Security 542 web app penetration testing and ethical hacking

On the final day of the course, you will apply the knowledge you have acquired in a Capture-the-Flag competition, a fun environment based on real-world technologies. Modern web applications are growing more sophisticated and complex as they use exciting new technologies and support ever-more critical operations. Long gone are the days of basic HTML requests and responses. The complexity of HTTP and modern web applications is progressing at breathtaking speed. With the demands of highly available web clusters and cloud deployments, web applications are looking to deliver more functionality in smaller packets at a decreased strain on backend infrastructure.

Are your web application assessment and penetration testing skills ready to evaluate these impressive new technologies and make them more secure? This pen testing course is designed to teach you the advanced skills and techniques required to test modern web applications and next-generation technologies. The course uses a combination of lectures, real-world experiences, and hands-on exercises to teach you the techniques to test the security of tried-and-true internal enterprise web technologies, as well as cutting-edge Internet-facing applications.

The final course day culminates in a Capture-the-Flag competition where you will apply the knowledge you acquired during the previous five course sections in a fun environment based on real-world technologies. We begin by exploring advanced techniques and attacks to which all modern-day complex applications may be vulnerable. We'll learn about new web frameworks and web backends, then explore encryption as it relates to web applications, digging deep into practical cryptography used by the web, including techniques to identify the type of encryption in use within the application and methods for exploiting or abusing it.

The last section of the course, before the Capture-the-Flag competition, will focus on how to identify and bypass web application firewalls, filtering, and other protection techniques. As applications and their vulnerabilities become more complex, penetration testers have to be able to handle advanced targets.

After discovering the flaws, we will work through various ways to exploit these flaws beyond the typical methods used these days. These advanced techniques will help penetration testers find ways to demonstrate these vulnerabilities to their organization through advanced and custom exploitation.

Cryptographic weaknesses are a major area of web application vulnerabilities, yet very few penetration testers have the skill to investigate, attack, and exploit these flaws. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages or development frameworks make encryption services available to the developer.

However, they often do not protect encrypted data from being attacked, or they enable the developer to use cryptography only weakly. These implementation mistakes are going to be our focus in this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying types of encryption to exploiting various flaws within encryption or hashing techniques.

Web applications are no longer limited to the traditional HTML-based interfaces. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems. We will explore various techniques to discover flaws within the applications and backend systems.

These techniques will make use of tools such as Burp Suite and other automated toolsets. In this section we start exploring the underlying infrastructure of our frameworks and languages. It all begins with an exploration of the architecture of popular frameworks. There is coverage on architectural vulnerabilities found in frameworks even today, such as Mass Assignment. Newer frameworks such as server-side JavaScript frameworks with NodeJS show us some different exploitation options.

Most of the things that folks want to learn can be found in a book or online, whether it is calculus or hacking. Knowing that you can use Burp proxy to do web pen testing, and knowing that it has x, y, and z options does not tell you how, when, or where to apply it.

Part of the value of a course is the ability to ask questions and ask for direction. With other venues, your mileage may vary, and they will rarely show you what you are doing wrong in an interactive way where you can have immediate feedback and you can make sure you have a full understanding when you walk away. I would say that the value of SANS courses lies partially in the tools that you learn, partially in the knowledge of how to implement them, and partially in the experiences that the teachers share around real world usage and scenarios.

What sets SANS aside from other teaching institutions is the real world experience and techniques for application of the tools.

The SANS instructors are not just instructors, they are practitioners as well. Knowing not just what Paros proxy does, but knowing when to apply it vs Burp or WebScarab has a lot of value. When I took , I had some basic stuff that I was doing, and after , I had really kicked it up a notch. I was using nmap more effectively, my metasploit fu was vastly improved, I started writing vbs scripts using wmic as soon as I got back to do incident response and all of that goodness.

After I took , I started writing my own metasploit additions, started playing with writing my own nmap NSE scripts, and had another huge jump from where I was after Having this course through SANS is great, I hope that they do a higher level course with more ninja skills in it. I definitely picked up some great stuff in the class, but there is a big focus on tools.

Looking through the course though, you go from evaluating web servers, to evaluating web code, to evaluating implementation, to evaluating applets, to evaluating logic. If you are tight on cash, there are things that you can do to bring down the price of classes. Things like the Mentor program, or offering to TA or host a class locally all can bring down the price of the course.

Thanks much for answering my question! What you said makes a lot of sense. It made me consider taking this course soon.

Apollo, that was great, I was thinking the same about to take any course or just keep reading the books.

