@ 2023 Cyber Dojo. All rights reserved.
Web Application Penetration Tester
A course by
Apr/2025
114 lessons
Arabic
62 students
Description
Unlock the foundational knowledge and practical skills to defend against cyber threats with Cyber Dojo’s Web Application Penetration Tester course. This course equips participants with the skills to conduct thorough web application penetration tests by covering key topics such as interception proxies (ZAP, BurpSuite), common vulnerabilities (SQL Injection, XSS, SSRF, CSRF, etc.), and information gathering techniques (target profiling, vulnerability scanning). It emphasizes a repeatable methodology aligned with OWASP standards to ensure rigorous and quality-controlled assessments of both traditional and modern web applications. Participants will learn to use Python for scripting, analyze automated tool results, and manually exploit vulnerabilities, enabling them to explain the impact of web application flaws and write comprehensive test reports.
- Key Components of Web Application Penetration Tester:
- Apply OWASP’s methodology to web application penetration tests, ensuring consistency, reproducibility, rigor, and quality control.
- Assess traditional server-based web applications and modern AJAX-heavy applications that interact with APIs.
- Analyze results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives.
- Manually discover key web application flaws.
- Use Python to create testing and exploitation scripts during a penetration test.
- Discover and exploit SQL Injection flaws to determine the true risk to the victim organization.
- Understand and exploit insecure deserialization vulnerabilities with tools like ysoserial.
- Create configurations and test payloads for various web attacks.
- Fuzz potential inputs for injection attacks with ZAP, Burp’s Intruder, and ffuf.
- Explain the impact of exploiting web application flaws.
- Analyze traffic between the client and server using tools like Zed Attack Proxy and BurpSuite to find security issues.
- Use browser developer tools to assess findings within client-side application code.
- Manually discover and exploit vulnerabilities such as Command Injection, CSRF, SSRF, and more.
- Learn strategies and techniques to discover and exploit blind injection flaws.
- Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and networks, and evaluate the impact of XSS flaws.
- Use the Nuclei tool to perform scans of target websites/servers.
- Develop comprehensive reports that communicate identified risks to stakeholders effectively.
- Hands-On Training:
- The course offers extensive lab-based exercises, providing students with practical experience applying course concepts.
- Labs are based on real-world scenarios, allowing students to grasp the challenges they’ll face in their careers.
- Certification Opportunity:
- You can obtain the GWAPT certification validating the acquired skills and knowledge.
Get the course now to unlock the gateway to a thriving and lifelong career in Cybersecurity.
Certificate Sample
————————————————————————
- Important Notice:
- This course is independent and not sponsored, endorsed, or affiliated with organizations such as IBM, SANS, INE, Microsoft, Cisco, and others.
- This course is presented as a prerecorded program, offering flexibility for learners to access the content at their own pace and convenience.
- The modules are designed to be consumed in a sequential manner, allowing participants to navigate through the material at a time that suits their individual schedules.
- Please note that being prerecorded, the course does not involve live, real-time interactions with instructors except through the one-to-one support sessions.
- Participants can pause, rewind, and replay the content as needed to enhance their understanding of the subject matter.
- It includes opportunities for open discussion through dedicated discussion boards that enable participants to engage with peers, share insights, and ask questions related to the course content.
