The course is a mix of case-driven, instructor-led, and self-paced learning, designed to enable participants to learn, experiment with, and implement the concepts involved in managing and controlling penetration testing. It is designed to walk testers through the introductory steps of web application penetration testing as well as some common web application vulnerabilities. Students will be provided with a special virtual machine that contains the custom web penetration testing environment. They will be able to use it both in the class and after returning to their normal jobs.

Module 1 – Introduction to Class
Participants | Familiarization with course material | Familiarization with the protocols and timings | Expectation setting and clarifications
Module 2 – Introduction to Ethical Hacking
Footprinting and Reconnaissance | System Hacking | Server Fingerprinting | Port Scanning | Tools: httprint, Nmap, etc.
Module 3 – Different types of malware
Trojans and Backdoors | Viruses and Worms
Module 4 – Other attacks
Social Engineering | Denial of Service
Module 5 – Introduction to Software Security
Security in the System Development Lifecycle | Thinking Like a Security Engineer | Enumerating the Attack Surface
Module 6 – Standard Application Attack Vectors
GET and POST | Headers | Cookies | Understanding the underlying protocols of the web | Client-server communication on the web (overview of HTTP requests and responses) | Adding session tracking to HTTP (the concept of sessions, i.e. cookies, form-based sessions, etc.)
Module 7 – Introduction to web app sec testing tools
Browser add-ons: Firesheep, Live HTTP Headers, Tamper Data | Web proxies: Burp, Paros, etc. | HTTP request interception and manipulation (including analysis of requests and | Examining real HTTP requests/responses | Session hijacking and session fixation | Insufficient Session Timeout | Session Hijacking/Replaying (Facebook) (demo)
Module 8 – Learn methods to discover various vulnerabilities
Information leakage | Command injection | SQL injection | Blind SQL injection | Cross-Site Scripting (XSS) | Cross-Site Request Forgery | Session issues
Module 9 – Review of top web application vulnerabilities (hands-on exercise: WebGoat)
Common Weaknesses | Data Leakage Attacks | Sniffing | Path Traversal | Parameter Tampering (Hands On!) | Incorrect Resource Transfer between Spheres | Bypassing Client-side Enforcement of Security | Unrestricted File Upload | Injection Attacks | SQL Injection (Hands On!) | Cross-site Scripting (XSS) (Hands On!) | Session Riding/Cross-site Request Forgery (XSRF)
Module 9 – Introduction to Automated WebApp Testing tools
IBM Rational AppScan | Acunetix | And many other automated open-source web app pen testing tools