Free Course

Web Application Penetration Testing

time4.25 Hours
ceu5 CEU/CPE
Raymond Evanss profile image
Cyberspace Defense Operations at United States Air Force

Web Application Penetration Testing
Course Intro
In this course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.
Course Description

Web Application Penetration Testing

In this course, Cybrary subject matter expert, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on and somewhat advanced course that will require that you set up your own pentesting environment. You’re also expected to have a basic understanding of Linux and be comfortable working with the command line.

In addition, you should have familiarity with virtualized environments such as VMWare or VirtualBox and also understand how to configure a browser’s proxy settings. But don’t let these requirements deter you. Rolling up your sleeves and getting down and dirty with the tools of the trade will make you a better web application pentester!

Course Outline:

  • HTTP and HTTPS basics – these protocols are the foundation of communication for web apps and understanding the various requests, responses, and status codes are fundamental to the course. We also examine packet structure and how packets can be manipulated by attackers.
  • Why sites get hacked – sites get hack for a number of reasons. The main ones are because websites provide a large attack surface and the technologies that run on them are subject to common vulnerabilities such as SQLI, XSS, LFI, and RFI. These attack vectors are discussed in greater detail later in the course.
  • Hacker methodology – the steps followed by an attacker which consist of footprinting, scanning, enumeration, gaining access, maintaining access, and covering one’s tracks. A host of essential tools are presented throughout the course that should be in every pentester’s toolbox. Manual and automated approaches are presented for each type of process.
  • SQLI – structured query language injection is a common exploit that takes advantage of improperly-filtered user input. Escape characters such as single and double quotes can then be inserted or “injected” into URL query strings to form basic SQL queries. Such queries can be used to dump a database, modify or delete individual tables or even the entire database!
  • XSS – cross site scripting takes advantage of a client-side vulnerability that allows an attacker to inject code that can execute malicious scripts. Like SQLI, it exploits improperly-filtered user input. The malicious scripts can hijack session cookies and tokens as well as steal other sensitive information from a compromised site.
  • LFI and RFI – local file inclusion and remote file inclusion respectively, are attacks where malicious files are installed on a vulnerable server. One (LFI) performs the exploit locally on the host and the other (RFI) uploads them remotely. Common exploits of this type are backdoors, key loggers, malware distribution, and bots.
  • Reporting best practices – this is what sets straight-up hackers apart from the professionals. Presenting well-written testing plans up front to a client heads off any confusion and ill-will that may result from pentesting. A final report upon the completion of testing details what was done, what vulnerabilities were discovered, and recommendations for how to resolve any vulnerabilities that were found during testing.
Complete this course and earn a Web Application Penetration Testing Certificate of Completion
Complete this course and add the Web Application Penetration Testing course badge to your profile

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?