HTML5 and New Frontiers
- Module 10: Common Vulnerabilities
- Module 11: Web Services
- Module 12: XPath Injection
- Module 13: VA & Exploitation Tools

All modules come in slides + video format. Modules can be accessed from within the eLearnSecurity Members area. Labs are referenced within the slides in order to suggest the correct learning path to follow.

During this introductory module the student will understand the basics of web applications. In-depth coverage of the Same Origin Policy in its latest developments and of the cookie RFC 6265 (2011) will help experienced and non-experienced penetration testers gain critical foundational skills useful for the rest of the training course. At the end of the module the student will be familiar with Burp Suite and its basic configuration. It is a light but necessary introduction to a heavily practical, advanced training course.

1. Introduction
  1.1. HTTP Protocol Basics
    1.1.1. Header and Body
    1.1.2. Requests
    1.1.3. Responses
  1.2. Encoding
    1.2.1. Introduction
    1.2.2. Charsets
      1.2.2.1. ASCII Charset
      1.2.2.2. Unicode Charset
    1.2.3. Charset vs. Charset Encoding
      1.2.3.1. Encoding in Latin-1
      1.2.3.2. Encoding in Unicode
    1.2.4. Encoding in HTML
    1.2.5. URL Encoding
    1.2.6. HTML Entities (HTML Encoding)
    1.2.7. Base64
  1.3. Same Origin Policy (SOP)
    1.3.1. Introduction
    1.3.2. Origin
    1.3.3. What does SOP protect from?
    1.3.4. How SOP works
    1.3.5. Exceptions
      1.3.5.1. Window.location
        1.3.5.1.1. Examples
        1.3.5.1.2. Security Issues
      1.3.5.2. Document.domain
      1.3.5.3. Cross window messaging
      1.3.5.4. Cross Origin Resource Sharing
  1.4. Cookies
    1.4.1. Cookies Domain
      1.4.1.1. Specified Cookie domain
      1.4.1.2. Unspecified Cookie domain
      1.4.1.3. Internet Explorer exception
    1.4.2. Inspecting the cookie protocol
      1.4.2.1. Correct cookie installation
      1.4.2.2. Incorrect cookie installation
  1.5. Sessions
  1.6. Web Application Proxies
    1.6.1. Burp Proxy Configuration

This module helps penetration testers gain confidence with the processes and legal matters involved in a penetration testing engagement. The student will learn the methodologies and reporting best practices in order to become a confident and professional penetration tester. This is a wealth of information useful throughout the entire career of a penetration tester.

2. Penetration Testing Process
  2.1. Pre-engagement
    2.1.1. Rules of engagement
      2.1.1.1. The goal and scope
        2.1.1.1.1. Goal
        2.1.1.1.2. Scope of engagement
      2.1.1.2. Time-table
      2.1.1.3. Liabilities and responsibilities
        2.1.1.3.1. NDA
        2.1.1.3.2. The Emergency plan
      2.1.1.4. The allowed techniques
      2.1.1.5. The deliverables
  2.2. Methodologies
    2.2.1. PTES
    2.2.2. OSSTMM
    2.2.3. OWASP Testing Guide
  2.3. Reporting

Let the penetration test start. Every penetration test begins with the information gathering phase. This is where a penetration tester understands the application from a functional point of view and collects useful information for the following phases of the engagement. A multitude of techniques will be used to collect behavioral, functional, applicative and infrastructural information. The student will use a variety of tools to retrieve readily available information about the target.

3. Information Gathering
  3.1. Gathering Information on Target
    3.1.1. Finding Owner, IP addresses, Emails
    3.1.2. WHOIS
    3.1.3. DNS
      3.1.3.1. Nslookup
  3.2. Infrastructure
    3.2.1. Fingerprinting the Web Server
      3.2.1.1. Modules
    3.2.2. Enumerating subdomains
      3.2.2.1. Bing
      3.2.2.2. Subdomainer
      3.2.2.3. Zone Transfer
    3.2.3. Finding Virtual Hosts
      3.2.3.1. Hostmap
  3.3. Fingerprinting Frameworks and Applications
    3.3.1. Fingerprinting Third-Party Add-Ons
  3.4. Fingerprinting Custom Applications
    3.4.1. Mapping the Attack Surface
  3.5. Enumerating Resources
    3.5.1. Crawling the Website
    3.5.2. Finding Hidden Files
      3.5.2.1. Back Up and Source Code File
    3.5.3. Enumerating Users Accounts with Burp
    3.5.4. Attack Preparation: Spotting the differences
  3.6. Relevant Information through Misconfiguration
    3.6.1. Directory Listing
    3.6.2. Log and Configuration Files
  3.7. Google Hacking

