MindGrove - the Audit and Risk Specialists

Testing the Security of Web Applications

All organisations, except the smallest, have a website presence; most organisations have web applications. But these beneficial channels of activity often prove to be an organisation’s “Achilles’ heel”. The problem stems from the client-server paradigm and the difficulty of controlling a remote user. This course provides a stimulating “hands-on” introduction to the “ethical” security testing of web-based applications.

This course can be run using a demonstration workstation to illustrate techniques, run from passively captured sequences, or, for small groups, even run as an interactive hands-on course.

Suitability and duration

Suitability: All levels

Duration: 2 days


Who should attend

Those with an interest in web based application security. Those from the domains of IT Audit and IT Security will find this course of greatest practical benefit. The course uses a mixture of briefings and interactive case study work to maximise knowledge transfer. Class size is limited.


Benefits

Skills

After completion of this course, you will be able to:

  • Describe the types of attack that are possible on web based client-server systems
  • Know how to fingerprint and cross-check a website for vulnerabilities
  • Deploy simple strategies for determining common web vulnerabilities
  • Explore client and server side vulnerabilities by deploying a wide range of ethical hacking and exploratory scenarios
  • Display a practical approach to the cost-effective construction of anti-hacking controls


Support Materials

This course is accompanied by a detailed manual that contains briefing notes, explanations of network protocols and mechanisms and an integrated work programme to use on return to work.


Programme

Introduction to web based application security

  • The world wide web and client–server systems
  • Attacks on client and server vulnerabilities
  • Attack by a man in the middle


Background essentials

  • The HTTP protocol – enough to get you started
  • HTML – enough to get you started
  • Servers and extensions, cookies and scripts – enough to get you started


Practical 1 – first beginnings

  • Probing your website – revealing the underpinning software and services – fingerprinting the server
  • Cross-checking your website – vulnerability mapping of deployed products


Practical 2 – getting to know your website

  • Capturing your website – downloading the code, following the links, mapping the site
  • Brainstorming the code – sieving for trouble
  • Guessing the obvious – directory guessing and roving, prompting errors and error feedback


Practical 3 – targeting the client

  • Overcoming restrictions
  • By-passing validation
  • Setting up a man-in-the-middle proxy
  • Attacking parameters and scripts
  • Revealing and targeting hidden fields


Practical 4 – changing data

  • Overflow and null string attacks – the obvious weak spots
  • Data exchanged between users – cross site scripting
  • Database attacks – SQL injection


Practical 5 – targeting the server

  • More complex SQL strategies
  • Denial of service attacks


Bringing it all together

  • Reporting back on findings
  • Ensuring that problems are rectified
  • Keeping your knowledge up to date

© 2012 MindGrove Ltd. All rights reserved