Courses | Technitics Consulting

Web Application Security

Overview

Most intrusions today begin by compromising the target's web application. The goal of this specialty domain is to identify professionals with excellent skills in both hacking and securing web applications.

Pre-requisites

  1. In-depth understanding of web application architecture.
  2. Exposure to web application development will add value.
  3. Understanding of database management systems.
  4. Thorough knowledge of all the OWASP Top Ten vulnerabilities.
  5. Experience in programming.

Web Application Security Boot-camps

You can attend in-depth Web Application Security boot-camps offered by ISAC-approved partners.

Program contents:

Introduction to Web Apps & Architecture

Introduction
Components of a web application
Basic Architecture
Static and Dynamic Websites

Web technologies

J2EE, ASP.NET, PHP
Overview of SOAP, XML and Web services
Overview of JSON

Top 10 Web Application Threats (the OWASP Top Ten, 2007 edition)

Cross Site Scripting (XSS)
Injection Flaws
Malicious File Execution
Insecure Direct Object Reference
Cross Site Request Forgery (CSRF)
Information Leakage and Improper Error Handling
Broken Authentication and Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access

Web Application Penetration Testing

Information Gathering
Configuration Management Testing
Authentication Testing
Session Management Testing
Authorization Testing
Business Logic Testing
Data Validation Testing
Testing for Denial of Service
Web services testing
AJAX testing

Advanced Application Security

Application Threat Modeling
Secure coding principles for web applications
Security Policies
Using compiler defense mechanisms
Source code analysis
Code Review (Asp.net & J2EE)
Documenting and reporting risks

Lab exam blueprint

The lab exam consists of a "Hacking Challenge". The candidate is given a URL to a target application together with specific challenges to achieve against it.

Objectives:

  1. Identify all vulnerabilities present in the web application.
  2. Exploit the application in any way you can to read the contents of a file on the remote system; the file's name will be disclosed to you just before the challenge commences.
  3. If possible, obtain 'root' / 'Administrator' access on the remote system.

Hands-on recommended

At the end of the lab exam, the candidate must submit a report that explains exactly how the 'Hacking Challenge' was solved. It is expected to be as technical as possible, with every step documented in detail.

The report must include:

  1. Findings
  2. The challenges you faced
  3. All the critical vulnerabilities that were found
  4. The exact penetration approach that was used
  5. Specific answers as required by the lab

You will be given an answer paper on which the above details have to be provided.