Web Application Security

Web Application Security Training

Importance of Information Security and Penetration Testing

Penetration testing varieties
Penetration testing for Web Applications
Application security differences
Application security testing tools
Burp, Owasp Zap, Webscarab ...
Firefox extension used in the Web Security Testing
Automated Security Scanning Tools
Web Security lab for testing. media
Wasp BWPA, but

A Network pentest Classic Scenario

Basic Nmap, Nessus, Metasploit Use
Port Scan type and vulnerability scanning
Network pentest Web pentest intersections
JBoss, Apache Tomcat vulnerabilities of applications, such as
JBOSS JMX-Console authorization overcome weakness abuse
Tomcat capture systems used

In Web Application Security Testing WAF / IPS evasion techniques

WAF and IPS security vulnerabilities across the application
The encoding methods and uses of Web application testing
Encoding techniques and varieties
URLs and HTML Encoding Using IPS Confusion
HPP (HTTP Parameter Pollution) using IPS bypass
Using encrypted traffic to bypass IPS

Web Application Security Components and HTTP Basic Information

Client
Server
Database
Application Server
Network Line
HTTP Basic Information
HTTP Methods and Functions
HTTP methods and exploitation in terms of safety
Active web servers support HTTP PUT abuse

Towards the Web Application Discovery

Web vulnerability discovery techniques using the search engine
Determining the input field of the web applications on Google
Of the target system via a web platform Google research
Important search criteria
Subdomain exploration work
Virtual host (virtual host) identification systems using
Subdirectory exploration work
Administration panel of the file / directory to determine the
DirBuster, the use of tools Wfuzz
Obtain sensitive information from error message
IPS, WAF exploration work

OWASP TOP 10 (2013) and Leak Use in Testing: XSS (Cross Site Scripting) Vulnerability Audit Techniques

XSS definition, causes
Real-life examples of XSS attacks
XSS vulnerability types
-Stored XSS
-Reflected XSS
-Dom XSS
Advances in XSS attacks
Obtaining information session XSS results
Senaryors using XSS malware infection
Classic XSS blocking and evasion techniques yöntelmer
Beef use the XSS attack
XSS-Proxy and use of XSS attack XSS-tunnel

CSRF (Cross Site Request Forgery) attacks

Basic information about CSRF vulnerabilities
The real-life examples of CSRF
Gmail Amazon.co examples
Example CSRF attack attempts

SQL injection (SQL injection) Attacks

Basic knowledge of SQL and database types
-Mysql Basic information
-mssql Basic information
Basic information on -Oracl
-Postresql Basic information
SQL injection attacks and real-life examples
SQL Injection varieties
-Blind (Blind) SQL injection attacks
-Err Is based (fault-based) SQL injection attacks
-Time Based (time-based) SQL injection attacks
-Other SQL types
Exceeding the login form using SQL / Authentication Bypass
Time Based Blind SQL Attack detection method
Time Based Blind Sqli kullanarak veri çekme - Mssql/Mysql
Automated SQL Injection attacks and attack tools
Sqlmap, Havij, the use of tools
SQL injection attempts according to the specifications Database
Progress in SQL Injection Attacks
SQL injection using the operating system handle the review scenario

Harmful Code Injection Attacks (LFI / RFI)

General descriptions and examples of code injection real life
Surf anonymously Index (Directory Treversal)
Local File Inclusion
Remote File Inclusion
Manage the system remotely using LF
Restrict access controls for URL problems

Insecure Direct Object Reference Control Techniques

Basic information about IDR weakness
Examples from real life
Insecure Direct Object Reference kullanarak yetki şstismarı
Session-Id and the transition to a different authorization rights to the exploitation of the cookie information

Exceeding Client Protection and Controls

Exceed the client-side security protection - Java Script
Exceed the client-side security protection - HTML Forms
Security vulnerability in Flash used site search
HTTP headers can be changed on the client side information and abuse methods
User-agent values with tests for mobile applications / bypass
X-Forwarded-For header information and using authorizations abuse
Exploitation method using the values in hidden form fields

Command Injection (Command Injection) Attacks

What is it, how does it work?
The real-life examples of command injection attacks
Example command injection attacks
Takeover target system using a command injection

Violated Authentication and Session Management

Authentication Control and Attacks
Authentication Types
Forms-based authentication
Password authentication method for finding trials
Captcha used for safety testing system
Session fixation attack and its effects

Controls for the HTTP Connection Security

SSL / TLS Concepts
TLS operating structure and basic security weaknesses
Certification otorire, concepts and uses of PKU
Examples on the SSL MITM
Intervention in the SSL connection using sslstrip
HTTPS bağlantılard information sessions / cookies obtain open
Sidejacking, surfjacking attacks and measures

Penetration Testing Web-Based Rear Door (Backdoor) Use

Backdoor, shell concepts and differences
Metasploit using the platform to create custom web-based back door
PHP Shell Building
Shell JSP Creation
Creating the ASP Shell
Create your shell will be recognized by antivirus
Create unrecognizable shell samples using the web webacoo
Antivirus bypass for shell (laudanum) use

Towards Web and Application Dos / DDoS Attacks

General DoS / DDoS attacks and real-life examples
Web applications for DOS / DDoS attacks
HTTP GET flood DoS / DDoS attacks to perform
Perform Slowloris HTTP DoS attack
Web stress testing using the OWASP HTTP DoS tool
Perform DoS using SSL
THC SSL DOS software using SSL-based sample of DoS attacks

Open Source and Commercial Web Security Scanning Software

Nikto tests using static web security
Dynamic web security tests using W3af
Dynamic web security testing using Netsparker
Owasp ZAP, Burp Proxy usage