Welcome to Web application penetration testing and bug bounty course. A course that teaches you practically, about web application security, protecting your websites from attacks and reporting bugs for reward money, if you found one.
Every single day, you read this in news, linkedin was attacked, Yahoo was attacked and have asked users to change their passwords. Cyber security is next Big thing. Every month thousands of people are learning about web app development and yet only a few are learning to secure those applications
We have designed this course, so that you can learn to secure web application. Regardless that you know, How to design one or not, these skills will help you to run various tests and enhance security of web apps. By the end of this course, you will able to apply for Junior web application pen tester, A complete independent bug bounty hunter and secure web developer.
In this course we will learn to install our own labs to do pentesting. We will walk you through with OWASP, top vulnerabilities like sql injection, Cross site scripting, session management flaws and various others. Also we will give you enough challenges to practice along.
Ideal student for this course is one who is interested in Web application security, Bug bounty and developers who want to secure their web apps.
Our goal with this course is to create more security experts so that these incidents can be minimised. It used to be time when banks were attacked, now everything is online and so is the money and attackers. Every web application developers should have skills to secure web application. In fact, development should be a process with constant involvement of cyber security experts.
Join us in this goal of creating secure cyber space. This course is great starting point to earn some good bounties with bugs. Take a look at some free previews and See You Inside Course.
This is a complete introduction to Complete web application penetration testing and bug bounty course. In this video I'll walk you through with What each section contains and How will the course progress.
With every course, I always says that don't expect magic with any course. Make sure that you understand that course is to guide you, it also need hard work, time and a lot of practice.
To get started in Pentesting or penetration testing, we need to collect some tools like kali for attack machine and Virtual machine for virtualization and Dojo as a victim machine. Once we get those operating system and tools, of course for free, then we will move further
Earning from Bug Bounty is not a new thing for security experts. Infact most of web application security experts are taking this a part time, high revenue generating process. In this video we will learn about right path of getting started with Bug Bounty
Dojo is one stop solution of having vulnerable testing application. We need to learn a lot of attacks like SQL injection, XSS, session management etc and for each of those we need a loophole in application. Installing this Dojo makes like easy and we can practice all those attacks without worrying about it.
For any ethical hacker or pentester Kali linux does not require any introduction. This linux distribution is one stop solution for pentesters. Although for web application, we will use it at minimum but without this, we would feel that something is missing from the course.
Kali is a an Operating System with vast number of tools already installed in it. This machine surely require a tour. In Fact, We can create a course on just kali tool tour, but in this case lets just leave it to a small tour to make you friendly with interface
OWASP stands for Open Web application Security Project, it is kind of Holy Bible for web application attacks and precautions. This website is always a GOTO for further reference or more reading material on attacks.
Linux training is a must have skills for everyone in the field of IT security. You don't need to be guru or linux administrator for this course but all the linux that you will need for this course is already covered in this course. In this first video we will learn about creating files via command line and traveling in linux.
Linux have a little different file structure than Windows. So this surely requires some understanding like which one is file and which one is directory. Judging just by color is not a good idea in linux as it is opensource and within a few lines of codes it can be changed. So we will learn the right way of understanding it.
Not every file in linux can be executable. There are certain permissions in linux that allows us to read, write and execute files. These permissions are usually denotes by numbers like for read - 4, write - 2 and execute - 1.
Networking is also an important part of linux. Of course we cannot do penetration testing by staying offline. We will learn about commands like ifconfig and iwconfig. This will help you to get to know you Ip and net card details. Also we will look at Reading manual of any command in linux
A quick introduction about what this course contains
TOR Browser is one the many way of getting anonymity in the online world. TOR sends request to other nodes and your request get passed via various nodes. Also, I will introduce you with the world of Darknet.
Proxies are a way to hide your location or basically route the entire traffic via a different server. It helps us to improve the anonymity. We will install proxychains and with this we can make n number of stops between the traffic.
MAC address also know as physical address of your ethernet device or wireless device is your main identity over the internet, apart from IP. We will learn to mask or change the current mac address.
there are many methods to gather information of our client, one of them is DNS enumeration. We also take a look on what is open DNS
Although, zone transfer vulnerability is very rare to see now a days but still we will look at this vulnerability on a dedicated platform.
DIG is another tool that gives more detail information about DNS information. Let's have a look on DIG tool which ships in Kali linux.
DNStracer is the utility which calculates the path of our request to the server and plots it nicely on graphical interface. We will also have a quick look on wireshark.
Dimitry is a built in tool in kali that gather a lots of information about the company like email ID and DNS information but there are many better tools available now.