Coliseum Labs included in this module

The most widespread web application vulnerability will be dissected and studied in all its parts. At first you will be provided with a theoretical explanation. This understanding will help you in the exploitation and remediation process. Later you will master all the techniques to find XSS vulnerabilities through black box testing.

4. XSS
  4.1. Cross site scripting
    4.1.1. Basics
  4.2. Anatomy of an XSS exploitation
  4.3. The three types of XSS
    4.3.1. Reflected XSS
    4.3.2. Persistent XSS
    4.3.3. DOM-based XSS
  4.4. Finding XSS
    4.4.1. Finding XSS in PHP code
  4.5. XSS Exploitation
    4.5.1. XSS, Browsers and same origin policy
    4.5.2. Real world attacks
      4.5.2.1. Cookie stealing through XSS
      4.5.2.2. Defacement
  4.6. Advanced phishing attacks

Coliseum Labs included in this module

This module contains the most advanced techniques to find and exploit SQL injections, from the explanation of the most basic SQL injection up to the most advanced. Advanced methods will be taught with real world examples and the best tools will be demonstrated on real targets. You will not just be able to dump remote databases but also get root on the remote machine through advanced SQL injection techniques.

5. SQL Injection
  5.1. Introduction to SQL Injection
    5.1.1. Dangers of a SQL Injection
    5.1.2. How SQL Injection works
  5.2. How to find SQL injections
    5.2.1. How to find SQL injections
    5.2.2. Finding Blind SQL Injections
  5.3. SQL Injection Exploitation
    5.3.1. Exploiting Union SQL Injections
  5.4. Exploiting Error Based SQL Injections
    5.4.1. Dumping database data
    5.4.2. Reading remote file system
    5.4.3. Accessing the remote network
  5.5. Exploiting Blind SQL Injection
    5.5.1. Optimized Blind SQL Injections
    5.5.2. Time Based SQL Injections
  5.6. Tools
    5.6.1. Advanced SQLmap usage and other tools
    5.6.2. Tools taxonomy

Coliseum Labs included in this module

Session related vulnerabilities will be the subject of this module, with extensive coverage of the most common attack patterns. Code samples on how to prevent session attacks are provided in PHP, Java and .NET. At the end of the module the student will master offensive as well as defensive procedures related to session management within web applications.

6. Session Security
  6.1. Weakness of Session Identifier
  6.2. Understanding Session Hijacking
    6.2.1. Session Hijacking Introduction
    6.2.2. Session Hijacking through XSS
      6.2.2.1. Preventing Session Hijacking through XSS
      6.2.2.2. PHP
      6.2.2.3. Java
      6.2.2.4. .NET
    6.2.3. Session Hijacking through Packet Sniffing
    6.2.4. Session Hijacking through Access to the Web Server
      6.2.4.1. PHP
      6.2.4.2. Java
      6.2.4.3. .NET
  6.3. Session Fixation
    6.3.1. Session Fixation Attacks
    6.3.2. Preventing Session Fixation
      6.3.2.1. PHP
      6.3.2.2. .NET
      6.3.2.3. Java

Coliseum Labs included in this module

Flash, although a dying technology, is still present on millions of websites. Flash files can expose a web application and its users to a number of security risks that will be covered within this module. The student will first study the Flash security model and its pitfalls, then use the most recent tools to find and exploit vulnerabilities in Flash files. After having studied this module, students will never look at SWF files the same way.

