Practical Web Application Penetration Testing

Practical Web Application Vulnerability Assessment and Penetration Testing with Linux and OWASP Tools

Instructor: Johnny Chuah

Overview

The session introduces participants to the concepts, methodologies and tools used in web application penetration testing. It progresses from automated scanner reports to detailed manual testing, analysis of findings, verification and validation with secondary tools, and finally to executing exploits to gain access to and compromise the target system.

Learning Objectives/Outcomes

— Module 1: Lab Setup — 
Virtualization: concepts, use and options; installing and setting up a local private lab environment with pre-configured virtual machines running the applications that participants will test and attack.
Applications, programs, scripts and configuration: downloading, installing and configuring the tools used in the class exercises. Almost all are open source; a couple are trial versions and may require a quick registration.
— Module 2: Web Application Risks and Vulnerabilities —
HTTP Basics – Basic concepts of web service, HTTP, HTTPS, TCP.
OWASP Top 10, 2017 – Ten Most Critical Web Application Security Risks

Methodology – Overview of OWASP Web Application Penetration Testing Methodology

Tools – OWASP ZAP and Burp Suite Pro – overview of features, use, settings.
— Module 3: Information Gathering / Footprinting —

Using scanners and their automated reports to gather information and footprint a system and its application.

Analysing that information to harvest further details: software versions, email addresses, passwords, paths…
— Module 4: SQL Injection —
Description and basics of SQL, SQL injection
Identifying web applications with SQL injection vulnerability
Verification and injection
Different examples of SQL injection issues
— Module 5: Cross Site Scripting —
Description and basics of Cross Site Scripting
Identifying web applications with cross site scripting vulnerability
Verification and execution
Variations of cross site scripting
— Module 6: Session Security —

Description and basics of session cookies

Testing session tokens and checking cookie properties
Cookie capturing and session hijacking
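As an added example for the cookie-property checks in this module (it is not part of the course material), the script below parses a few constructed Set-Cookie headers, the way a proxy such as ZAP would show them, flags missing Secure, HttpOnly and SameSite attributes and persistent session cookies, and applies a rough single-sample entropy estimate to the token value. The sample headers, cookie names and the 64-bit threshold are assumptions chosen for illustration.

```python
"""Check session cookies for the properties a pentester looks for.

Added example for the Session Security module; not course material from
the original page. The Set-Cookie headers below are constructed sample
input (assumed), not captured from any real application.
Requires Python 3.8+ (SameSite support in http.cookies).
"""
import math
from collections import Counter
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, one per response, as a proxy would list them.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=1A2B3C4D5E6F; Path=/; HttpOnly",
    "sid=f3a9c10e7b5d42862b9e0f6c4a8d7135; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth=admin; Path=/; Max-Age=2592000",
    "pref=abc; Path=/; SameSite=None",
]


def token_entropy_bits(token: str) -> float:
    """Shannon entropy of one token value in bits (per-character entropy times length).

    A single-sample estimate: it catches short or repetitive values, not a
    predictable generator. For a real test, collect many tokens and run
    Burp Sequencer or an equivalent statistical test over them.
    """
    if not token:
        return 0.0
    n = len(token)
    counts = Counter(token)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def audit_set_cookie(header: str, min_token_bits: int = 64) -> dict:
    """Parse one Set-Cookie header and return the cookie name, value and findings."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError(f"expected exactly one cookie in header: {header!r}")
    name, morsel = next(iter(jar.items()))
    findings = []
    samesite = str(morsel.get("samesite", "")).lower()
    if not morsel["secure"]:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: readable from script, so XSS leads to session theft")
    if not samesite:
        findings.append("missing SameSite: CSRF protection depends on browser defaults")
    elif samesite == "none" and not morsel["secure"]:
        findings.append("SameSite=None without Secure: modern browsers reject the cookie")
    if morsel["expires"] or morsel["max-age"]:
        findings.append("persistent cookie: session survives browser close")
    bits = token_entropy_bits(morsel.value)
    if bits < min_token_bits:
        findings.append(f"low token entropy: ~{bits:.0f} bits, below {min_token_bits}")
    return {"name": name, "value": morsel.value, "entropy_bits": bits, "findings": findings}


def audit_all(headers=SAMPLE_SET_COOKIE):
    """Audit every header in the list and return one result dict per cookie."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_all():
        status = "OK" if not result["findings"] else "WEAK"
        print(f"{status:4} {result['name']}")
        for finding in result["findings"]:
            print(f"       - {finding}")
```

Run it with python3 on the Linux lab host. For real testing, feed it the Set-Cookie headers captured in the proxy history, and keep in mind that one sample says nothing about predictability across tokens; that is what Sequencer-style tests on a large collection of tokens address.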
— Module 7: Authentication and Authorization —
Using penetration tools for brute forcing web application authentication
Testing for authorization and access control issues
Information leak and social engineering issues

Student Requirements

  • Have some familiarity with Linux, basic file and script editing, and running and piping commands from the Linux terminal.

What Students Should Bring

  • Bring a laptop with Linux as the host operating system or running in a guest virtual machine (VMware, VirtualBox or Hyper-V). Install the OWASP ZAP (Zed Attack Proxy) tool beforehand – https://github.com/zaproxy/zaproxy/wiki/Downloads

Instructors

Johnny Chuah has been with MicroSolved, Inc since 2015 as a security engineer. Prior to that, he taught databases, servers and security at Hocking College for 14 years and was an adjunct faculty member at Franklin University teaching Windows Administration for 8 years. He is deeply motivated to share with and help others become more security aware with networked devices and applications.

Date and Time

October 12, 2018

  • Morning session: 8:30 AM to 12:00 noon
  • Lunch break: 12:00 to 1:00 PM
  • Afternoon session: 1:00 PM to 4:30 PM

Registration

Go to the registration page, register for the training course and select “Ohio LinuxFest Institute Professional Pass”. During registration you will be given the option to select your training program.