Web Application Penetration Testing (WAPT) Program details:@ 40 Hrs Hands-on-Practical’s

We can assure you one thing that our course is one of the best in whole world. And we believe in
end to end and complete exposure to all stages of the Penetration testing.

The following are salient features of our course

 Hands on environment for you, to try the attacks (here we use samurai framework)
 Our course concentrates more on a manual approach so that you can test any
application even without any tools however we also teach extensive tools
(about 150+ tools)
 Hands on commercial tools like burp suite pro and Open Source Tools
 Explanation with examples for all the owasp top 10 attacks and techniques
(we also cover most of the SANS TOP 25 ).

Entersoft IT Solutions Labs Pvt Ltd , #103,First Floor,HUDA Maitrivanam,Ameerpet,Hyderabad-38

040-30423415,92915 22006. http://www.entersoftlabs.com. Reach Us: [email protected]
Web Application Penetration Testing (OWASP TOP 10)

Module 1: Introduction To Web application

 What is web application?
 History of Web-Applications
 Existing problems and challenges in present web applications
 Overview of web application defenses
Module 2: Basics
 How a web application works
 Architecture of web applications
 Basics of HTML
 Basics of CSS
 Basics of Javascript
 Basics of any server-side language (PHP/J2EE/ASP.NET)
Module 3: HTTP Protocol
 Overview of RFC 2616
 HTTP Messages & Entities
 HTTP Request
 HTTP Response
 HTTP Status Codes
 Various types of encoding schemes
Module 4: Web servers and clients
 IIS Server
 Apache Server
 Other Servers
 Browsers
 Browser’s same origin policy
 Other Web enabled Clients

Module 5: Server-side and Client-side security controls

 Input Validation
 Output validation (encoding)
 Insufficient input & output validations
 Validation approaches
o White list approach
o Black list approach
 Bypass thin/thick(decompile) client validations
o Flash
o Java
 Leveraging Ajax and web 2.0 in attacks
 Bypass Server-side validations

Entersoft IT Solutions Labs Pvt Ltd , #103,First Floor,HUDA Maitrivanam,Ameerpet,Hyderabad-38

040-30423415,92915 22006. http://www.entersoftlabs.com. Reach Us: [email protected]
Module 6: Types of web application security testing
 Black box testing
 White box tesing
 Grey box testing
 Vulnerability Assessment vs Penetration testing
 Web application penetration test scope and process
 Legalities of the VAPT

Module 7: Reconnaissance
 Foot printing Domain details (whois) - Technicalinfo.net
 OS and Service fingerprinting – Netcraft.com, Banner grabbing, HTTPprint
 Google hacking
 Load balancer Identification
 Spidering a web site (wget, Burp spider)
 Application flow charting
 Relationship analysis within an application
 Software configuration discovery

Module 8: Mastering Burp suite

 Introduction to burp suite
 Configuring burp suite
 Burp proxy
 Burp Spider
 Burp Intruder
 Burp Repeater
 Burp Sequencer
 OWASP Zap Proxy

Module 9: Injections
 SQL Injection
 Blind SQL Injection
 Tools
o Havij
o SQLmap
 Command Injection
 LDAP Injection
 XPATH Injection
 SOAP Injection
 File Includes
 other Injections
 Implications of Injections
 Test methodology for injections
 Remediation’s

Entersoft IT Solutions Labs Pvt Ltd , #103,First Floor,HUDA Maitrivanam,Ameerpet,Hyderabad-38

040-30423415,92915 22006. http://www.entersoftlabs.com. Reach Us: [email protected]
Module 10: Cross-site Scripting
 Reflected XSS
 Stored XSS
 DOM XSS
 Implications of XSS
 Test Methodology for XSS
 Remediations

Module 11: Cross-site Request Forgery

 CSRF with GET method
 CSRF with POST method
 Implications of CSRF
 Test methodology for CSRF
 Remediations

Module 12: Authentication testing

 Introduction to Authentication
 Guessable Passwords
 Failure Messages
 Brute forcing login
 Plain text password transmission
 Improper implementation of forgot password functionality
 Remember Me Functionality
 Guessable User names
 Multi factor authentication flaws
 Fail-Open Login Mechanisms
 Insecure Storage of Credentials
 Remediation’s
 Use Strong Credentials
 Transmit the credentials securely
 Log, Monitor, and Notify

Module 13: Authorization testing

 Introduction to authorization
 Implementation weaknesses in authorization
 Horizontal privilege escalation
 Vertical privilege escalation
 URL, Form, cookie based escalation

Entersoft IT Solutions Labs Pvt Ltd , #103,First Floor,HUDA Maitrivanam,Ameerpet,Hyderabad-38

040-30423415,92915 22006. http://www.entersoftlabs.com. Reach Us: [email protected]
Module 14: SSL & Configuration testing
 Testing SSL / TLS cipher
 Testing SSL certificate validity – client and server
 Infrastructure and Application Admin Interfaces
 Testing for HTTP Methods and XST
 Testing for file extensions handling
 Old, Backup and Unreferenced Files
 Application Configuration Management Testing
Module 15: Session Management testing
 Need for session and state
 Ways to implement state
 how session state work
 What are cookies
 Common Cookies and Session Issues
o Attacks on Cookies and Session
 Session hijacking
 Session Fixation
 Session replay
 Man in the middle
o Cookie / session security
 Http only
 X-Frame-option
 Use of SSL
Module 16: Brute force web applications
 Brute force authentication
 Brute force Authorization
 Brute force web services
 Brute force web server
 Brute force .htaccess
Module 17: Parameter Manipulation
 Query string manipulation
 Form field manipulation
 Cookie manipulation
 HTTP header manipulation
Module 18: Other Attacks
 Sniffing
 Phishing
 Vishing
 D(D)OS Attacks
 Unvalidated Redirects and Forwards

Entersoft IT Solutions Labs Pvt Ltd , #103,First Floor,HUDA Maitrivanam,Ameerpet,Hyderabad-38

040-30423415,92915 22006. http://www.entersoftlabs.com. Reach Us: [email protected]
Module 19: Samurai WTF
 Introduction to Samurai WTF
 Various Tools in Samurai WTF
 Nikto
 w3af
 BeEF Framework
 Fuzzing and JBroFuzz
 DirBuster
 Netcat
 Brutus and Hydra
 Overview of various Proxies (zed, rat, webscarab)

Module 20: Firefox security Add-ons

 Tamper Data
 SQL inject me
 XSS me
 Firebug
 Live HTTP headers
 Foxy Proxy
 Web Developer

Module 21: Automated Scanners

 Acunetix
 IBM App Scan
 Netsparker
 Effectiveness of Automated tools
 Reduction of False positives and false Negatives

Module 22: VAPT Methodologies:

 OWASP
 SANS 25
 WAHH
 OWASP Check-list

Module 23: Reporting

 Importance of documentation
 OWASP Risk rating methodology
 Creating managerial, technical VAPT reports
 Open reporting standards

Entersoft IT Solutions Labs Pvt Ltd , #103,First Floor,HUDA Maitrivanam,Ameerpet,Hyderabad-38

040-30423415,92915 22006. http://www.entersoftlabs.com. Reach Us: [email protected]