SANS: Web Application Pen Testing Hands-On Immersion (DEV538)
Course: Web Application Pen Testing Hands-On Immersion
Course ID: SB2DWPT / SANS Course ID: DEV538
Instructor: SANS Instructor
CPE Credits: 12 CPEs
Duration: 2 Days
Date: November 19th - 20th, 2009 (9 AM – 6 PM)
Who should attend?
• Infrastructure penetration testers who are trying to expand into pen testing Web applications
• Developers who are interested in testing their applications against common vulnerabilities
• QA testers who are responsible for testing security vulnerabilities in applications
• Information security professionals with some background in hacker exploits
This fast-paced course is ideal for students who have a basic understanding of Web application security vulnerabilities and testing methodologies and are looking to refresh and upgrade their skills in pen testing Web applications. It is also well suited to infrastructure pen testers who are expanding their testing scope to Web applications. If you are going to be testing Web applications in the next few months, this course will help you brush up on your Web application security testing knowledge. Whatever your level, it will give you the confidence of knowing that you have hands-on experience testing for common vulnerabilities.
Students attending this course are required to bring their own, properly configured laptops. There is not enough time in class to help you set up your laptop; it must be properly installed and configured before you come to class.
Minimum hardware requirements:
• 1GHz processor
• 512MB RAM (1GB highly recommended)
• 3GB free hard disk space
• CD-ROM drive
• An unused USB slot
A laptop with Windows 2000, XP, or Vista is required with the latest Service Packs and patches. You should install the following software on the computer:
• Java Runtime Environment (JRE) - please download from http://www.sun.com
• Firefox browser (version 3)
• Microsoft .NET framework runtime 1.1 (some of the testing tools require it)
• The SwitchProxy extension for Firefox (see below)
Please install VMware Player or VMware Workstation on the laptop. (GSX and ESX will not work.) VMware player can be downloaded for free at http://www.vmware.com.
SwitchProxy is a Firefox extension and can be installed from https://addons.mozilla.org/en-US/firefox/addon/125. Browse to the URL with Firefox and then click the "Add to Firefox" button on the page.
At the beginning of class you will be given a Linux bootable CD. This CD will be booted within VMware as a virtual machine. You must be able to disable the host firewall (Windows Firewall or any third-party firewall) and the anti-virus software running on your laptop; this usually means you need administrative privileges on the machine. The Windows host and the Linux guest need to talk to each other through the VMware network interface, and a firewall that blocks this communication will cause some of the exercises to fail.
Day 1
We start with a brief overview of testing methodologies and then step through the reconnaissance and mapping phase of pen testing Web applications. Concepts and techniques are reinforced by hands-on exercises. Vulnerability discovery in infrastructure components, authentication, and session mechanisms is covered. After discussing how to discover the vulnerabilities, we learn how to exploit them. Real open-source software is used as the attack target so students get hands-on experience with real-life applications.
• Mapping and spidering the Web site
• Using proxy tools
• Discovery of authorization problems
• Session token stealing and session hijacking
Day 2
Discovery and exploitation of various input-related vulnerabilities are the focus of the second day. We begin with an overview of the vulnerabilities and an explanation of how weak input validation opens a potential avenue for exploitation. We then go through a step-by-step approach to discovering and exploiting SQL injection vulnerabilities, using real-life examples to demonstrate the approach. Discussion and a hands-on exercise on Cross-Site Scripting and HTTP response splitting follow. We wrap up the second day by exploring how to automate the testing techniques discussed throughout the course.
• SQL injection and related query enumeration
• Blind SQL injection
• Cross-Site Scripting discovery
• Cross-Site Scripting exploitation
• Code analysis