by Raymond Evans

Web Application Penetration Testing

0% Completed

In this course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

4.25 hours
5 hours
Share this course and earn Cybytes
Course Material
Course Description

Web Application Penetration Testing

In this course, Cybrary subject matter expert, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on and somewhat advanced course that will require that you set up your own pentesting environment. You’re also expected to have a basic understanding of Linux and be comfortable working with the command line.

In addition, you should have familiarity with virtualized environments such as VMWare or VirtualBox and also understand how to configure a browser’s proxy settings. But don’t let these requirements deter you. Rolling up your sleeves and getting down and dirty with the tools of the trade will make you a better web application pentester!

Course Outline:

  • HTTP and HTTPS basics – these protocols are the foundation of communication for web apps and understanding the various requests, responses, and status codes are fundamental to the course. We also examine packet structure and how packets can be manipulated by attackers.
  • Why sites get hacked – sites get hack for a number of reasons. The main ones are because websites provide a large attack surface and the technologies that run on them are subject to common vulnerabilities such as SQLI, XSS, LFI, and RFI. These attack vectors are discussed in greater detail later in the course.
  • Hacker methodology – the steps followed by an attacker which consist of footprinting, scanning, enumeration, gaining access, maintaining access, and covering one’s tracks. A host of essential tools are presented throughout the course that should be in every pentester’s toolbox. Manual and automated approaches are presented for each type of process.
  • SQLI – structured query language injection is a common exploit that takes advantage of improperly-filtered user input. Escape characters such as single and double quotes can then be inserted or “injected” into URL query strings to form basic SQL queries. Such queries can be used to dump a database, modify or delete individual tables or even the entire database!
  • XSS – cross site scripting takes advantage of a client-side vulnerability that allows an attacker to inject code that can execute malicious scripts. Like SQLI, it exploits improperly-filtered user input. The malicious scripts can hijack session cookies and tokens as well as steal other sensitive information from a compromised site.
  • LFI and RFI – local file inclusion and remote file inclusion respectively, are attacks where malicious files are installed on a vulnerable server. One (LFI) performs the exploit locally on the host and the other (RFI) uploads them remotely. Common exploits of this type are backdoors, key loggers, malware distribution, and bots.
  • Reporting best practices – this is what sets straight-up hackers apart from the professionals. Presenting well-written testing plans up front to a client heads off any confusion and ill-will that may result from pentesting. A final report upon the completion of testing details what was done, what vulnerabilities were discovered, and recommendations for how to resolve any vulnerabilities that were found during testing.
Course Badge
What is a Course Badge? Whenever you feel that you have mastered the content of a course, get yourself a nifty course badge to show off your profile.
Current Cybyte Count:
Course Badge: 15 Cybytes
Buy Badge
You need more Cybytes to earn this Course Badge
$ = 25 Cybytes

Download the Course MP3s (300 MB)

Software Development Practice Lab

How do I earn my Certificate of Completion?

1. Complete Web Application Penetration Testing on Cybrary

2. Earn Cybytes by logging in, completing lessons and sharing courses and other content

3. Use your Cybytes to earn your Cybrary verified Certificate of Completion

Have questions? Visit our FAQ page to learn more.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge



Views: 449 / April 21, 2018
Protect Your PC from Attack in 4 Steps
Views: 452 / April 21, 2018
Advanced PDS: OST to PST Converter Solution
Views: 266 / April 21, 2018
XFS File System – RHEL7
Views: 994 / April 20, 2018
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?