Web Application Penetration Testing with OWASP 2021
This is a fundamentals course for those interested in finding out how to start analysing and penetration testing a web application.
Engagement
In this section we learn how to ensure that the boundaries of the testing are properly defined, that permissions are obtained, and that the scope of the testing engagement is communicated to all parties.
Identifying Targets and Users
How do attackers know who the users of a website are? How easy is it to push the website into disclosing sensitive information? In this session we use OSINT (Open Source Intelligence) tooling to attempt to gain an understanding of the public profile of the application and its users.
Footprint and Discovery
Before any effective testing can take place it is important to understand the environment the application is hosted in. The web application should be analysed to identify its structure and content, the results reviewed, and the application then scanned.
User Controls, Authentication and Session
After analysing the web application’s login options we will begin to use our toolset to bypass login controls, brute force access and manipulate sessions and cookies.
Automating Attacks on Databases, Encrypted and Hashed Resources
Learn how to use tools to crack encrypted and hashed passwords and other secured resources, and to find database vulnerabilities in the application’s data stores.
Input Validation
The weakest part of any application is its need to accept data input. We will attempt to identify vulnerabilities in an application by intercepting and manipulating data, using fuzzing techniques and other methods to identify weaknesses.
Hosting Vulnerabilities
In this session we will look at the most common vulnerabilities in hosted environments and how to identify them.