Developer 538 :: Web Application Pen Testing Hands-On Immersion
Overview
In the first half of 2008, five million Web sites were compromised by automated SQL injection attacks. The goal of the attackers was to inject links to malicious content in order to infect the users of the Web application. These automated attacks show no sign of stopping and will likely visit your Web applications in the near future. Don't want to be a part of the statistics? Performing runtime testing is essential to making your Web site secure. Security 538 is a two-day course focusing on up-to-date, hands-on testing aspects of Web application security.
This fast-paced course is ideal for students who have a basic understanding of Web application security vulnerabilities and testing methodologies and are looking to upgrade and refresh their skill set in pen testing Web applications. It is also well suited to infrastructure pen testers who are expanding their testing scope to Web applications. If you are going to be testing Web applications in the next few months, this course will help you brush up on your Web application security testing knowledge and give you confidence, knowing that you have the hands-on experience to perform testing against common vulnerabilities.
This action-packed two-day course has a strong hands-on focus, with exercises designed to give you practice and experience with real-world vulnerabilities. Throughout the two days, you will be using the various testing concepts to test vulnerable Web applications. The target applications are as realistic as possible. The labs are structured so that both novice and intermediate students can enjoy the learning experience.
Here is a sampling of the testing exercises we cover:
- Web Fingerprinting
- Input Manipulation
- Blind SQL Injection
- Non-obvious Session Issues
- Brute Forcing Credentials
- Cross-Site Scripting
- Code Review
Laptop
Laptop Required
Students attending this course are required to bring their own, properly configured laptops. There is not enough time in class to help you set up your laptop; it must be properly installed and configured before you come to class.
Minimum hardware requirements:
- 1GHz processor
- 512MB RAM (1GB highly recommended)
- 3GB free hard disk space
- CD-ROM drive
- An unused USB slot
A laptop with Windows 2000, XP, or Vista is required with the latest Service Packs and patches. You should install the following software on the computer:
- Java Runtime Environment (JRE) - please download from http://www.sun.com
- Firefox browser (version 2) - DO NOT install version 3
- Microsoft .NET framework runtime 1.1 (some of the testing tools require it)
- Install Switchproxy extension in Firefox (see below)
Please install VMware Player or VMware Workstation on the laptop. (GSX and ESX will not work.) VMware Player can be downloaded for free at http://www.vmware.com.
Switchproxy is a Firefox extension and can be installed from https://addons.mozilla.org/en-US/firefox/addon/125. Open the URL in Firefox 2 and then click the "Add to Firefox" button on the page.
At the beginning of class you will be given a bootable Linux CD. This CD will be booted within VMware as a virtual machine. You must have the ability to disable the host firewall (Windows Firewall or any third-party firewall) and the anti-virus software running on your laptop, which usually means you need administrative privileges on the machine. The Windows host and the Linux guest need to talk to each other through the VMware network interface; a firewall could block this communication and cause some of the exercises to fail.