————————————————————————
Curriculum
- 8 Sections
- 114 Lessons
- 52 Weeks
- Introduction to Cyber Dojo Platform (3 lessons)
- Chapter 1: Introduction and Information Gathering (20 lessons)
  - 2.1 Why the Web? (13 Minutes)
  - 2.2 Application Assessment Methodologies (48 Minutes)
  - 2.3 Web Application Pen Tester’s Toolkit (6 Minutes)
  - 2.4 Interception Proxies (23 Minutes)
  - 2.5 Exercise 1.1: Configuring Interception Proxies (13 Minutes)
  - 2.6 TryHackMe Bonus Lab: Burp Suite: The Basics (48 Minutes)
  - 2.7 TryHackMe Bonus Lab: Burp Suite: Repeater (28 Minutes)
  - 2.8 TryHackMe Bonus Lab: Burp Suite: Intruder (38 Minutes)
  - 2.9 TryHackMe Bonus Lab: Burp Suite: Other Modules (21 Minutes)
  - 2.10 TryHackMe Bonus Lab: Burp Suite: Extensions (8 Minutes)
  - 2.11 Open Source Intelligence (OSINT) (29 Minutes)
  - 2.12 Virtual Host Discovery (39 Minutes)
  - 2.13 Exercise 1.2: Virtual Host Discovery (37 Minutes)
  - 2.14 HTTP Syntax and Semantics (48 Minutes)
  - 2.15 HTTPS and Testing for Weak Ciphers (21 Minutes)
  - 2.16 Exercise 1.3: Testing HTTPS (11 Minutes)
  - 2.17 Target Profiling (24 Minutes)
  - 2.18 Exercise 1.4: Gathering Server Information (21 Minutes)
  - 2.19 Quiz: Exercise 1.Bonus: Testing and Exploiting Heartbleed (60 Minutes, 1 Question)
  - 2.20 Assignment: Build SSL OSINT Tool (1 Day)
- Chapter 2: Content Discovery, Auth, and Session Testing (31 lessons)
  - 3.1 Insufficient Logging and Monitoring (13 Minutes)
  - 3.2 Spidering Web Applications (19 Minutes)
  - 3.3 Exercise 2.1: Web Spidering (38 Minutes)
  - 3.4 Forced Browsing (9 Minutes)
  - 3.5 Exercise 2.2: ZAP and ffuf Forced Browse (20 Minutes)
  - 3.6 Fuzzing (9 Minutes)
  - 3.7 Information Leakage (12 Minutes)
  - 3.8 Authentication (44 Minutes)
  - 3.9 Exercise 2.3: Authentication (21 Minutes)
  - 3.10 Self-Study Lesson: OAuth 2.0 Authentication Vulnerabilities (50 Minutes)
  - 3.11 Self-Study Lesson: JWT Attacks (50 Minutes)
  - 3.12 Username Harvesting (17 Minutes)
  - 3.13 Exercise 2.4: Username Harvesting (15 Minutes)
  - 3.14 Burp Intruder (8 Minutes)
  - 3.15 Exercise 2.5: Fuzzing with Burp Intruder (11 Minutes)
  - 3.16 Bonus Lab 2.1 – Username Enumeration via Different Responses (8 Minutes)
  - 3.17 Bonus Lab 2.2 – Username Enumeration via Response Timing (11 Minutes)
  - 3.18 Session Management (30 Minutes)
  - 3.19 Exercise 2.6: Burp Sequencer (12 Minutes)
  - 3.20 Authentication and Authorization Bypass (24 Minutes)
  - 3.21 Vulnerable Web Apps: Mutillidae (6 Minutes)
  - 3.22 Exercise 2.7: Authentication Bypass (33 Minutes)
  - 3.23 Bonus Lab 2.3 – 2FA Simple Bypass (6 Minutes)
  - 3.24 Bonus Lab 2.4 – 2FA Broken Logic (18 Minutes)
  - 3.25 Bonus Lab 2.5 – User ID Controlled by Request Parameter (4 Minutes)
  - 3.26 Bonus Lab 2.6 – User Role Controlled by Request Parameter (2 Minutes)
  - 3.27 Bonus Lab 2.7 – User Role Can be Modified in User Profile (6 Minutes)
  - 3.28 Bonus Lab 2.8 – Insecure Direct Object References (IDOR) (5 Minutes)
  - 3.29 Quiz: Exercise 2.Bonus: Exploiting Shellshock (60 Minutes, 3 Questions)
  - 3.30 Assignment: Authentication Vulnerabilities Labs (14 Days)
  - 3.31 Assignment: Access Control Vulnerabilities Labs (14 Days)
- Chapter 3: Injection (27 lessons)
  - 4.1 HTTP Response Security Controls (20 Minutes)
  - 4.2 Command Injection (19 Minutes)
  - 4.3 Exercise 3.1: Command Injection (26 Minutes)
  - 4.4 Bonus Lab 3.1 – Blind OS Command Injection with Time Delays (9 Minutes)
  - 4.5 Bonus Lab 3.2 – Blind OS Command Injection with Out-of-Band Interaction (10 Minutes)
  - 4.6 Assignment: OS Command Injection (5 Days)
  - 4.7 File Inclusion and Directory Traversal (13 Minutes)
  - 4.8 Exercise 3.2: Local/Remote File Inclusion (9 Minutes)
  - 4.9 Bonus Lab 3.3 – File Path Traversal, Simple Case (4 Minutes)
  - 4.10 Bonus Lab 3.4 – File Path Traversal, Validation of File Extension with Null Byte Bypass (7 Minutes)
  - 4.11 Bonus Lab 3.5 – Web Shell Upload via Content-Type Restriction Bypass (13 Minutes)
