Web Application penetration testing and Bug Bounty Course

Name: Web Application penetration testing and Bug Bounty Course
Rating: 3.8 (78 reviews)

Complete Ethical hacking and penetration testing guide to make sure that your web application is secure

Created byIgneus Technologies

Last updated 1/2017

English

What you'll learn

you will be able to apply for Jr. Pentester
Intermediate Bug Bounty hunter
Find and report critical bugs
Prepare Proof of Concepts for bugs
Automate vulnerability searches
Learn about web goat, hackme casino and Kali

Course content

7 sections • 46 lectures • 5h 55m total length

Introduction to the course2:41
This is a complete introduction to Complete web application penetration testing and bug bounty course. In this video I'll walk you through with What each section contains and How will the course progress.
Setting realistic goals with course2:14
With every course, I always says that don't expect magic with any course. Make sure that you understand that course is to guide you, it also need hard work, time and a lot of practice.
Getting ready with tools, softwares and hardware10:08
To get started in Pentesting or penetration testing, we need to collect some tools like kali for attack machine and Virtual machine for virtualization and Dojo as a victim machine. Once we get those operating system and tools, of course for free, then we will move further
How to earn with bug bounty - FAQ5:02
Earning from Bug Bounty is not a new thing for security experts. Infact most of web application security experts are taking this a part time, high revenue generating process. In this video we will learn about right path of getting started with Bug Bounty

what to expect in section 22:01
A quick introduction about what this course contains
Installing DOJO for pentesting9:13
Dojo is one stop solution of having vulnerable testing application. We need to learn a lot of attacks like SQL injection, XSS, session management etc and for each of those we need a loophole in application. Installing this Dojo makes like easy and we can practice all those attacks without worrying about it.
Installing KALI for penetration testing12:18
For any ethical hacker or pentester Kali linux does not require any introduction. This linux distribution is one stop solution for pentesters. Although for web application, we will use it at minimum but without this, we would feel that something is missing from the course.
Tour of Kali tools and services5:45
Kali is a an Operating System with vast number of tools already installed in it. This machine surely require a tour. In Fact, We can create a course on just kali tool tour, but in this case lets just leave it to a small tour to make you friendly with interface
OWASP - introduction6:23
OWASP stands for Open Web application Security Project, it is kind of Holy Bible for web application attacks and precautions. This website is always a GOTO for further reference or more reading material on attacks.

what to expect in section 32:23
A quick introduction about what this course contains
creating files and traveling in linux11:05
Linux training is a must have skills for everyone in the field of IT security. You don't need to be guru or linux administrator for this course but all the linux that you will need for this course is already covered in this course. In this first video we will learn about creating files via command line and traveling in linux.
Exploring linux file system6:58
Linux have a little different file structure than Windows. So this surely requires some understanding like which one is file and which one is directory. Judging just by color is not a good idea in linux as it is opensource and within a few lines of codes it can be changed. So we will learn the right way of understanding it.
Files and persmissions10:46
Not every file in linux can be executable. There are certain permissions in linux that allows us to read, write and execute files. These permissions are usually denotes by numbers like for read - 4, write - 2 and execute - 1.
Linux networking commands7:38
Networking is also an important part of linux. Of course we cannot do penetration testing by staying offline. We will learn about commands like ifconfig and iwconfig. This will help you to get to know you Ip and net card details. Also we will look at Reading manual of any command in linux

what to expect in section 43:08
A quick introduction about what this course contains
Introducing TOR and DARKNET world9:52
TOR Browser is one the many way of getting anonymity in the online world. TOR sends request to other nodes and your request get passed via various nodes. Also, I will introduce you with the world of Darknet.
Proxychains - Multilevel Anonymity13:25
Proxies are a way to hide your location or basically route the entire traffic via a different server. It helps us to improve the anonymity. We will install proxychains and with this we can make n number of stops between the traffic.
MAC address - masking MAC and details12:08
MAC address also know as physical address of your ethernet device or wireless device is your main identity over the internet, apart from IP. We will learn to mask or change the current mac address.
DNSENUM - gathering information15:57
there are many methods to gather information of our client, one of them is DNS enumeration. We also take a look on what is open DNS
Zone transfer Vulnerability5:51
Although, zone transfer vulnerability is very rare to see now a days but still we will look at this vulnerability on a dedicated platform.
DIG - Gather data with dig4:30
DIG is another tool that gives more detail information about DNS information. Let's have a look on DIG tool which ships in Kali linux.
DNSTracer and wireshark basics11:53
DNStracer is the utility which calculates the path of our request to the server and plots it nicely on graphical interface. We will also have a quick look on wireshark.
Dimitry - old still powerfull6:36
Dimitry is a built in tool in kali that gather a lots of information about the company like email ID and DNS information but there are many better tools available now.
Finding emails, subdomain and generating reports11:45
Finding email is one of the important part as it can be later used for social engineering. Also we will look at generating reports.
Assignment and recon6:53
Now that we have talked about a lot of tools, here is the time give you a very small and easy assignment. Also let's have a look on recon-ng

