Smart University Home > Web Application Pen testing - Hands-On Immersion
Training Module 
Module designed and coordinated by Jason Lam, Sans Institute (Canada)

Dates & Location:
2 days - September 23-24, 2009, Sophia-Antipolis (French Riviera)

A laptop is required for this course.

Who should attend?
• Infrastructure penetration testers who are trying to expand into pen testing Web applications
• Developers who are interested in testing their applications against common vulnerabilities
• QA testers who are responsible for testing security vulnerabilities in applications
• Information security professionals with some background in hacker exploits

Sampling of Exercices
• Web Fingerprinting
• Input Manipulation
• Blind SQL Injection
• Non-obvious Session Issues
• Brute Forcing Credentials
• Cross-Site Scripting
• Code Review


In the first half of 2008, five million Web sites were compromised by automated SQL injection attacks. The hackers' goal was to inject links to malicious content in order to infect the users of the Web application. These automated attacks do not show any sign of stopping and will likely visit your Web applications in the near future. Don't want to be a part of the statistics? Performing runtime testing is essential to making your Web site secure. Developer 538 is a two-day course focusing on up-to-date, hands-on testing of Web application security.
This fast-paced course is ideal for students who have a basic understanding of Web application security vulnerabilities and testing methodologies and are looking to refresh and upgrade their skill set in pen testing Web applications. It is also well suited to infrastructure pen testers who are expanding testing scope to Web applications. If you are going to be testing Web applications in the next few months, this course will help you brush up on your Web application security testing knowledge. Whatever your level is, it will give you confidence to know that you have the hands-on experience to perform testing against common vulnerabilities.
This action-packed, two-day course has a strong, hands-on focus -- exercises are designed to give you experience with real-world vulnerabilities. Throughout the two days, you will be using various testing concepts to test vulnerable Web applications. The target applications are as realistic as possible. The labs are structured so both novices and intermediate students can enjoy the learning experience.


DAY 1: September 23rd, 2009

9:00 am - 5:00 pm
We start off with a brief overview of the testing methodologies and then step through the reconnaissance and mapping phase of pen testing Web applications. Concepts and techniques are reinforced by hands-on exercises. Vulnerability discovery in infrastructure components, authentication, and session mechanism are covered. After discussing how to discover the vulnerabilities, we learn how to exploit them. Real Opensource software is used as attack targets so students can get hands-on experience with real-life applications.

- Mapping and spidering Web site
- Using proxy tools
- Discovery of Authorization problems
- Session Token stealing and session hijacking

DAY 2: September 24th, 2009

9:00 am - 5:00 pm
Discovery and exploitation of various input-related vulnerabilities are the focus on this second day. We begin with an overview of the various vulnerabilities and an explanation of how weak input validation can be a potential avenue for exploitation. Then we go through a step-by-step approach to discover and exploit SQL injection vulnerability with various real-life examples to demonstrate the approach. Discussion and a hands-on exercise with Cross-Site Scripting and HTTP response splitting follow. We'll wrap up this second day by exploring how to automate the testing techniques discussed throughout the course.


- SQL Injection and related query enumeration
- Blind SQL injection
- Cross-Site Scripting discovery
- Cross-Site Scripting exploitation
- Code Analysis

To register (on the SANS Institute website), click here