Web Application Security: Beginner Edition

A beginner-friendly introduction to the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities, where you will build a solid foundation in pentesting modern web applications with different attack tools.
Starts: 03 July 2021  Duration: 4 weeks
Recordings of live sessions included!

What You'll Learn

Web application security is as old as the web itself, but many web applications are now deployed in the cloud. This bootcamp lets you practice attacks on real-world web applications and teaches the subtle differences between pentesting traditional and cloud-based applications.

Throughout the 4 weeks, you will learn WebApp basics, OWASP Top 10 vulnerabilities and more, all via hands-on practice in our labs.

End the bootcamp with skills that are immediately usable in real-life engagements, and get prepared to earn the PAWASP certification.
  • 4 Live Sessions
  • 2.5 hrs per session
  • Over 50 Lab Exercises
  • 1 PAWASP Attempt
  • Recordings of Live Sessions

Build Your Cybersecurity Credentials

  • Become a Pentester Academy WebApp Security Professional (PAWASP)

The PAWASP is getting a lot of traction in cybersec circles – with the ubiquity of web applications, understanding their security and being able to audit them is a critical skill all security professionals should possess. This certification gives you a solid foundation for starting any career that will require skills in pentesting modern web applications for the OWASP Top 10 security vulnerabilities.
  • Bootcamp Completion Certificate

Attendees will also get a course completion certificate after attending all 4 live sessions.

Live Session Schedule

Weekly 2 hr 30 min sessions start at 12:00pm ET and end at 2:30pm ET.
  • 3 July 2021: WebApps, Protocol Basics, Tools of the Trade
  • 10 July 2021: OWASP Top 10 Part I
  • 17 July 2021: OWASP Top 10 Part II
  • 24 July 2021: OWASP Top 10 Part III and Case Studies

Prerequisites

1. A basic knowledge of computers and networking
2. Familiarity with the Linux operating system

Bootcamp Syllabus

Module I: Modern Web Applications and Protocol Basics

Learn the building blocks of web applications and how everything works behind the scenes, including HTTP methods, web design patterns, and client- and server-side components. Understand modern deployment architectures such as single-page applications, microservices and serverless.
  • Client-side Languages and Concepts
  • Server-side Concepts
  • Web Servers
  • Web Communication - HTTP
      • HTTP request methods (verbs)
      • HTTP response codes
      • HTTP headers and security
      • HTTP access control
      • HTTP authentication
      • HTTP cookies
      • HTTPS vs HTTP
  • Data Storage - Database Servers
      • SQL
      • NoSQL
  • Web Application Architecture
      • Monolithic architecture
      • Single page applications
      • Microservices
      • Serverless architecture
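The "HTTP headers and security" and "HTTP cookies" topics above come down to a small set of attributes a tester checks on every Set-Cookie header. As an added example (not part of the bootcamp's lab material), the following script parses Set-Cookie headers and reports the missing or weak attributes; the three sample headers are constructed for this example and do not come from any real site.

```python
# Added example (not part of the bootcamp material): a small auditor for
# Set-Cookie headers that flags the security attributes a pentester checks
# first. The sample headers below are constructed for this example.
from typing import Dict, List

SAMPLE_SET_COOKIE_HEADERS = [
    # constructed sample responses; not captured from any real site
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=xyz789; Path=/",
    "prefs=dark; Domain=.example.com; Path=/; Secure; SameSite=None",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into its name/value pair and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to an empty string. The cookie name is stored under "name" and
    its value under "value".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(header: str) -> List[str]:
    """Return a list of findings for one Set-Cookie header (empty means fine)."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in cookie:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly: readable by injected JavaScript")
    same_site = cookie.get("samesite", "").lower()
    if same_site == "none":
        findings.append("SameSite=None: sent on cross-site requests")
    elif same_site not in ("lax", "strict"):
        findings.append("SameSite not set: relies on browser defaults")
    if "domain" in cookie:
        # An explicit Domain attribute makes the cookie visible to every
        # subdomain, so a compromised subdomain can read or overwrite it.
        findings.append(f"Domain={cookie['domain']}: shared with all subdomains")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit several Set-Cookie headers, keyed by cookie name."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(name, findings or ["ok"])
```

Run it as-is to see the three sample cookies audited; in an engagement, feed it the Set-Cookie headers captured by your proxy. The check is deliberately strict about SameSite: an absent attribute is reported even though current browsers default to Lax, because the application should not depend on client defaults.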

Module II: Reconnaissance Basics

Learn how to perform reconnaissance on a network, identify live hosts, and fingerprint the services running on machines.
  • Domain Reconnaissance
      • Whois lookup
      • DNS reconnaissance
  • Network Scanning and Live Host Identification
      • Open Ports and Running Services
      • Identifying Architectures, Operating Systems and Frameworks
  • Spidering/Crawling Websites
  • Performing Directory Enumeration
  • Discovering Protected Resources

Module III: Tools of the Trade

Learn how to use popular open source tools for reconnaissance, intercepting and modifying traffic, and automating attacks.
  • Enumerating Common/Framework-specific Directories
      • DIRB
      • DirBuster
      • Burp Suite
      • OpenDoor
  • Crawling Web Pages
      • ZAP
      • HTTrack
      • Burp Suite
  • Identifying Web Application Vulnerabilities with Scanners
      • Nikto
      • OpenVAS
      • Wapiti
      • Vega
      • OWASP OWTF
      • XSS Scanner
      • XSSer
  • Attacking Database Servers
      • sqlmap
      • jSQL
      • BBQSQL

Module IV: OWASP Top 10

Familiarize yourself with the OWASP Top 10 (2017 edition), OWASP's ranking of the most critical web application security risks. Learn each category through practical hands-on labs, using both manual methods and tool-based automation where applicable.
  • A1 Injection
      • SQL Injection
      • NoSQL Injection
      • OS Command Injection
      • Code Injection
  • A2 Broken Authentication
      • Weak Credentials
      • Default Credentials
      • SQL Injection (login bypass)
      • Cookie Manipulation
      • Parameter Tampering
  • A3 Sensitive Data Exposure
      • Plain Text Transmission (HTTP/FTP/SMTP)
      • Presence of .git Directory
      • Presence of Debugging Utilities
      • Installation Files/README
      • Backup Directory/Log Directories
      • Lack of Custom Error Pages
  • A4 XML External Entities (XXE)
      • Classic XXE
      • Error Based XXE
      • Blind XXE
  • A5 Broken Access Control
      • Path Traversal
      • Remote File Inclusion
      • Insecure Direct Object Reference
      • Client-Side Checks
      • Missing/Improper Function Level Access Control
      • Missing HTTP Method-specific Access Control on Resources
      • CORS Misconfiguration
  • A6 Security Misconfiguration
      • Management Applications with Weak/Default Credentials
      • Directory Listing Enabled
      • Disabled Security Features
      • Poor Error Handling
  • A7 Cross-Site Scripting (XSS)
      • Reflected Cross-Site Scripting
      • Stored Cross-Site Scripting
      • DOM Based Cross-Site Scripting
  • A8 Insecure Deserialization
      • Remote Code Execution
      • Denial of Service
  • A9 Using Components with Known Vulnerabilities
  • A10 Insufficient Logging & Monitoring
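One of the A5 items above, "Missing HTTP Method-specific Access Control on Resources", is easiest to see in code. As an added example (written for this page, not taken from the bootcamp labs), the toy dispatcher below shows an admin resource whose authorization check was written with GET in mind, so a DELETE on the same path is never checked, next to the corrected form that authorizes the resource before looking at the method. The routes, the role map (only "alice" is an admin) and the sample requests are all constructed assumptions.

```python
# Added example (not course lab code): a toy request dispatcher that shows
# A5's "missing HTTP method-specific access control" and the corrected form.
# Routes, roles and requests are all constructed for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed role map: only "alice" is an administrator (assumption).
ROLES = {"alice": "admin", "bob": "user"}

ADMIN_PREFIX = "/admin/users/"


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: Optional[str]  # None means unauthenticated


def is_admin(user: Optional[str]) -> bool:
    return ROLES.get(user or "") == "admin"


def handle_vulnerable(req: Request) -> int:
    """Return an HTTP status. The admin check only guards GET, so DELETE on
    the same resource is reachable by any caller, including anonymous ones."""
    if req.path.startswith(ADMIN_PREFIX):
        if req.method == "GET":
            return 200 if is_admin(req.user) else 403
        if req.method == "DELETE":
            return 204  # destructive action with no authorization check
    return 404


def handle_hardened(req: Request) -> int:
    """Authorize the resource before dispatching on the method, and reject
    methods that are not explicitly allowed instead of falling through."""
    if req.path.startswith(ADMIN_PREFIX):
        if not is_admin(req.user):
            return 403  # one check covers every method on the resource
        if req.method == "GET":
            return 200
        if req.method == "DELETE":
            return 204
        return 405  # explicit allow-list of methods
    return 404


def compare(requests: List[Request]) -> List[Tuple[str, Optional[str], int, int]]:
    """Run each request through both dispatchers: (method, user, vulnerable, hardened)."""
    return [(r.method, r.user, handle_vulnerable(r), handle_hardened(r)) for r in requests]


SAMPLE_REQUESTS = [  # constructed test traffic
    Request("GET", "/admin/users/7", "bob"),
    Request("DELETE", "/admin/users/7", "bob"),
    Request("DELETE", "/admin/users/7", None),
    Request("DELETE", "/admin/users/7", "alice"),
    Request("PATCH", "/admin/users/7", "alice"),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_REQUESTS):
        print(row)
```

When testing for this class of bug, replay every request that returned 403 with the other methods (DELETE, PUT, PATCH, and also HEAD and OPTIONS) and compare the status codes; a 2xx on any of them is the finding. The hardened dispatcher also answers 405 for methods it does not handle, which is what the "Missing/Improper Function Level Access Control" item expects rather than a silent fall-through.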

Module V: Real World Attacks

Work through case studies of well-known real-world attacks, understand the root cause of each vulnerability, and see how attackers exploited it.
  • Case Studies
      • Laravel Unserialize RCE (CVE-2018-15133)
      • Rails DoubleTap RCE (CVE-2019-5418, CVE-2019-5420)
      • jQuery-File-Upload (CVE-2018-9206)
      • Drupalgeddon2 (CVE-2018-7600)
Meet the instructor

Jeswin Mathai

He has published his work at DEFCON China, RootCon, Black Hat Arsenal, and DEFCON Demo Labs. He has also been a co-trainer in classroom trainings conducted at HITB, RootCon and OWASP NZ Day. He holds a Bachelor's degree from IIIT Bhubaneswar, where he was the team lead at the InfoSec Society IIIT Bhubaneswar, which, in association with CDAC and ISEA, performed security audits of government portals and conducted awareness workshops for government institutions. His areas of interest include malware analysis and reverse engineering, cryptography, WiFi security, and web application security.
