Security in Web Application Environments (based on OWASP TOP10) (BZP5)

Cybersecurity, ICT Security

This training is discontinued. Its curriculum has been split into two focused courses: network sniffing, scanning and protocol attacks are now part of the Penetration Testing & Ethical Hacking course, while OWASP TOP10-based web application hacking is covered in Secure Software Development (SSDLC).

The syllabus covered practical network analysis and web application security, with hands-on use of Wireshark, Nmap, OpenVAS, ZAP, sqlmap and Kali Linux. The emphasis was on vulnerability discovery, exploit demonstration and checks of secure configuration.

The course:

  • Sniffing and scanning
    1. Basic ARP and DNS cache commands. Sniffing basics on Linux and Windows. Identifying interfaces for sniffing. Basic use of Wireshark/Tshark. Analysis of TCP, UDP and IP. Capturing unencrypted passwords. The client–server network model. Capture and analysis examples for HTTP, ARP, STP, DHCP, RDP, SSL and others. Using Wireshark filters. Demonstrations of protocol abuse with Ettercap and Yersinia.
    2. Introduction to security distributions for pentesting, especially Kali Linux and Samurai. Introduction to intentionally vulnerable distributions such as Metasploitable and deliberately vulnerable web applications. Practical configuration of targets for scanning and attacks.
    3. Explanation of the TCP 3‑way handshake and how remote port and service scanners rely on it. Measuring load and latency. Basics of scanning with Nmap. Detailed analysis of the FTP service.
    4. Scanning over IPv6, ARP, ICMP, UDP and TCP. Using Nmap – basic and advanced scan types against single ports, target groups, etc. Demonstration of advanced Nmap features such as vulnerability scanning (NSE scripts) and source address spoofing.
  • Service enumeration, vulnerability management for web apps, Windows hacking
    1. Using Nmap in multi-target networks. Service identification and OS detection, passive and active, using xprobe2, p0f and Nmap. Detecting load balancers and Web Application Firewalls (WAFs).
    2. Nslookup and enumeration of DNS and NetBIOS. How name caches work and how the /etc/hosts and lmhosts files modify resolution. DNS utilities in Kali Linux and automated external checks (for example DNSstuff).
    3. Commands for working with DHCP and DHCP attack techniques (for example rogue DHCP servers and address-pool exhaustion).
    4. Introduction to vulnerability management. Demonstration of OpenVAS for infrastructure and web application checks. Vulnerability scanners such as N‑Stalker (web-focused), OpenVAS and Nessus. Using independent vulnerability databases. Inventory options via higher-level protocols such as LDAP and SNMP. Detecting load balancers and WAFs.
    5. Windows identities used by services (the Sysinternals logonsessions utility) and demonstrations of Metasploit attacks against Windows and Linux systems. Compromising a Windows workstation with Meterpreter via Armitage.
    6. Password brute-forcing, capturing RDP credentials, a demo of xhydra against FTP and RDP, and cracking Windows LM password hashes.
  • Hacking web applications
    1. Basic tools in the Kali distribution for carrying out OWASP-based checks. Using scanners and tools such as OpenVAS, Zed Attack Proxy, WebScarab and Acunetix to find web application weaknesses.
    2. Introduction to the vulnerable application environments DVWA and Mutillidae. Evaluating the results of web vulnerability scanners (N‑Stalker, Netsparker, Acunetix) against DVWA and Mutillidae. Comparison with the vulnerabilities listed on https://www.skenerwebu.cz/.
    3. Using Wireshark for HTTP and HTTPS analysis. Using intercepting debugging proxies (Fiddler, Charles Web Debugging Proxy) to analyze browser–server communication.
    4. Demonstration and use of Zed Attack Proxy (ZAP). Testing authentication and session management with ZAP.
    5. Demonstrations of SQL injection and shell command injection exploitation. Principles for preventing SQL injection (parameterized queries, input validation). Using sqlmap and phpMyAdmin in the demonstrations.
    6. Abusing and validating user input. Cross‑Site Request Forgery (CSRF) and Cross‑Site Scripting (XSS) attacks.
    7. Checking the HTTPS configuration of web servers with manual Kali tools and online services (SSL Labs, SecurityHeaders.com and others).
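The SQL injection demonstration and the prevention principle from the syllabus, as an added example that is not part of the course material: a login lookup with the user's input spliced into the SQL text, beside the same lookup done with a parameterized query. The in-memory SQLite database, the user records and the two payloads are constructed for the example; the function names are ours.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: input is interpolated into the SQL string,
    so quotes and comment markers in the input change the query's logic."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: the query text is fixed and the values travel as bound
    parameters, so they are compared as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants with a valid credential and two classic payloads."""
    conn = setup_db()
    # Tautology payload: makes the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    # Comment payload: closes the username literal and comments out the
    # password check (SQLite treats '--' as a line comment).
    comment = "alice'--"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_tautology": login_vulnerable(conn, tautology, tautology),
        "vulnerable_comment": login_vulnerable(conn, comment, "wrong"),
        "safe_valid": login_safe(conn, "alice", "correct-horse"),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_comment": login_safe(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable variant returns a user for both payloads without a valid password, which is exactly what sqlmap automates against DVWA and Mutillidae; the parameterized variant returns nothing for either, because the payloads are only ever compared as literal strings.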
Assumed knowledge:
Basic knowledge of TCP/IP, common web technologies and operating systems.
Schedule:
3 days (9:00 AM – 5:00 PM)
Course price:
636.00 € ( 769.56 € incl. 21% VAT)
Selected customer references

SATTURN HOLEŠOV spol. s r. o., Pavel M.
Security in Web Application Environments (based on OWASP TOP10) (BZP5)
"I greatly appreciate the instructor's practical experience."