SEC542: Web App Penetration Testing and Ethical Hacking
SECTION 1: Introduction and Information Gathering

Understanding the attacker's perspective is key to successful web application penetration testing. The course begins by thoroughly examining web technology, including protocols, languages, clients, and server architectures, from the attacker's perspective. We look at collecting open source intelligence (OSINT), focusing on the data points most likely to make later exploitation successful. We also analyze the importance of encryption and HTTPS, and how to intercept and inspect encrypted traffic during a test.

TOPICS: Overview of the Web from a Penetration Tester's Perspective; Web Application Assessment Methodologies; The Penetration Tester's Toolkit; WHOIS and DNS Reconnaissance; Virtual Host Discovery; Open Source Intelligence (OSINT); The HTTP Protocol; SSL/TLS Configurations and Weaknesses; Interception Proxies; Proxying SSL/TLS Through BurpSuite Pro and Zed Attack Proxy.
SECTION 2: Content Discovery, Authentication, and Session Testing

Section 2 begins with profiling the target(s) to understand the underlying configuration. The collected data is used to build a profile of each server and to identify potential configuration flaws. The discussion is reinforced by several practical, hands-on labs in which we conduct further reconnaissance. The exploitation labs are an opportunity to get deeper hands-on experience with BurpSuite Pro, cURL, and manual exploitation techniques. A properly configured system should also include logging and monitoring so that security-related events are not missed; we will briefly explore logging configuration and basic incident response testing.

TOPICS: Logging and Monitoring; Learning Tools to Spider a Website; Analyzing Website Content; Brute Forcing Unlinked Files and Directories via ZAP and ffuf; Web Authentication Mechanisms; Fuzzing with Burp Intruder; Username Harvesting and Password Guessing; Burp Sequencer; Session Management and Attacks; Authentication and Authorization Bypass; Mutillidae.
SECTION 3: Injection and XXE

After ending Section 2 with authentication bypass, we begin by exploring how web applications track authenticated users and ways to exploit weaknesses in session management. We build on the information identified during the target profiling, spidering, and forced browsing exercises, exploring methods to find and verify vulnerabilities within the application. Students also begin to explore the interactions between the various vulnerabilities. This course section dives deeply into vital manual testing techniques for vulnerability discovery, with a focus on developing in-depth knowledge of interception proxies for web application vulnerability discovery. Many of the most common injection flaws (command injection, local and remote file inclusion, and SQL injection) are introduced and followed with lab exercises to reinforce their discovery and exploitation.

TOPICS: Command Injection; Directory Traversal; Local File Inclusion (LFI); Remote File Inclusion (RFI); Insecure Deserialization; SQL Injection; Blind SQL Injection; Error-Based SQL Injection; Exploiting SQL Injection; SQL Injection Tools: sqlmap; XML External Entity (XXE).
SECTION 4: Cross-Site Scripting, BeEF, and APIs

After ending Section 3 by learning about and exploiting XXE, Section 4 continues exploring exploitation flaws and spends time introducing Cross-Site Scripting (XSS) vulnerabilities, including reflected, stored, and DOM-based XSS. Manual discovery methods are employed during hands-on labs. Section 4 also introduces students to the Browser Exploitation Framework (BeEF), which is used in multiple labs. The course continues with a detailed discussion of AJAX as we explore how it enlarges the attack surface leveraged by penetration testers. We also analyze how AJAX-driven applications are affected by the vulnerabilities already covered in depth earlier in the course.

TOPICS: Cross-Site Scripting (XSS); Browser Exploitation Framework (BeEF); AJAX; XML and JSON; Document Object Model (DOM); API Attacks; Data Attacks; REST and SOAP.
SECTION 5: CSRF, Logic Flaws, and Advanced Tools

During Section 5, we launch actual exploits against real-world applications, expanding our foothold within the application and extending it to the network on which it resides. As penetration testers, we specifically focus on ways to leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of web application penetration testing.

TOPICS: Cross-Site Request Forgery (CSRF); Logic Attacks; Python for Web App Penetration Testing; WPScan; ExploitDB; BurpSuite Pro Scanner; Metasploit; When Tools Fail; Business of Penetration Testing.
SECTION 6: Capture the Flag

During Section 6, students form teams and compete in a web application penetration testing tournament. This NetWars-powered Capture-the-Flag exercise gives students an opportunity to apply their newly developed or further honed skills from throughout the course to answer questions, complete missions, and exfiltrate data. The style of challenge and the integrated hint system allow students of various skill levels to both enjoy a game environment and solidify the skills learned in class.