  - 4.12 Assignment: Local/Remote File Inclusion (14 Days)
  - 4.13 Insecure Deserialization (21 Minutes)
  - 4.14 Exercise 3.3: Insecure Deserialization (15 Minutes)
  - 4.15 Assignment: Insecure Deserialization (15 Days)
  - 4.16 SQL Injection Primer (28 Minutes)
  - 4.17 Discovering SQLi (26 Minutes)
  - 4.18 Exploiting SQLi (31 Minutes)
  - 4.19 Exercise 3.4: Error-Based SQLi (12 Minutes)
  - 4.20 SQLi Tools (11 Minutes)
  - 4.21 Exercise 3.5: sqlmap + ZAP (18 Minutes)
  - 4.22 Bonus Lab 3.6 – SQL Injection Vulnerability in WHERE Clause Allowing Retrieval of Hidden Data (4 Minutes)
  - 4.23 Bonus Lab 3.7 – SQL Injection Vulnerability Allowing Login Bypass (12 Minutes)
  - 4.24 Bonus Lab 3.8 – Blind SQL Injection with Time Delays (11 Minutes)
  - 4.25 Bonus Lab 3.9 – Blind SQL Injection with Out-of-Band Interaction (18 Minutes)
  - 4.26 Bonus Lab 3.10 – Blind SQL Injection with Conditional Responses (25 Minutes)
  - 4.27 Assignment: SQL Injection (20 Days)
- Chapter 4: XSS, SSRF, and XXE (27 lessons)
  - 5.1 Document Object Model (DOM) (24 Minutes)
  - 5.2 Cross-Site Scripting (XSS) Primer (22 Minutes)
  - 5.3 Exercise 4.1: HTML Injection (16 Minutes)
  - 5.4 XSS Impacts (10 Minutes)
  - 5.5 BeEF (8 Minutes)
  - 5.6 Exercise 4.2: BeEF (20 Minutes)
  - 5.7 Classes of XSS (22 Minutes)
  - 5.8 Exercise 4.3: DOM-Based XSS (20 Minutes)
  - 5.9 Discovering XSS (12 Minutes)
  - 5.10 XSS Tools (5 Minutes)
  - 5.11 Exercise 4.4: XSS (20 Minutes)
  - 5.12 Bonus Lab 4.1 – Stored XSS into HTML Context with Nothing Encoded (6 Minutes)
  - 5.13 Bonus Lab 4.2 – Stored XSS into Anchor href Attribute with Double Quotes HTML-encoded (15 Minutes)
  - 5.14 Bonus Lab 4.3 – Exploiting Cross-Site Scripting to Steal Cookies (10 Minutes)
  - 5.15 Assignment: Cross-Site Scripting (30 Days)
  - 5.16 AJAX (20 Minutes)
  - 5.17 Data Attacks (8 Minutes)
  - 5.18 REST and SOAP (11 Minutes)
  - 5.19 Server-Side Request Forgery (SSRF) (12 Minutes)
  - 5.20 Exercise 4.5: Server-Side Request Forgery (6 Minutes)
  - 5.21 Bonus Lab 4.4 – Basic SSRF Against Another Back-End System (8 Minutes)
  - 5.22 Assignment: Server-Side Request Forgery (SSRF) (9 Days)
  - 5.23 XML External Entities (XXE) (14 Minutes)
  - 5.24 Exercise 4.6: XXE (17 Minutes)
  - 5.25 Bonus Lab 4.5 – Exploiting XInclude to Retrieve Files (9 Minutes)
  - 5.26 Bonus Lab 4.6 – Exploiting XXE Using External Entities to Retrieve Files (6 Minutes)
  - 5.27 Assignment: XML External Entity (XXE) Injection (10 Days)
- Chapter 5: CSRF, Logic Flaws, and Advanced Tools (22 lessons)
  - 6.1 Cross-Site Request Forgery (11 Minutes)
  - 6.2 Exercise 5.1: CSRF (21 Minutes)
  - 6.3 Assignment: Cross-Site Request Forgery (10 Days)
  - 6.4 Logic Flaws (6 Minutes)
  - 6.5 Assignment: Business Logic Vulnerabilities (9 Days)
  - 6.6 Python for Web App Pen Testers (26 Minutes)
  - 6.7 Exercise 5.2: Python (3 Hours)
  - 6.8 Assignment – Automate PortSwigger Labs with Python (3 Days)
  - 6.9 WPScan and ExploitDB (3 Minutes)
  - 6.10 Exercise 5.3: WPScan and ExploitDB (13 Minutes)
  - 6.11 Burp Scanner (9 Minutes)
  - 6.12 Metasploit (13 Minutes)
  - 6.13 Exercise 5.4: Metasploit (16 Minutes)
  - 6.14 Exercise 5.5: Drupalgeddon II (8 Minutes)
  - 6.15 Nuclei (6 Minutes)
  - 6.16 When Tools Fail (9 Minutes)
  - 6.17 Exercise 5.6: When Tools Fail (14 Minutes)
  - 6.18 Business of Pen Testing: Preparation (19 Minutes)
  - 6.19 Business of Pen Testing: Post Assessment (20 Minutes)
  - 6.20 Pentest Report Sample (10 Minutes)
  - 6.21 Assignment: Exercise 5.Bonus: Python (1 Day)
  - 6.22 Assignment: Exercise 5.Bonus2: Exploiting Ruby on Rails (1 Day)
- Final Exam: GWAPT Exam Preparation (1 lesson)
- Project: Juice Shop Vulnerabilities Report (3 lessons)
Offensive Operations, Pen Testing, and Red Teaming

- Price: 350 $ (discounted to 250 $)
- 100% positive reviews
- 62 students
- 114 lessons
- Language: Arabic
- 3 quizzes
- Assessments: Self
- Granted Access Time: 52 weeks
- Skill level: Intermediate