The course is appropriate for both novice and experienced testers in the following category: test engineers who are not familiar with Web Application Security Testing but have fundamental knowledge of, or experience in, functional testing.
Benefits of this course:
After the completion of the course, the participants would be able to:
- Learn how attackers succeed in breaking web applications
- Understand the attack target possibilities of web apps
- Understand and apply the differences between Security testing and Functional testing
- Gain basic network/system level knowledge needed for application security testers
- Understand the 'Top Ten' vulnerabilities proposed by OWASP
- Get hands-on Web Application Security Testing techniques, using WebScarab and other tools
- Incorporate security testing as a continuous process in your organization
Details of Topics covered:
Day One
Introduction
- What is Security
- Grasping the fundamentals of Security flaws
- Vulnerabilities and the anatomy of an attack
- Some proven application security principles
- The mindset needed for Testing the Security aspects of a web application
Review of Top Ten vulnerabilities in Web Applications
- Cross Site Scripting (XSS)
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
Grasping the basic system-level knowledge
- How the network plays a role between clients and servers
- Basic network commands that testers need to know
Understanding the elements of a web application, with focus on the HTTP data (Hands-on)
- Overview of HTTP Requests/Responses
- Concept of cookies, revisited
- Using Fiddler
Day Two
Practical session on testing web application security
- Discussions
Introduction to WebScarab
- Understanding the context of tools
- Introduction to WebScarab
HTTP Request Interception and Manipulation
- Using a proxy to intercept the request
- Adding custom fields dynamically
Practical demo on Cross Site Scripting vulnerability identification
- Using WebScarab to analyze URLs
- Injecting JavaScript into request parameters
Inferences and HTML fields as sources of Attacks
- Revealing Hidden Fields
- Exceptions as the basis of knowing the server environment
Fuzzing and Web Application Security Testing
- General concepts of fuzzers
- Parameter fuzzing in web applications
- Practical Demonstration of SQL Injection
Exercises on Web Application Testing
About Instructor
Ashwin Palaparthi has 10+ years of experience in Test Engineering. He has worked at AppLabs for 6 years and held several positions starting from Project Lead to Manager to Principal Architect to Associate Vice President. At AppLabs he was deeply involved in technology support to Test Engineering, custom tools development and presales.
To his credit, Ashwin has
- built an automated unit test suite for ZENEB's component platform.
- performed white-box testing (code/design reviews, profiling, instrumentation etc.) for e-Duction.
- developed a prototype extension to WinRunner to support 3rd party ActiveX controls from Infragistics (a well-known ActiveX component vendor).
- developed a Custom Test Harness for a company called MarketAxess, which has been used by 50 testers for the last 5 years day-in/day-out without any changes.
- ran a Security Testing Practice as the Practice Head for a group of 100+ engineers in AppLabs where we performed Web-application Security Testing, Testing of Security Products themselves etc.
- extended JMeter and built a framework-assisted Performance Testing service.
Ashwin also delivered two seminars in London, one on Performance Testing using Open-source Testing tools and the other on Security Testing [ICSTEST, 2004], and also delivered talks at HYSEA events. He also handled a very complex Test Automation project for ISS, building a custom Test Automation framework using QTP (and automating about 4000 tests, some of which ran on a distributed environment) for ISS.
Ashwin also created the world's first Online Tool Platform for Software Testers, TestersDesk.com, which today has more than 5000 users and has won the Best Innovation of the Year award against tight competition.
Schedule
Date - City · Venue
April 09 - Apr. 10 · Pune, INDIA
May 07 - May. 08 · Bangalore, INDIA
This is a typical daily schedule. Please confirm the program schedule at registration.
Nomination Fee
Rs. 10,000 for Single Nomination + 12.36% Service Tax
- 5% discount for Early Bird Registrations (15 days in advance of the program date)
- 5% discount on Task Force of 4 to 7
- 10% discount on Task Force of 8 and above
- 10% discount applicable to CSTE / CSQA Qualified Professionals
- 10% discount applicable to PMI / CSI Members and NASSCOM Members
The price includes the course material, lunch and breaks each day, and a certificate of completion. Hotel and travel arrangements are the responsibility of the attendee.
ETI Cancellation Policy
- All cancellations must be made in writing, either by mail, e-mail, or fax.
- All payments must be received by ETI prior to the start of the workshop/seminar.
- If cancelled 5 or fewer calendar days prior to the start date, or for no-shows: NO REFUND.
- If cancelled 6-30 calendar days prior to the start date: 50% of the workshop/seminar fee will be non-refundable.
- If cancelled more than 30 calendar days prior to the start date: a full refund will be issued.
- You are welcome to send a substitute if you cannot attend, but please notify us in advance.
- You may reschedule with at least four weeks' notice prior to the workshop/seminar for which you are currently registered.
Please send all cancellations and substitutions to training@edistatesting.com or call 91-80-415-74806, Attn: Workshop Coordinator.
Need to train multiple people on this topic? Try private in-house training.
For more information contact Akshay Raj at akshay.r@edistatesting.com or 91-80-415-74806.
Web Services (SOA) Testing
May 27 - May 28 · Hyderabad, INDIA
June 10 - Jun 11 · Pune, INDIA
June 25 - Jun 26 · Chennai, INDIA
June 29 - Jun 30 · Bangalore, INDIA
Edista Testing Institute has the capability to meet all your competency assessment, training, certification, e-learning, and staffing needs (experienced as well as entry level). Please get in touch with us if you do not find the service or training product you are looking for on the website.
A venture of QAI
QAI is Asia's largest and the world's third largest global consulting organization addressing 'Operational Excellence' in IT, BPO and knowledge-intensive organizations.