10151142 Web Application Security
Course Information
Description
This course provides a broad overview of the tools and techniques commonly used for web application security testing. In-depth, hands-on exercises instruct the student in the proper selection and application of a given tool for the intended task. Also included are basic strategies for documenting and reporting on the outcome of the test. The student must demonstrate the ability to plan and execute a basic web security audit in an environment that simulates a common business or organization. Open Source tools include: The BURP suite, Python, etc…
Total Credits
3
Course Competencies
- Install and configure web application and attack environments
  Assessment Strategies: Skill demonstration
  Criteria:
    - you install a Java application server
    - you configure an application server administrative interface
    - you access the application server administrative interface
    - you deploy vulnerable web applications
    - you install a remote attack server
    - you remotely access deployed applications from the attack server
    - you verify successful server and application installation
    - your tasks meet minimum performance levels or above as specified in the course handout
- Analyze web application vulnerabilities
  Assessment Strategies: Skill demonstration, presentation
  Criteria:
    - you identify common web application vulnerabilities, such as XSS, CSRF, and SQL injection
    - you demonstrate web application vulnerability behavior by describing how an attacker would use the vulnerability
    - you verbally present information on web application vulnerabilities, describing what they are and demonstrating the frequency of occurrence, the conditions required for them to occur, and how to defend against them
    - your tasks meet minimum performance levels or above as specified in the course handout
- Perform web application penetration testing – reconnaissance
  Assessment Strategies: Skill demonstration
  Criteria:
    - you install and use tools to identify application target information
    - you use a remote attack server to identify application targets and supporting infrastructure
    - you use network protocols to learn domain names, technical contact information, target IP addresses, and hosts
    - you use external information sources to passively and discreetly learn about targets
    - your tasks meet minimum performance levels or above as specified in the course handout
- Perform web application penetration testing – mapping
  Assessment Strategies: Skill demonstration
  Criteria:
    - you use a remote attack server to complete port scans and fingerprint the supporting operating systems
    - you analyze the application encryption design
    - you analyze virtual hosting and load balancer designs
    - you identify the target components
    - you install and use tools to map application infrastructure and software configurations
    - your tasks meet minimum performance levels or above as specified in the course handout
- Perform web application penetration testing – server-side discovery
  Assessment Strategies: Skill demonstration
  Criteria:
    - you install and use tools to discover server-side application vulnerabilities
    - you execute web application vulnerability scanners and analyze the results
    - you install web browser plug-ins to assist in automated vulnerability identification
    - you attempt server-side vulnerability discovery, such as directory traversal
    - your tasks meet minimum performance levels or above as specified in the course handout
- Perform web application penetration testing – client-side discovery
  Assessment Strategies: Skill demonstration
  Criteria:
    - you install and use tools to discover client-side application vulnerabilities
    - you execute client-side vulnerability scanning and analyze the results
    - you perform business application attacks on a vulnerable web application
    - you perform web services vulnerability attacks on a vulnerable web application
    - your tasks meet minimum performance levels or above as specified in the course handout
- Perform web application penetration testing – exploitation
  Assessment Strategies: Skill demonstration
  Criteria:
    - you install and use tools to exploit vulnerable web applications and verify that vulnerabilities exist
    - you verify that vulnerabilities such as XSS, SQL injection, and CSRF identified in the discovery phases exist
    - you bypass authentication mechanisms in a vulnerable web application
    - you find hidden content and use it in a vulnerable web application
    - you bypass client-side controls to exploit vulnerabilities
    - you perform injection attacks, such as SQL and AJAX JSON injection, in a vulnerable web application
    - your tasks meet minimum performance levels or above as specified in the course handout
- Exploit vulnerable web applications with the Browser Exploitation Framework (BeEF)
  Assessment Strategies: Skill demonstration
  Criteria:
    - you use BeEF to “hook” web applications and take control of them
    - you run BeEF exploitation commands to break into web applications
    - you use BeEF to perform network reconnaissance and mapping
    - your tasks meet minimum performance levels or above as specified in the course handout
- Install and configure a security information and event management (SIEM) system
  Assessment Strategies: Skill demonstration
  Criteria:
    - you install a SIEM appliance
    - you configure the SIEM to monitor a web application environment
    - you test the SIEM deployment by using a remote attack environment to attack the application and monitoring the resulting security alerts
    - your tasks meet minimum performance levels or above as specified in the course handout
- Install and configure a web application firewall (WAF)
  Assessment Strategies: Skill demonstration
  Criteria:
    - you install, configure, and test deployment of a web application firewall
    - you install and configure a proxy server
    - you install and configure a web application firewall
    - you test deployment of a web application firewall
    - you use a remote attack environment to attack a web application and block the attacks with the WAF
    - your tasks meet minimum performance levels or above as specified in the course handout