7. Flash
  7.1. Introduction
    7.1.1. Actionscript
      7.1.1.1. Compiling and decompiling
    7.1.2. Embedding Flash in HTML
      7.1.2.1. The allowScriptAccess Attribute
    7.1.3. Passing arguments to Flash Files
  7.2. Flash Security model
    7.2.1. Sandboxes
    7.2.2. Stakeholders
      7.2.2.1. Administration Role
      7.2.2.2. User role
      7.2.2.3. Website role
      7.2.2.4. URL policy file
      7.2.2.5. Author role
    7.2.3. Calling Javascript from Actionscript
    7.2.4. Calling Actionscript from Javascript
    7.2.5. Method NavigateToURL
    7.2.6. Local Shared Objects
  7.3. Flash Vulnerabilities
    7.3.1. Flash parameter injection
    7.3.2. Fuzzing Flash with SWFInvestigator
    7.3.3. Finding Hardcoded sensitive information
  7.4. Pentesting Flash Applications
    7.4.1. Analyzing client side components
    7.4.2. Identifying communication protocol
    7.4.3. Analyzing server side components

Coliseum Labs included in this module

Any application with a minimum of complexity requires authentication at some point. Chances are that the authentication mechanisms in place are not sufficient or are simply broken, exposing the organization to serious security issues leading to a complete compromise of the web application and the data it stores. During this module the student will learn the most common authentication mechanisms, their weaknesses and the related attacks, from inadequate password policies to weaknesses in the implementation of common features.

8. Authentication
  8.1. Introduction
    8.1.1. Authentication vs. Authorization
    8.1.2. Authentication factors
      8.1.2.1. Single-factor Authentication
      8.1.2.2. Two-factor Authentication
  8.2. Common Vulnerabilities
    8.2.1. Credentials Over Unencrypted Channel
    8.2.2. Inadequate Password Policy
      8.2.2.1. Dictionary Attack
      8.2.2.2. Brute Force Attack
      8.2.2.3. Preventing Inadequate Password Policy
        8.2.2.3.1. Strong Passwords
        8.2.2.3.2. Storing Hashes
        8.2.2.3.3. Blocking Requests
    8.2.3. User Enumeration
      8.2.3.1. Examples
      8.2.3.2. Taking Advantage of User Enumeration
    8.2.4. Default or (easily) Guessable User Accounts
      8.2.4.1. Typical default credentials
      8.2.4.2. Default User Accounts
    8.2.5. Remember me feature
      8.2.5.1. Cache Browser Method
      8.2.5.2. Cookie Method
      8.2.5.3. Web Storage method
      8.2.5.4. Best defensive techniques
    8.2.6. Password reset
      8.2.6.1. Easily guessable answers
      8.2.6.2. Unlimited Attempts
      8.2.6.3. Password reset link
        8.2.6.3.1. Guessable
        8.2.6.3.2. Recyclable
        8.2.6.3.3. Predictable
      8.2.6.4. Secret questions
    8.2.7. Logout Weaknesses
      8.2.7.1. Incorrect Session Destruction
  8.3. Bypassing Authentication
    8.3.1. Direct page request (Forced browsing)
      8.3.1.1. Best defensive techniques
    8.3.2. Parameter modification
      8.3.2.1. An example of vulnerable web application
      8.3.2.2. Best defensive techniques
    8.3.3. Incorrect Redirection
      8.3.3.1. Using redirect to protect contents
      8.3.3.2. Are the contents really protected?
      8.3.3.3. A typical vulnerable WebApp
      8.3.3.4. Best defensive techniques
    8.3.4. SessionID prediction
    8.3.5. SQL Injection
      8.3.5.1. A vulnerable authentication form
      8.3.5.2. Exploitation through SQL Injection

Coliseum Labs included in this module

This module is an extremely in-depth coverage of all the attack vectors and weaknesses introduced by the new W3C standards and protocols, drafted as well as finalized. We will go through the most important elements of HTML5 and especially the new CORS paradigm that completely changes the way the SOP is applied to most modern web applications. By mastering this module in theory and practice the student will possess an arsenal of penetration testing techniques that are still unknown to the vast majority of penetration testers. A number of Coliseum labs are available to practice all the aspects covered within this module. This module brings penetration testers' skills to the next level with next generation attack vectors that are going to affect web applications for the next decade.

