Certified Web Application Penetration Tester (CWAP) Indian Cyber Security Solutions - ICSS
Price: INR 14,000

    Course details

    The Certified Web Application Penetration Testing course is regarded as the topmost application penetration testing course in India. With an average 30% rise in cyber-attacks on web-based applications every year, the course helps you understand the new technologies used in web penetration testing and how to use them to protect an organization's websites and applications from being hacked.

    Web-based applications play a very crucial role in an organization, because a customer's first interaction point with the organization is its website and web-based applications. These web applications store very sensitive customer and internal data. Black hat hackers are constantly compromising websites, defacing them and leaking customer credit card details, which incurs huge losses for many companies around the globe.

    The Certified Web Application Penetration Testing course helps students and working professionals understand the flaws in web-based applications and how to exploit them in a real-world scenario. Hands-on practical sessions at our lab equip students and working professionals to report security flaws to their organizations and to implement countermeasures to rectify them.

    Course Content:

    Lesson 1: HTTP Basics

    The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web.

    Lesson 2: OWASP (Open Web Application Security Project)

    The Open Web Application Security Project is an online community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.

    Lesson 3: SQL Injection

    SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a Relational Database Management System - RDBMS). Since an SQL injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

    Lesson 4: Cross Site Request Forgery (CSRF)

    Cross-Site Request Forgery (CSRF) is an attack outlined in the OWASP Top 10 whereby a malicious website will send a request to a web application that a user is already authenticated against from a different website. This way an attacker can access functionality in a target web application via the victim's already authenticated browser. Targets include web applications like social media, in-browser email clients, online banking and web interfaces for network devices.

    Lesson 5: Cross-site Scripting (XSS)

    Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

    Lesson 6: Command Injection

    Command injection can affect any application, independently of the operating system that hosts the application or the programming language in which the application is developed. The impact of command injection attacks ranges from loss of data confidentiality and integrity to unauthorized remote access to the system that hosts the vulnerable application.

    Lesson 7: Directory traversal

    The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site.

    Lesson 8: Input Validation

    Input Validation is the outer defensive perimeter for your web application. This perimeter protects the core business logic, processing and output generation. Beyond the perimeter is everything considered potential enemy territory which is…literally everything other than the literal code executed by the current request.

    Lesson 9: Information leakage

    Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data. Sensitive data may be used by an attacker to exploit the target web application, its hosting network, or its users.

    Lesson 10: Click-Jacking 

    Clickjacking attacks are an emerging threat on the web. In this paper, we design new clickjacking attack variants using existing techniques and demonstrate that existing clickjacking defenses are insufficient. Our attacks show that clickjacking can cause severe damages, including compromising a user's private webcam, email or other private data, and web surfing anonymity. 

    Lesson 11: Web Application Security Controls

    • Application Security - Overview 
    • Threat Modeling
    • Hacker's Approach 
    • Practical Considerations 
    • Case Study 

    Lesson 12: Exploitation and Information Gathering Tools

    • Burp Suite 
    • sqlmap
    • Acunetix
    • Arachni
    • w3af
    • Browser Exploitation Framework (BeEF)

    Updated on 30 October, 2018

    About Indian Cyber Security Solutions - ICSS

    The cyber security scenario has changed dramatically in India in the recent past, and ICSS as an organization caters to the need for technology-based risk management and cyber security solutions in India. By this time it has gathered a good deal of momentum and has reached a distinguished position among the leading firms in this domain in the country. We provide all sorts of solutions to our clients and protect them from the manifold cyber attacks they are exposed to in their day-to-day activities. We assure them an all-round shield against data theft, security breaches, hacking, network vulnerability, virus attacks, system compromise, frauds etc. through our expert solution package of cyber security audit & assurance, I.T. service management, information security and business technology advisory. We have designed and devised a plethora of cyber security solution services taking into account the needs of the hour in the present context. We build up B2C relationships not only by producing solution packages but also by creating a long-standing support system through our talented and dynamic professionals who are committed to the cause. We assure all-round cyber security solutions to our clients in risk management and ensure their protection vis-a-vis optimal sustainable performance. We have been working for the last decade with professionally certified ethical hackers and ISO 27001 auditors.