Practical Web Application Penetration Testing

Practical Web Application Vulnerability Assessment and Penetration Testing with Linux and OWASP Tools

Instructor: Johnny Chuah

Overview

The class session will introduce participants to the concepts, methodologies and tools employed in web application penetration testing. Starting from using automated reports through scanners to more detailed manual testing, analyses of findings, verification and validation through secondary tools, to penetration and execution of exploits to obtain system access and compromise.

Learning Objectives/Outcomes

— Module 1: Lab Setup —

Virtualization: Concepts, use, options, install, setup to local private environment that will have pre-configured virtual machines with applications that participants can connect to for testing and penetration testing.

Applications, Programs, Scripts, Configuration – Download, install, configure tools for class exercise, almost all open source. A couple are trial versions, and may require a quick registration.

— Module 2: Web Application Risks and Vulnerabilities —

HTTP Basics – Basic concepts of web service, HTTP, HTTPS, TCP.

OWASP Top 10, 2017 – Ten Most Critical Web Application Security Risks

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Methodology – Overview of OWASP Web Application Penetration Testing Methodology

https://www.owasp.org/index.php/Web_Application_Penetration_Testing

Tools – OWASP ZAP and Burp Suite Pro – overview of features, use, settings.

— Module 3: Information Gathering / Footprinting —

Using scanners, automated reports to gather information, footprint a system and application.

Analyses of information to get more detailed information, harvest more details, versions, email, passwords, paths…

— Module 4: SQL Injection —

Description and basics of SQL, SQL injection

Identifying web applications with SQL injection vulnerability

Verification and injection

Different examples of SQL injection issues

— Module 5: Cross Site Scripting —

Description and basics of Cross Site Scripting

Identifying web applications with cross site scripting vulnerability

Verification and execution

Variations of cross site scripting

— Module 6: Session Security —

Description and basics of session cookies

Testing session tokens and checking cookie properties

Cookie capturing and session hijacking

— Module 7: Authentication and Authorization —

Using penetration tools for brute forcing web application authentication

Testing for authorization and access control issues

Information leak and social engineering issues

Student Requirements

Have some familiarity with Linux, basic file and script editing, and running and piping commands from the Linux terminal.

What Students Should Bring

Have a laptop with Linux as the main host operating system or within a guest virtual machine. You can have Linux running in VMware, VirtualBox or Hyper-V. Install the OWASP ZAP (Zed Attack Proxy) tool – https://github.com/zaproxy/zaproxy/wiki/Downloads

Instructors

Johnny Chuah has been with MicroSolved, Inc since 2015 as a security engineer. Prior to that, he taught databases, servers and security at Hocking College for 14 years and was an adjunct faculty at Franklin University teaching Windows Administration for 8 years. He is deeply motivated to sharing and helping others be more security aware with networked devices and applications.

Date and Time

October 12, 2018

Morning session: 8:30 AM to 12 at noon
Lunch break: 12:00 to 1:00 PM
Afternoon session: 1:00 PM to 4:30 PM

Registration

Go to registration page to register for the training course and select “Ohio LinuxFest Institute Professional Pass”. During the registration process, you will get an option to select your training program.