Finding email is one of the important part as it can be later used for social engineering. Also we will look at generating reports.
Now that we have talked about a lot of tools, here is the time give you a very small and easy assignment. Also let's have a look on recon-ng
A quick introduction about what this course contains
Writing secure code seems easy process but it is one of the most challenging task. In this exercise we will explore that how bad code can reveal critical information and can lead to harm the application. Some times even the comments left at development phase does reach to production stage.
OS Command injection is a serious vulnerability where attacker is able to run system commands from the application. Attacker can even read critical files like shadow or passwd files. We will look and compare secure code vs the vulnerable code.
Cross site scripting or XSS is one the most famous and trending attack with modern application. In this video we will refer to a great and precise documentation being put on google site. Although there are not many payload to talk in here but we will point to them as well
Stored XSS uses almost the same payload but is more dangerous as payload get stores in database. Now if anyone visits that page, every user will be attacked by that payload. This serious flaw can even damage the credibility of business in long run
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. This can be seen in banking application or set new password section
The superstar of web application attack is SQL injection. In this attack, attacker tries to run sql commands from the user end and if he gets a success, then he has got a full access to read database. And yep, it is that scary. He can even get access to passwords (If not hashed) or even credit card details or entire email, which is entire business
Sometimes application needs to collect more info from users like their photos or their resumes or other pdf. In the uploading process application needs to be extra careful as users might upload something malicious. they can upload shells that can take full access over the server
This is one great example of JSON injection. Here we will intercept the request between client and server and will edit it on the go. This vulnerability will help us to book cheap tickets and destroy the business logic of the application
DOM or Document Object Model XSS is rarely seen on web application but is equally dangerous. In this video we will learn more about DOM based XSS
When we talk about Cross site scripting aka XSS sometimes companies asks for Proof of concepts and more attack scope. BeEF is one such tool that is one stop solution for exploiting XSS to next level. Let's explore BeEF automation tool
Sql injection is the most common attack and many application are still vulnerable to it. This is the most deadliest attack as attacker gets entire access to database. It this video we will talk about it and will point out to a FREE resource to learn more about sql injection. Yep, totally free and no need to even signup
SQLmap is a great tool for automating various tasks of sql injection. Specially for error based injections this tool is great and works as smooth as butter. We will learn about all the commands, opening manual for sqlmap and will try it over an error based injection
Time based injection is based on the fact that sometime a full error is not shown on the page and rather we have to work on true or false based results. This is very difficult for a normal user but with tools like sqlmap, we can work on it without breaking the head in wall
Forgot password is the common feature and almost must have in every web application. But in many web application, we don't restrict users for number of attempts for answering questions. This video is perfect example of such situation
In some cases, we can force session IDb to be created by providing it. In this case we will force a user to visit bank login and inject session id, later we will use same ID to login into his/her session
So, we have talked about Damn Vulnerable web application, but after practicing over it you might be wondering if you could have more such apps to test our skills, here is the answer of this question. We will introduce you with Hackme casino, that has lot of entertainment and bugs.
There are a lots Vulnerabilities and loopholes in hack me casino. Although, we will talk about few of them like SQL Injection and session mis management but this application is for you to apply all the attacks that you have learned in this course.
This cheesy vulnerable web application is there for you do whatever you wish to do with it, in terms of attacks and exploitation. It is specially designed to leave some loopholes for practice purposes. As soon as you find some vulnerability in application, please post in the Q/A section to showoff. Yep, we need you to do that
We at Igneus have trained students from IIT's, NIT's and reputed companies. Students from all over the globe have trusted our High quality and affordable trainings from 10+ countries and have opted for our Certification programs.
IGNEUS stands for the Revolutionary and a quality enhanced change that we’ve tried to come up with in the modern world of Internet education. We’ve come up bearing in mind the maximum emphasis on the quality dealing with every new technology which has made us distinguished from the throng at internet. And this revolution of choice will keep continuing. Today IGNEUS Technologies has proudly lifting up the tag of being the world's most trusted provider of myriad of services and training programs aiding constantly in every corner of the globe along with web security aspects, and open source technology.
IGNEUS Technologies Pvt. Ltd is a dream shared and brought up by two computer geniuses to make the society upgraded and aware of the cyber crimes that curb the innocence of environment, thus starting a revolution in favor of cyber security.
Igneus stands for the Revolutionary and a quality enhanced change in every aspect of its touch to internet. Quality dealing with every new technology makes us different from the crowd of internet. The revolution of choice continues. Today Igneus Technologies is the world's most trusted provider of mentioned services and training along with web security aspects, and open source technology.