ELWSECT – Web Security Testing
Web Security Testing (WST)
Common attack methods
Security policies, building a policy
Hackers and crackers
Security testing techniques
Manual inspections and reviews - gap analysis
Threat modelling - attack trees and use/misuse cases
A framework for testing
Packets, IP addresses, IPv4 and IPv6
Transmission Control Protocol (TCP), three-way handshake
HyperText Transfer Protocol (HTTP)
Uniform Resource Locators (URL), Domain Name System (DNS)
Wired networks, wireless networks, IP spoofing
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Encryption, Public Key Infrastructure (PKI), SSL sessions
Wireless encryption
Packet filtering, screening routers
Proxy servers
Network address translation
Virtual private networks
Types of firewall configuration
Dual-homed host, screened host firewall system, screened subnet firewall system
IP address inventory, ping sweeps
Service/socket inventory, port scanning
Hardening the system software
Spiders, robots and crawlers
Web application fingerprinting
Using site maps
Testing source code
Testing for error code
Testing for weak cipher levels
Testing SSL certificate validity
Testing for file extension handling
Old, backup and unreferenced files, server logs
Evaluating intruder detection, intruder detection systems
Testing for user enumeration
Default or guessable user accounts, brute force
Direct page requests, parameter modification, session ID prediction
File and directory privileges
Password remember and reset
Social engineering and insiders
Logout testing, cached pages
Cookie reverse engineering
Cookie manipulation by guessing
Cookie manipulation using brute force
Overflow
Exposed session tokens
HTTP methods and cross site tracing
SQL injection
Relational databases, Structured Query Language (SQL)
Testing for SQL injection
Testing for authorisation bypass attacks
Testing for Select statement attacks
Testing for Insert statement attacks
SSI injection
XPath injection
Dynamic code
Buffer overflows