Day Four was scheduled to have PHP as the final module, however, like the Python section, it was pushed to the next day. It was unclear if this will be the standard for the class, but it did provide some extra time to work through the questions without feeling the pressure of finishing the exercises before having to leave the classroom.

Overall, Day Four contained a lot of cutting-edge material, even though the first half of the day was light on exercises. The exercises in the second half of the day were good and provided a basis for individuals who are comfortable looking through code to find vulnerabilities. The day that everyone was looking forward to was Day Five, unofficially named the exploitation day.

The PHP section was a good, quick introduction to PHP with the final result utilizing aspects from the JavaScript section and creating code that would be very useful outside the class. The programming sections were a bit difficult to sit through because of the variety of skill levels in the class, but the instructor helped guide those who needed it to the final product.

The idea of the exercise was great, and the fact that there were intermediate steps and checkpoints helped the exercise feel like an actual development process. After the PHP section, the day jumped right into exploit techniques. We began with a discussion of authentication bypass, and an exercise demonstrating its principles. The rest of the morning through lunch consisted of SQLi discussions with exercises demonstrating different types of SQLi.

There was also good time spent on blind SQLi, determining vulnerabilities and eventually exploiting them. There were a variety of tools that were discussed and utilized in the examples. The BeEF example was great and, as client-side exploitation is one of the commonly discussed topics today, this was a very relevant exercise and discussion. The day finished out with a discussion of session flaws and determining if a site was vulnerable.

The instructor covered how to exploit the site, although there were no examples. The final topic was on chaining attacks to get maximum benefit, and a teaser discussion of the upcoming exercises for Day Six.

Day Five was the day that I had looked forward to the most. While I felt like there were a lot of tools that could have helped in executing SQLi attacks, I wish that there had been more hands-on, manual exercises, so that the students would have had a better feel for how to exploit more complex applications. The tools that were used though were effective at detecting problems and exploiting them, and proved to be good preparation for what lay ahead on Day Six.

Day Six consisted of a brief introduction, some network setup, and then a sample web penetration test affectionately known as "Capture the Flag" (CTF).

The scenario was set up well, and the requirements for the exercise matched well with the course content and mirrored many of the expectations from a real-world penetration test.

The class was grouped into teams with each team determining the duties of its members to find sample data flags on a variety of servers and services. The nice part about this exercise was that the difficulty of the placement of the flags varied. The variation made it possible for everyone in the class to make some progress, while only a handful of individuals were able to capture all of the flags. There was a final debriefing that mirrored the presentation of findings to a client. If you have ever heard a phrase such as "BeEF injection through persistent XSS due to blind SQL injection," and thought that you were the victim of Mad Libs gone awry, then this class will help you sort out your attack methodologies and teach you the basics of web application penetration testing along the way.

You will learn methodologies for approaching web app penetration testing and many tools to help you along the way. SANS has consistently provided quality instructors for the classes that I have taken, and even the day the primary instructor was ill, the alternate instructor picked up the reins with very few hiccups.

Kudos go to SANS for the quality of their farm-system-like process of finding and grooming instructors. Security professionals are reaching out to gain the knowledge to detect and resolve the security problems inherent in Web 2.

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below.

If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Network, Wireless Connection: A wireless Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete.

Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link.

You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. Students routinely show up to SEC having been demoralized by their organization's web application vulnerability scanner. One of the most rewarding aspects of teaching SEC is seeing and hearing those very same students' enthusiasm for applying the skills they have learned through the week to the applications they are responsible for securing.

They intrinsically knew the push-button approach to penetration testing was failing them, but lacked the knowledge and skill to ably and efficiently perform any other style of assessment. We are happy to say that SEC remedies this problem. Students walk away from class with a deep knowledge of key web application flaws and how to discover and exploit them, as well as how to present these findings in an impactful way. The real life experiences he shared really helped us understand the content.

Includes labs and exercises, and support. Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide. Training events and topical summits feature presentations and courses in classrooms around the world. Use this justification letter template to share the key details of this training and certification opportunity with your boss.

In Person, 6 days; Online. Course Authors: Eric Conrad (Fellow), Timothy McKenzie (Certified Instructor), Bojan Zdrnja (Certified Instructor), Seth Misenar (Fellow).

What You Will Learn

Web applications play a vital role in every modern organization.

You Will Learn:

- To apply a repeatable methodology to deliver high-value penetration tests.
- How to discover and exploit key web application flaws.
- How to explain the potential impact of web application vulnerabilities.
- The importance of web application security to an overall security posture.
- How to wield key web application attack tools more efficiently.
- How to write web application penetration test reports.

Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives. Manually discover key web application flaws.


