What you'll learn

Understand and perform the basic steps in order to performa penetration testing of a web application
Understand web application's security principles and potential dangers
Be able to gather information about your target
You will learn how to find vulnerabilities in your target web application
Exploit found vulnerabilities and get control over remote servers
Understand the penetration testing process
As a web application developer you will understand how to secure your application

Course content

11 sections • 46 lectures • 9h 23m total length

Introduction1:14
About myself and this course
Core Problems - Why Web Security7:33
In this video are presented most why web application security is so important and how they developed over the years
Web Technologies30:00
You will familiarise yourself with web technologies. It is important to have a good foundation before going forward.
Preparing the Lab Environment8:31
You will be guided trough the step required to install required tools and services in order to create a testing lab.
Information Gathering using Search Engines and Social Networks - part 112:58
Information Gathering using Search Engines and Social Networks - part 217:17
Join Our Online Classroom!0:54

What Web Application Mapping Means16:00
Understand the process and the need of mapping a web application.
Usernames and Passwords Brute-Forcing using Burp14:53
Learn how to use burp in order to brute-force usernames and password within your testing environment.
Spider and Analyze a Website using Burp5:26
A demo showing how to discover a web application resources.
Brute-frocing Web Resources using Dirb and Dirbuster10:38
A demo showing how to discover a web application resources, including the one that are not linked within the website.

Theoretical Overview of Attacking Authentication and Session Management33:00
A good overview of how authentication and session management works.
Session Hijacking trough Man In The Middle Attack11:05
Perform a man-in-the middle attack and capture authentication details of the computer in the same LAN. Test it in the lab environment.
Intercept and access traffic over HTTPS. Get Facebook or Gmail Passwords8:56
Intercept and analyze HTTPS (encrypted) traffic.

Theoretical Approach of Attacking Access Controls37:00
Understand access control data stores and learn what client side attacks implies.
SQL injection9:09
Perform an SQL injection attack to get data from the database.
Exploiting SQLi using Sqlmap and Getting Remote Shell10:07
Perform SQLi using an automate tool and get remote shell trough an SQLi vulnerability.
Upload and Remote File Execution10:43
Present problems related to file upload and show how an attacker can get control over the server trough a file upload correlated with a remote file inclusion.

Cross Site Scripting Theory. Attacking Users33:00
Understand the Cross Site Scripting and how it affects users.
Reflected XSS – Session Hijacking using Cross Site Scripting10:29
A real example of how users are affected of XSS.
Stored or Persistent Cross Site Scripting6:59
Understand the difference between Reflected and Stored XSS trough examples.
Beef-XSS Demo16:12
Cross-site Request Forgery (CSRF)7:19
Change a user's password by exploiting a CSRF vulnerabilty.

Requirements

Basic IT skills
Basic knowledge of Linux and/or Windows
Understand basic computer networking

Description

In order to protect yourself from hackers, you must think as one.

This training is based on a practical approach of day-by-day situations and it contain labs based on real environments.

In this course, you will start as a beginner with no previous knowledge about penetration testing or hacking.

This course is focused on the practical side of penetration testing without neglecting the theory behind each attack. Before jumping into penetration testing, you will first learn how to set up a lab and install needed software to practice penetration testing on your own machine.

The course objective is to help you learn to master the (ethical) hacking techniques and methodology that are used in penetration systems. The course is designed for IT passionate, network and system engineers, security officers.

Once you understand how websites work we will start talking about how can we exploit these components. This course will take you from a beginner to a more advanced level -- so you will be able to launch attacks and test the security of websites and web applications, and furthermore you'll be able to help fixing these vulnerabilities and secure websites from them.

Below are the main topics, both theoretical and practical, of this course:

Core problems (Causes. Defences)
Web Technologies (HTTP Protocol, Web Functionality, Encoding)
Mapping (Spidering and Analysing)
Attacking Authentication (Technologies, Flaws, Fixes, Brute Force)
Attacking Session Management (State, Tokens, Flaws)
Attacking Access Controls (Common Vulnerabilities, Attacks)
Attacking Data Stores (SQL Injection, Bypassing Filters, Escalation)
Bypassing Client-Side Controls (Browser Interception, HTML interception, Fixes)
Attacking the server (OS command Injection, Path Traversal, Mail Injection, File Upload)
Attacking Application Logic
Cross Site Scripting
Attacking Users (CSRF, ClickJacking, HTML Injection)
OWASP Top Ten Vulnerabilities
Network Attacks

Labs:

Spidering, Website Analyser
Brute-Force
Session Hijacking via Mann-in-The-Middle
Get Gmail or Facebook Passwords via SSLStrip
SQL Injection
Upload File and Remote Execution
Cross-Site Scripting (Stored + Reflected, Cookie Stealing, Preventing XSS)
CSRF (Change password trough CSRF vuln., Preventing CSRF)

NOTE: This course is created only for educational purposes and all the attacks are launched in an isolated lab environment.

Who this course is for:

Web developers
Anyone who want to learn the ethical hacking and penetration testing process
IT students and/or passionate
Anyone who wants to start or develop a career in it security field or as "ethical hacker"

What you'll learn

Explore related topics

Course content

Why Web Security - Introduction7 lectures • 1hr 18min

Mapping the Web Application. User and Password Brute-Forcing4 lectures • 47min

Attacking Authentication and Session Management - Session Hijacking3 lectures • 53min

Access controls. Data stores and Client-side Controls4 lectures • 1hr 7min

Attacking the Server and Application Logic2 lectures • 36min

(XSS) Cross Site Scripting. Attacking the Users5 lectures • 1hr 14min

Guideline for Discovering and Improving Application Security2 lectures • 44min

(Bonus) Burp Tool for Advanced Web Penetration Testing7 lectures • 49min

(Bonus) Network Attacks5 lectures • 45min

(Bonus) Android reverse Engineering5 lectures • 55min

Requirements

Description

Who this course is for: