Complete Ethical Hacking & Penetration Testing for Web Apps

  • Life Time Access
  • Certificate on Completion
  • Access on Android and iOS App
  • Self-Paced
About this Course

Learn the OWASP Top 10 vulnerability categories and the defenses and fixes for them, covering the most popular web attack types.

Hello and welcome to Web Based Ethical Hacking and Penetration Testing for Beginners. This course is an introduction to your career as a web security expert.

The internet is all around us. We have been using its facilities for a long while, and as the internet arrived, cyber-security threats arrived with it. You hear stories of cyber attacks every day in the newspapers and the media.

As the convenience and comfort of internet-based applications have grown, whether a web application or a mobile application that talks to a cloud-based API, the chance of a cyber attack has grown too, to the point that we cannot predict what will happen the next day, because attackers are always alert and vigilant, looking for a loophole to get into an application and steal your information.

As the saying goes, "A person who knows how to break a lock can make a good lock!" Because they know the vulnerabilities and the loopholes, such a person can build a secure application, or guide the developer to build one that does not contain the loopholes that have already been discovered.

So, as cyber security professionals or enthusiasts, we will deal with the OWASP Top 10 vulnerabilities. OWASP, the Open Web Application Security Project, is a community-based project that periodically updates its list of the top vulnerability categories. Each category in the Top 10 groups a number of more specific vulnerabilities, so in this course we will cover about 30 of the most popular vulnerabilities, the common ones currently seen in the real world.

Once you get hold of these 30 vulnerabilities, you will have enough confidence to test a web application, a cloud-based API, or a mobile application that uses a cloud-based API. In every session I give you the mitigations, the defensive mechanisms we can follow to avoid the vulnerability discussed in that session, so you will be able to suggest the defensive measures to the programmer or developer building the web application.

Please make sure you use these techniques only for penetration testing and ethical hacking, on systems you are authorized to test, and not for any illegal or unethical purpose.

Cyber security and penetration testing is a very lucrative career. This course is intended for cyber security beginners with an overview of basic web coding who are interested in entering the cyber security world, and also for existing testers who want to move into penetration testing. People interested in ethical hacking can also take this course.

In this course we concentrate mainly on how penetration testing is done on web-based applications. The same techniques apply to mobile applications, because most of them communicate with a cloud-based API, and the security of that API is in practice the security of the mobile application using it. At the end of the course we provide a course completion certificate on demand, which you can include in your resume to add value to your profile.

I promise you are going to have a really thrilling experience doing penetration testing and ethical hacking. See you soon in the classroom.

Basic knowledge
  • Should have basic knowledge of how web applications work; basic HTML, JavaScript and PHP knowledge is helpful. A PC or laptop with a minimal configuration is fine
What you will learn
  • You will understand how the most popular vulnerabilities (OWASP Top 10) are used to hack into a website, and the ways to prevent them
Curriculum
Number of Lectures: 32
Total Duration: 03:42:08
Quick Overview of the Course
  • Quick Overview of the Course  

    The importance of Cyber Security Career and the Topics covered in the course

Lab Setup 1 : Install WAMP
  • Lab Setup 1 : Install WAMP  

    Install WAMP, the Apache, PHP and MySQL stack for hosting the demo web server

Lab Setup 2: Install Mutillidae
  • Lab Setup 2: Install Mutillidae  

    Install Mutillidae II, a free, open source, deliberately vulnerable web-app

  • Error Troubleshooting  

    If you are getting the error "The database server appears to be offline" while accessing Mutillidae:

    Go to the bin directory of MySQL inside WAMP (normally under C:\ by default; use your computer's path to WAMP). For example, on my computer I used the command

    cd C:\wamp64\bin\mysql\mysql5.7.21\bin

    Now the prompt will be C:\wamp64\bin\mysql\mysql5.7.21\bin>

    Type the following commands:

    mysql -u root

    use mysql

    update user set authentication_string=PASSWORD('multillidae') where user='root';

    update user set plugin='mysql_native_password' where user='root';

    flush privileges;

    quit;

    Then try to access Mutillidae again.

    Notes: the column name is authentication_string, with an underscore. The password in quotes must be exactly the database password Mutillidae is configured to use, so check the spelling above against your Mutillidae database configuration. The PASSWORD() function and this UPDATE on the user table work on the MySQL 5.7 shipped with this WAMP version; on MySQL 8.0 and later PASSWORD() no longer exists, and the root password and authentication plugin are changed with an ALTER USER statement (IDENTIFIED WITH mysql_native_password BY the password) instead. This leaves the root account with a trivial password, which is acceptable only on an isolated lab machine.

    If you have installed Apache standalone on Linux, the web folder path may be "htdocs" rather than "www"; some distros have it in /opt/lampp/htdocs, and others in /var/www.

Lab Setup 3: Install Burp Suite
  • Lab Setup 3: Install Burp Suite  

    Install Burp Suite, an integrated platform for security testing of web sites

SQL Injection - Attack and Defenses
  • SQL Injection - Attack and Defenses  

    SQL injection, the most common yet most serious web attack method. We will learn how to penetrate the database using SQL injection and what to take care of to prevent this type of attack.

OS Command Injection - Attack and Defenses
  • OS Command Injection - Attack and Defenses  

    Learn how to perform an OS command injection attack on Windows or Linux servers and get back valuable system details, and how to defend against this kind of attack.

JSON Injection Attack using Reflected XSS Technique and Defense Measures
  • JSON Injection Attack using Reflected XSS Technique and Defense Measures  

    Perform a possible JSON injection attack using the reflected cross-site scripting technique, with tips on how to prevent this attack

Cookie Manipulation Attack and Defenses
  • Cookie Manipulation Attack and Defenses  

    Learn how to manipulate cookies stored by websites and use them to gain unauthorized access, plus preventive tips

Username Enumeration Attack - Part 1 & 2
  • Username Enumeration Attack - Part 1  

    Attack using username enumeration by brute force, comparing the responses from the server, and tips for defense.

  • Username Enumeration Attack - Part 2  

    Attack using username enumeration by brute force, comparing the responses from the server, and tips for defense.

Brute Force Attack Technique and Defenses
  • Brute Force Attack Technique and Defenses  

    How to gain access to a website using brute force attack technique

Cross Site Scripting (Reflected XSS using HTML Context)
  • Cross Site Scripting (Reflected XSS using HTML Context)  

    Learn reflected cross-site scripting using the HTML context

Cross Site Scripting (Reflected XSS using JavaScript)
  • Cross Site Scripting (Reflected XSS using JavaScript)  

    Learn Cross Site Scripting (Reflected XSS using JavaScript)

Stored Cross Site Scripting Attack - XSS Defenses
  • Stored Cross Site Scripting Attack - XSS Defenses  

    Learn about the stored cross-site scripting attack, the defenses and precautions

Insecure Direct Object Reference - IDOR and Defense using File Tokens
  • Insecure Direct Object Reference - IDOR and Defense using File Tokens  

    Learn how to attack using Insecure Direct Object Reference (IDOR) and how to defend using file tokens

Insecure Direct Object Reference - IDOR and Defense using URL Tokens
  • Insecure Direct Object Reference - IDOR and Defense using URL Tokens  

    Learn how to attack using Insecure Direct Object Reference (IDOR) and how to defend using URL tokens
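    One way to implement the URL-token defense for the file- and URL-token lectures above, as an added example that is not the course's own code: the object id stays in the URL, but it is bound to the logged-in user with an HMAC, so editing the id or replaying another user's link fails. The key, the /download path and the parameter names are assumptions for the demo; the interpretation of "URL token" as a keyed token is mine, and the check still belongs beside, not instead of, a server-side ownership check.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Assumption: in a real deployment this key comes from secret storage, not source code.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def make_object_token(user_id: int, object_id: int, key: bytes = SERVER_KEY) -> str:
    """HMAC over (user, object): the token is valid only for this user and this object."""
    message = f"{user_id}:{object_id}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_download_url(user_id: int, object_id: int) -> str:
    """Server side: emit the link the logged-in user is allowed to follow."""
    token = make_object_token(user_id, object_id)
    return "/download?" + urlencode({"id": object_id, "t": token})


def authorize_download(user_id: int, query_string: str, key: bytes = SERVER_KEY):
    """Server side: return the object id if the token matches this user, else None.

    `user_id` must come from the authenticated session, never from the request.
    """
    params = parse_qs(query_string)
    try:
        object_id = int(params["id"][0])
        presented = params["t"][0]
    except (KeyError, IndexError, ValueError):
        return None
    expected = make_object_token(user_id, object_id, key)
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(expected, presented):
        return None
    return object_id


if __name__ == "__main__":
    url = build_download_url(user_id=7, object_id=17)
    qs = url.split("?", 1)[1]
    print("user 7, own link    :", authorize_download(7, qs))
    print("user 7, id tampered :", authorize_download(7, qs.replace("id=17", "id=18")))
    print("user 8, stolen link :", authorize_download(8, qs))
```

    The alternative the file-token lecture points at is to drop the numeric id entirely and hand out a random opaque handle that a server-side table maps back to the file; the HMAC version above avoids that table but still exposes the id, which is why the ownership check must remain.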

Directory Browsing / Traversal Threat Demonstration
  • Directory Browsing / Traversal Threat Demonstration  

    Directory browsing or directory traversal as a normal user - demonstration

XXE - XML External Entity Attack
  • XXE - XML External Entity Attack  

    Test the web app for the XML External Entity attack

User Agent Manipulation or Spoofing Attack
  • User Agent Manipulation or Spoofing Attack  

    How to manipulate the browser user agent using a browser plugin

Security Misconfiguration Attack Defenses (DIR Browsing, XXE, User Agent)
  • Security Misconfiguration Attack Defenses (DIR Browsing, XXE, User Agent)  

    Defense points for the popular security misconfiguration attacks such as directory browsing, XML External Entity and user agent manipulation

Sensitive Data Exposure Vulnerability (HTML/CSS/JS Comments)
  • Sensitive Data Exposure Vulnerability (HTML/CSS/JS Comments)  

    The problems caused by the sensitive data exposure vulnerability and the precautions to prevent it

Hidden / Secret URL Vulnerability and Defenses
  • Hidden / Secret URL Vulnerability and Defenses  

    How to make use of the hidden / secret URL vulnerability to intrude into admin pages, and the defense points to consider

HTML 5 Web Storage Vulnerability and Defenses
  • HTML 5 Web Storage Vulnerability and Defenses  

    We will learn how to manipulate the HTML 5 key-value pairs kept in web storage, change the values in them, and the preventive measures.

  • Download Files here  

    Download Files here

Role Based Access Vulnerability and Defense
  • Role Based Access Vulnerability and Defense  

    Learn about Role Based Access Vulnerability and Defense

CSRF - Cross Site Request Forgery Attack
  • CSRF - Cross Site Request Forgery Attack - Part 1  

    CSRF - Cross Site Request Forgery Attack - Part 1

  • CSRF - Cross Site Request Forgery Attack & Defenses - Part 2  

    CSRF - Cross Site Request Forgery Attack & Defenses - Part 2

  • csrf.txt file download  

    csrf.txt file 

Entropy Analysis for CSRF Token
  • Entropy Analysis for CSRF Token  

    Analyze the magnitude of entropy of the token generated to prevent CSRF attacks
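    A small version of the entropy analysis this lecture describes, added here as an example and not the course's own material. It measures the Shannon entropy of a sample of CSRF tokens both pooled over all characters and per character position, and compares a constructed weak generator (a hex counter) with a constructed seeded-PRNG generator. The 64-bit threshold and the sample sizes are assumptions for the demo.

```python
import math
import random
from collections import Counter

HEX_ALPHABET = "0123456789abcdef"


def pooled_bits_per_char(tokens):
    """Shannon entropy of the symbol distribution pooled over all token characters."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def positional_bits(tokens):
    """Entropy of each character position, measured across the token sample."""
    n = len(tokens)
    width = len(tokens[0])
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def estimated_token_bits(tokens):
    """Estimate of the token's entropy: the sum of per-position entropies.

    Entropy is subadditive, so this is an upper bound on the true joint entropy;
    a generator that fails it is certainly weak.
    """
    return sum(positional_bits(tokens))


def passes_entropy_check(tokens, min_bits=64.0):
    return estimated_token_bits(tokens) >= min_bits


def sequential_tokens(count, width=32):
    """Constructed weak generator: a zero-padded hex counter (predictable, low entropy)."""
    return [format(i, f"0{width}x") for i in range(count)]


def seeded_prng_tokens(count, width=32, seed=1234):
    """Constructed 'random-looking' generator from a seeded PRNG: statistically fine,
    but anyone who knows the seed can reproduce every token."""
    rng = random.Random(seed)
    return ["".join(rng.choice(HEX_ALPHABET) for _ in range(width)) for _ in range(count)]


if __name__ == "__main__":
    for name, sample in (("sequential", sequential_tokens(256)),
                         ("seeded PRNG", seeded_prng_tokens(256))):
        print(f"{name:12s} bits/char={pooled_bits_per_char(sample):.2f} "
              f"estimated bits={estimated_token_bits(sample):.1f} "
              f"pass={passes_entropy_check(sample)}")
```

    The counter fails clearly: 30 of its 32 positions never change. The seeded PRNG passes, which is the caveat of entropy analysis: it measures statistical spread, not unpredictability, so it can reject a bad generator but cannot prove a good one. Tokens for production should come from a cryptographically secure source such as Python's secrets module, and the analysis is a sanity check on top of that.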

CVSS - Common Vulnerability Scoring System
  • CVSS - Common Vulnerability Scoring System  

    Use CVSS, the Common Vulnerability Scoring System, to read the severity score of published vulnerabilities in the language runtime or plugins your application uses, then find and apply the patches

Unvalidated URL Redirect Attack and Prevention code sample
  • Unvalidated URL Redirect Attack and Prevention code sample  

    How to perform an unvalidated URL redirect attack and analyze the prevention code sample
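    An added example of a redirect validator, written for this page and not the course's own prevention sample: it accepts only same-site paths or absolute URLs to an allow-listed host, and rejects the usual bypasses (protocol-relative "//evil.com", user-info tricks, backslashes, non-http schemes). The allowed hostnames and the default landing path are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the application's own hostnames; in practice load these from configuration.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-site absolute path or an http(s) URL to an allow-listed host."""
    if not target:
        return False
    # Backslashes, whitespace and control characters are normalised differently by
    # browsers and by urlsplit (Chrome turns "/\evil.com" into "//evil.com"); refuse them.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, ...
    if parts.netloc:
        # Absolute ("https://host/...") or protocol-relative ("//host/...") URL.
        if parts.username is not None or parts.password is not None:
            return False  # "https://example.com@evil.com/" user-info trick
        return parts.hostname is not None and parts.hostname in allowed_hosts
    # No authority part: accept only a single-leading-slash path. "//host" was
    # already parsed as netloc above; "///evil.com" and "http:/evil.com" end up here
    # and are rejected.
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target, default=DEFAULT_TARGET):
    """What a login handler should call instead of redirecting to the `next` parameter blindly."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    for candidate in ("/account", "https://www.example.com/home", "//evil.com/phish",
                      "https://example.com@evil.com/", "/\\evil.com", "javascript:alert(1)"):
        print(f"{candidate!r:40s} -> {resolve_redirect(candidate)!r}")
```

    The allow-list is matched on the parsed hostname, never by string prefix, so "https://example.com.evil.com/" is rejected as well; where only local paths are ever needed, drop the host branch and keep just the leading-slash rule.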