9. HTML5 and New Frontiers
  9.1. Cross Origin Resource Sharing (CORS)
    9.1.1. Same Origin Policy Issue
    9.1.2. Cross-Domain Policy in Flash
    9.1.3. Cross Origin Resource Sharing
      9.1.3.1. Cross Origin Ajax Request
      9.1.3.2. Cross Origin Requests
        9.1.3.2.1. Simple Requests
        9.1.3.2.2. Preflighted requests
        9.1.3.2.3. Request with Credentials
      9.1.3.3. Control Access Headers
        9.1.3.3.1. Header Access-Control-Allow-Origin
        9.1.3.3.2. Header Access-Control-Allow-Credentials
        9.1.3.3.3. Header Access-Control-Allow-Headers
        9.1.3.3.4. Header Access-Control-Allow-Methods
        9.1.3.3.5. Header Access-Control-Max-Age
        9.1.3.3.6. Header Access-Control-Expose-Headers
        9.1.3.3.7. Header Origin
        9.1.3.3.8. Header Access-Control-Request-Method
        9.1.3.3.9. Header Access-Control-Request-Headers
  9.2. Cross Windows Messaging
    9.2.1. Relationship between windows
    9.2.2. Sending Messages
    9.2.3. Receiving Messages
    9.2.4. Security Issues
  9.3. Web Storage
    9.3.1. Different Storages
      9.3.1.1. Local Storage
      9.3.1.2. Session Storage
    9.3.2. Local Storage APIs
      9.3.2.1. Adding an Item
      9.3.2.2. Retrieving an Item
      9.3.2.3. Removing an Item
      9.3.2.4. Removing all Items
    9.3.3. SessionStorage APIs
    9.3.4. Security Issues
  9.4. Web Sockets
    9.4.1. Real Time Applications Using HTTP
    9.4.2. WebSocket
      9.4.2.1. Features
      9.4.2.2. Benefits
      9.4.2.3. APIs
  9.5. Sandboxed frames
    9.5.1. Security Issues before HTML5
      9.5.1.1. Redirection
        9.5.1.1.1. Example
        9.5.1.1.2. Preventing
      9.5.1.2. Accessing the Parent Document from iframe
    9.5.2. HTML5 sandbox attribute

Coliseum Labs included in this module

During this module the student will practice a number of vulnerabilities that, despite being less known or publicized, still affect a number of web applications across many different programming languages and platforms. Advanced clickjacking attacks are covered in depth with real world examples and dissected real world attacks. The level of depth and the amount of practical sessions during this module will provide even seasoned penetration testers with new ways to break the security of their targets.

10. Common Vulnerabilities
  10.1. OWASP A4 - Insecure Direct Object Reference
    10.1.1. Examples
      10.1.1.1. References to file system
      10.1.1.2. References to DB Keys
  10.2. OWASP A8 - Failure to restrict URL access
  10.3. Path Traversal
    10.3.1. Path Convention
      10.3.1.1. Encoding
    10.3.2. Best defensive techniques
  10.4. File Inclusion
    10.4.1. Local File Inclusion
    10.4.2. Remote File Inclusion
  10.5. Unrestricted File Upload
    10.5.1. A vulnerable Web Application
    10.5.2. Best defensive techniques
      10.5.2.1. Filtering based on file content
  10.6. Clickjacking
    10.6.1. Understanding Clickjacking
      10.6.1.1. Feasibility study
        10.6.1.1.1. Case 1: possible
        10.6.1.1.2. Case 2: not possible
      10.6.1.2. Building Malicious Web Pages
      10.6.1.3. Spreading the Malicious Link
      10.6.1.4. Waiting for the victim
      10.6.1.5. Best defensive techniques
        10.6.1.5.1. The Old School
        10.6.1.5.2. HTTP header X-Frame-Options
    10.6.2. Likejacking in Facebook
    10.6.3. Cursorjacking
  10.7. HTTP Response splitting
    10.7.1. A typical Scenario
    10.7.2. XSS through HTTP Response splitting
  10.8. Header Injection
    10.8.1. Bypassing Same Origin Policy
      10.8.1.1. Attack explained
      10.8.1.2. Best defensive techniques
  10.9. Logical Flaws
    10.9.1. A vulnerable Web Application
    10.9.2. Best defensive techniques
  10.10. Denial of Service
    10.10.1. Different DoS Attacks
      10.10.1.1. Request bombing
      10.10.1.2. Greedy Pages
    10.10.2. Best defensive techniques

