SANS Software Security Institute

Security 542: Web App Penetration Testing and Ethical Hacking

Overview

Assess Your Web Apps in Depth

Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited web sites altered by attackers. In this class, you'll learn the art of exploiting web applications so you can find flaws in your enterprise's web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And, you will explore various other web app vulnerabilities in-depth, with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.

On Day 1, we will study the attacker's view of the web. On Day 2, we will analyze the art of reconnaissance, specifically targeted to web applications. We will also examine the mapping phase, when we interact with a real application to determine its internal structure. We will also start the discovery step. During Day 3, we will continue our in-depth discovery using the information we gathered on Day 2. On Day 4 we will continue discovery, focusing on client side portions of the application such as Flash objects and Java applets.

Throughout the class, you will learn the context behind the attacks, so that you intuitively understand the real-life applications of exploitation. In the end, you will be able to assess your own organization's web applications to find some of the most common and damaging web application vulnerabilities today.

By knowing your enemy, you can defeat your enemy. General security practitioners, as well as web site designers, architects, and developers, will benefit from learning the practical art of web application penetration testing in this class.

Web application developers will find that exploring web penetration testing and the vulnerabilities it uncovers will help them as they build applications. While the class does not discuss code or development techniques for fixing the applications, testing for vulnerabilities is just as valuable in preventing these issues.


Laptop Requirements

Minimum hardware requirements:

  • 1GHz processor
  • 512MB RAM (1+GB highly recommended)
  • 3GB free hard disk space
  • CD ROM drive

A laptop with Windows 2000 or XP is required with the latest Service Packs and patches. Windows XP Pro is preferred, but Windows XP Home should work. Do not use server OSes such as Windows 2000 Server or Windows 2003 Server. Please install the following software on the computer:

  • VMware Player or VMware Workstation 5.x or newer (Server and ESX are not supported)
  • Firefox browser (latest version)

Apple laptops are also supported. The student must install VMware Fusion and UnrarX.

You must have the ability to disable the host firewall (Windows firewall or other third-party firewall) and the anti-virus software running on your laptop. This usually means you need administrative privileges on the machine.

DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated.

Day Information

Day 1
Web App Penetration Testing and Ethical Hacking: The Attacker's View of the Web

Understanding the attacker's perspective is key to successful web application penetration testing. We will begin by thoroughly examining web technology, including protocols, languages, clients and server architectures, from the attacker's perspective. In this portion of the class, we will also examine different authentication systems, including Basic, Digest, Forms and Windows Integrated authentication, discussing how servers use them and how attackers abuse them.

Next, we will discuss the four steps that make up our process for conducting web application penetration tests: Reconnaissance, Mapping, Discovery and Exploitation. During the next few days, we will delve into each of these steps more deeply. For the first day, we will review the fundamental principles of each phase, and discuss how we will use them together as a cyclical, repeatable, and as-safe-as-possible attack process. Finally, we will cover the types of penetration testing and the pieces that need to be part of the report.

Topics:

  • Overview of the web from a penetration tester’s perspective
  • Exploration of various servers and clients
  • Discussion of various web architectures
  • Analysis of how session state works
  • Discussion of the different types of vulnerabilities
  • Definition of a web application test scope and process
  • Analysis of the types of penetration testing

Day 2
Web App Penetration Testing and Ethical Hacking: The Attack Process Part 1

On the second day, we will start the actual penetration testing process, beginning with the reconnaissance and mapping phases. Reconnaissance includes gathering publicly available information regarding the target application and organization, identifying the machines which support our target application, and building a profile of each server, including operating system, specific software, and configuration. Our discussion will be augmented by practical, hands-on exercises in which we conduct reconnaissance against an in-class target.

In the mapping phase, we will build a "map" or diagram of the application. In order to do this, we identify the components, analyze the relationship between them, and determine how the pieces work together. We will specifically consider how the session management system works within an application. This will help us identify potential vulnerabilities during the next sections.

Finally, we will start the discovery phase of the penetration test. Here we begin interacting with the sites in order to uncover vulnerabilities that we can leverage during exploitation. We will explore common vulnerabilities in depth, including information leakage, username harvesting, command injection, SQL injection and Blind SQL injection. Then we will delve deeply into Cross-Site Scripting and Cross-Site Request Forgery.

Topics:

  • Discover the infrastructure within the application
  • Identify the machines and operating systems
  • Analyze SSL configurations and weaknesses
  • Explore virtual hosting and its impact on testing
  • Learn methods to identify load balancers
  • Discover software configuration
  • Explore external information sources
  • Study Google hacking methods and tools
  • Learn tools to spider a web site
  • Analyze scripting to automate web requests and spidering
  • Flow charting an application’s logic
  • Analyze relationships within an application
  • Learn methods to discover various vulnerabilities
    • Information Leakage
    • Username Harvesting
    • Command Injection
    • SQL Injection
    • Blind SQL Injection
    • Cross Site Scripting (XSS)
    • Cross Site Request Forgery

Day 3
Web App Penetration Testing and Ethical Hacking: The Attack Process Part 2

In this section, we will continue to explore the discovery phase. We will build upon the discovery started yesterday, exploring methods to find and verify vulnerabilities within the application. The students will also begin to explore the interactions between the various vulnerabilities.

After we cover vulnerabilities, we will explore the different user interfaces that web apps expose to clients. This will include a detailed discussion of Web Services and AJAX, in which we will explore how AJAX and Web service technology enlarge the attack surface that penetration testers leverage. We will also explore how AJAX and Web services are affected by the vulnerabilities already covered.

Throughout the discovery phase, we will explore both manual and automated methods of discovering vulnerabilities within applications, and discuss the circumstances under which each is appropriate.

Topics:

  • Gain a deeper understanding of various attack vectors, including SQL injection, XSS, and Cross Site Request Forgery
  • Explore differences between various data back-ends
  • Analyze fuzzing and various fuzzing tools
  • Discuss the different interfaces web sites contain
  • Understand methods for attacking web services
  • Study methods for testing Web 2.0 and AJAX-based sites
  • Learn how AJAX and Web services change penetration tests

Day 4
Web App Penetration Testing and Ethical Hacking: The Attack Process Part 3

On Day 4, students will start exploring the client-side portions of the web site. We will cover methods to discover vulnerabilities within client-side code, such as Java applets and Flash objects. We will learn how to use tools to decompile the objects and applets to find vulnerabilities. Tools such as Flare and JAD will be used during hands-on exercises.

Students will also come to understand the ways that these client-side components can be used to attack other portions of the network and web application. Students will also use various tools and methods to discover ways of interacting with web applications that bypass these client-side controls.

Topics:

  • Learn methods to decompile client side code
    • Flash
    • Java
    • etc.
  • Explore malicious applets and objects
  • Discover vulnerabilities in web applications through their client components