Practical Web Application Security & Testing

About Course

Practical Web Application Security and Testing is an entry-level course on web application technologies, security considerations for web application development, and the web application penetration testing process. We begin with the basics of HTTP, servers, and clients, before moving through the OWASP Top 10 on our way to a full demonstration penetration test. We also cover the reporting process for web application assessments, so you’re prepared not only to conduct security assessments on web applications but also clearly and effectively communicate your findings.

Skill Level

Basic-Plus: Although we cover some advanced techniques, the course assumes no familiarity with web application penetration testing and only some knowledge of the Linux command line. This is a perfect starting point for beginning web hackers.

Course Content

Introduction

welcome

09:54
Course Structure

01:37

1: Setup

2: Web Application Concepts

Servers and Clients

00:00
Lab – Nginx and Server Logs

00:00
HTTP

00:00
The Web Trinity

00:00
HTML

00:00
CSS

00:00
JavaScript

00:00
Lab – Alert Button

00:00
ZAP Intro

00:00
Lab – ZAP Enumeration

00:00

3: Server-Side Webapps

4: The OWASP Top 10

OWASP Overview

00:00
Broken Access Control

00:00
Cryptographic Failures

00:00
Injection – XSS

00:00
Injection – SQLI

00:00
Injection – Command Injection

00:00
Insecure Design

00:00
Security Misconfiguration

00:00
Vulnerable and Outdated Components

00:00
Identification and Authentication Failures

00:00
Software and Data Integrity Failures

00:00
Security Logging and Monitoring Failures

00:00
Server-Side Request Forgery

00:00
Extra Practice

00:00

About Course

Course Content

Introduction

welcome

Course Structure

1: Setup

Lab Setup Overview

Lab Setup – Hyper-V

Lab Setup – VirtualBox

Lab Setup – Kali Linux

Lab Setup – Docker

2: Web Application Concepts

Servers and Clients

Lab – Nginx and Server Logs

HTTP

The Web Trinity

HTML

CSS

JavaScript

Lab – Alert Button

ZAP Intro

Lab – ZAP Enumeration

3: Server-Side Webapps

PHP

Lab – PHP with Docker

Server Side Security Considerations

Lab – WordPress

Lab – DVWA

4: The OWASP Top 10

OWASP Overview

Broken Access Control

Cryptographic Failures

Injection – XSS

Injection – SQLI

Injection – Command Injection

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server-Side Request Forgery

Extra Practice

5: Client-Side Webapps

Client-Side Webapp Intro

Lab – Juice Shop

Frontend Considerations

6: Webapp Pentesting Methodology

Preparation

Scoping

Enumeration

Manual Testing

Automated Attacks

7: Juice Shop Pentest

Automatic Enumeration

Manual Enumeration

Discoveries

Login/Authentication

Purchasing

Customer Support

Additional API Testing

Legacy Code

8: Reporting

Report Structure

Writing Tips

9: Final Thoughts

Exhibition of Mastery

Next Step

Quick link

Company