Coliseum Labs included in this module

Professional penetration testers should master all aspects related to web services testing. Web services are nowadays the data and logic provider for a variety of thin and thick clients, from web application clients to mobile applications. During this highly in-depth module the student will first become familiar with web services paradigms and protocols and then learn all the most important related security issues. WSDL and SOAP testing will be covered not only in theory but also in practice in our Coliseum Lab.

11. Web Services
  11.1. Introduction
  11.2. Why use Web Services
    11.2.1. Standardized Protocols
      11.2.1.1. HTTP
      11.2.1.2. XML
      11.2.1.3. SOAP
    11.2.2. Interoperability between different Applications
    11.2.3. Exposing Services
  11.3. Description of a Web Service
    11.3.1. The WSDL Language
    11.3.2. Interaction between Client and Web Service
    11.3.3. Objects in WSDL 1.1
      11.3.3.1. Binding
      11.3.3.2. PortType
      11.3.3.3. Message
      11.3.3.4. Operation
  11.4. Attacks
    11.4.1. WSDL Disclosure
      11.4.1.1. WSDL Google Hacking
      11.4.1.2. WSDL Scanning
    11.4.2. SOAP Action Spoofing
      11.4.2.1. Pre-requirements
      11.4.2.2. Attack in action
      11.4.2.3. Best defensive techniques
    11.4.3. SQL Injection through SOAP messages
      11.4.3.1. Best defensive techniques

Coliseum Labs included in this module

XPath is the XML standard that allows web applications to query XML databases. In this module the student will learn advanced XPath injection techniques, in theory and in practice in the Coliseum Lab.

12. XPath
  12.1. XML Documents and Databases
  12.2. XPath
  12.3. XPath vs. SQL
    12.3.1. No comment statements
    12.3.2. Case Sensitive
  12.4. Detecting XPath Injection
    12.4.1. Error Based Injection
    12.4.2. Blind Injection
      12.4.2.1. Detect True
      12.4.2.2. Detect False

Coliseum Labs included in this module

In this module the student will learn how to use open source and commercial tools to find and exploit all the vulnerabilities studied and practiced during the training course.

13. VA & Exploitation Tools
  13.1. Acunetix
    13.1.1. VA
    13.1.2. Exploitation
  13.2. Netsparker
    13.2.1. VA
    13.2.2. Exploitation
  13.3. W3af
    13.3.1. VA
    13.3.2. Exploitation
  13.4. BeEF
    13.4.1. Architecture
    13.4.2. User Interface
    13.4.3. Communication Server (CS)
    13.4.4. Zombie
    13.4.5. Hooking Example
      13.4.5.1. BeEF Commands
      13.4.5.2. Browser Commands
      13.4.5.3. Host Commands
      13.4.5.4. Network Commands
      13.4.5.5. Exploits Commands
    13.4.6. XSSrays
    13.4.7. Requester
    13.4.8. Tunneling Proxy
      13.4.8.1. Configuring a tunneling Proxy
    13.4.9. Metasploit Integration

All tools can be practiced within the Coliseum Lab.

About eLearnSecurity

Based in Pisa, Italy, eLearnSecurity is a leading provider of IT security and penetration testing courses for IT professionals. eLearnSecurity advances the careers of IT security professionals by providing affordable top-level instruction. We use engaging eLearning and the most effective mix of theory, practice and methodology in IT security, all with real-world lessons that students can immediately apply to build relevant skills and keep their companies' data and systems safe. For more information, visit http://www.elearnsecurity.com.

2013 eLearnSecurity S.R.L., Via Matteucci 36/38, 56124 Pisa, Italy

http://www.elearnsecurity.com/