what to expect in section 53:11
A quick introduction about what this course contains
Code quality and source code analysis6:53
Writing secure code seems easy process but it is one of the most challenging task. In this exercise we will explore that how bad code can reveal critical information and can lead to harm the application. Some times even the comments left at development phase does reach to production stage.
OS command Injection9:39
OS Command injection is a serious vulnerability where attacker is able to run system commands from the application. Attacker can even read critical files like shadow or passwd files. We will look and compare secure code vs the vulnerable code.
Basics of Cross Site Scripting10:04
Cross site scripting or XSS is one the most famous and trending attack with modern application. In this video we will refer to a great and precise documentation being put on google site. Although there are not many payload to talk in here but we will point to them as well
Reflected XSS9:36
Reflected XSS is one which does not get store in database and runs only at client side. Running a javascript code in the client browser can harm application a lot. We can get cookies of the viewer or can redirect him to a malicious website, where we can link hooks. We will discuss hooks in advance section
Stored XSS7:14
Stored XSS uses almost the same payload but is more dangerous as payload get stores in database. Now if anyone visits that page, every user will be attacked by that payload. This serious flaw can even damage the credibility of business in long run
Cross site request Forgery11:22
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. This can be seen in banking application or set new password section
SQL injection12:31
The superstar of web application attack is SQL injection. In this attack, attacker tries to run sql commands from the user end and if he gets a success, then he has got a full access to read database. And yep, it is that scary. He can even get access to passwords (If not hashed) or even credit card details or entire email, which is entire business
Upload Vulnerabilities, shell and defacing8:34
Sometimes application needs to collect more info from users like their photos or their resumes or other pdf. In the uploading process application needs to be extra careful as users might upload something malicious. they can upload shells that can take full access over the server
JSON injection and web scarab7:46
This is one great example of JSON injection. Here we will intercept the request between client and server and will edit it on the go. This vulnerability will help us to book cheap tickets and destroy the business logic of the application
DOM based Cross site scripting5:01
DOM or Document Object Model XSS is rarely seen on web application but is equally dangerous. In this video we will learn more about DOM based XSS

BeEF and XSS automation and PoC9:07
When we talk about Cross site scripting aka XSS sometimes companies asks for Proof of concepts and more attack scope. BeEF is one such tool that is one stop solution for exploiting XSS to next level. Let's explore BeEF automation tool
SQLi Lab setup and 5 hour of free resource on sql injection10:10
Sql injection is the most common attack and many application are still vulnerable to it. This is the most deadliest attack as attacker gets entire access to database. It this video we will talk about it and will point out to a FREE resource to learn more about sql injection. Yep, totally free and no need to even signup
SQLMap and error based injection8:32
SQLmap is a great tool for automating various tasks of sql injection. Specially for error based injections this tool is great and works as smooth as butter. We will learn about all the commands, opening manual for sqlmap and will try it over an error based injection
Time based and blind sql injection8:00
Time based injection is based on the fact that sometime a full error is not shown on the page and rather we have to work on true or false based results. This is very difficult for a normal user but with tools like sqlmap, we can work on it without breaking the head in wall
Forgot password vulnerability4:37
Forgot password is the common feature and almost must have in every web application. But in many web application, we don't restrict users for number of attempts for answering questions. This video is perfect example of such situation
Session mismanagement flaws6:41
In some cases, we can force session IDb to be created by providing it. In this case we will force a user to visit bank login and inject session id, later we will use same ID to login into his/her session

Introducing Hackme casino8:11
So, we have talked about Damn Vulnerable web application, but after practicing over it you might be wondering if you could have more such apps to test our skills, here is the answer of this question. We will introduce you with Hackme casino, that has lot of entertainment and bugs.
HackMeCasino Vulnerabilities6:31
There are a lots Vulnerabilities and loopholes in hack me casino. Although, we will talk about few of them like SQL Injection and session mis management but this application is for you to apply all the attacks that you have learned in this course.
Assignment - Cheese app test bed4:35
This cheesy vulnerable web application is there for you do whatever you wish to do with it, in terms of attacks and exploitation. It is specially designed to leave some loopholes for practice purposes. As soon as you find some vulnerability in application, please post in the Q/A section to showoff. Yep, we need you to do that
Thanking note0:13

Requirements

Use computers at basic level
Basic understanding of working of websites
Windows and MAC, both are good for this course

Description

Welcome to Web application penetration testing and bug bounty course. A course that teaches you practically, about web application security, protecting your websites from attacks and reporting bugs for reward money, if you found one.

Every single day, you read this in news, linkedin was attacked, Yahoo was attacked and have asked users to change their passwords. Cyber security is next Big thing. Every month thousands of people are learning about web app development and yet only a few are learning to secure those applications

We have designed this course, so that you can learn to secure web application. Regardless that you know, How to design one or not, these skills will help you to run various tests and enhance security of web apps. By the end of this course, you will able to apply for Junior web application pen tester, A complete independent bug bounty hunter and secure web developer.

In this course we will learn to install our own labs to do pentesting. We will walk you through with OWASP, top vulnerabilities like sql injection, Cross site scripting, session management flaws and various others. Also we will give you enough challenges to practice along.

Ideal student for this course is one who is interested in Web application security, Bug bounty and developers who want to secure their web apps.

Our goal with this course is to create more security experts so that these incidents can be minimised. It used to be time when banks were attacked, now everything is online and so is the money and attackers. Every web application developers should have skills to secure web application. In fact, development should be a process with constant involvement of cyber security experts.

Join us in this goal of creating secure cyber space. This course is great starting point to earn some good bounties with bugs. Take a look at some free previews and See You Inside Course.

Who this course is for:

interested in securing your web application
Interested in Becoming Bug bounty hunter
web developers
Ethical hacker
pentesters

Web Application penetration testing and Bug Bounty Course

What you'll learn

Explore related topics

Course content

Getting started in Web Application pentesting4 lectures • 20min

Clearing up our Vocab of web application pentesting5 lectures • 36min

Linux - Getting started and must have basics5 lectures • 39min

Prepare yourself before Pentesting11 lectures • 1hr 42min

OWASP - Vulnerability practicals and Safeguards11 lectures • 1hr 32min

Advance attacks and automation6 lectures • 47min

Home labs - Hack me casino and others4 lectures • 20min

Requirements

Description

Who this course is for: