
The Most Advanced course on Web Application Penetration Testing

WAPTX at a glance:
- Self-paced, online, flexible access
- 1100+ interactive slides and 4+ hours of video material
- 50 labs to practice attack techniques and exploits

Web Application Penetration Testing eXtreme

SYLLABUS

- The SQLi multi-platform test-bed lab: try SQLi on MySQL, SQL Server and Oracle
- Based on latest Web Application Penetration Testing research
- Master Advanced Web Application Security tools
- In depth Web Application Vulnerabilities analysis
- Much more than simple XSS, SQL Injection, HTML5
- Advanced obfuscation and encoding techniques
- Bypassing filters and WAF techniques
- HTML5 attack vectors and exploits
- Prepares for the eWPTX certification

eLearnSecurity has students in 148 countries in the world and from leading organizations.

Course home page: www.elearnsecurity.com/course/web_application_penetration_testing_extreme

Course description:
Web Application Penetration Testing eXtreme is an extremely practical online course
on the most advanced web application penetration testing techniques.
This training course is tied to Hera Lab where the students will access a number of
laboratories for each learning module.

Pre-requisites:
This course is an advanced course that requires the following pre-requisites:

- Deep understanding of HTML, HTTP, Server-side languages, XML, JavaScript.
- Good understanding and practical proficiency of XSS, XSRF, SQLi and basic HTML5 attacks.
- Reading and understanding PHP code will help although not mandatory.
- Basic development skills required.

The eLearnSecurity WAPT course provides most of the above pre-requisites.

Who should take this course?

WAPTX course is mainly geared towards:

- Penetration Testers
- Web Developers
- IT Security professionals with a technical background

How am I going to learn this?

eLearnSecurity courses are very interactive and addictive. During this training course
you will have to deal with several guided labs, so knowledge and fun is guaranteed.
Every module comes with videos and practical lessons, so do not expect the outdated
way of learning by just reading pages of theoretical methodologies.

Will I get a certificate?

Once you satisfy the requirements of the final practical certification test, you will be
awarded an eLearnSecurity Web Penetration Tester eXtreme certificate and will hold
the eWPTX certification.

Course outline
The WAPTX is a follow up of the WAPT course at an extreme level. This course
brings students into a new world of advanced exploitation techniques using real-world
scenarios. All served with challenging and extremely hands-on laboratories in
which to put the covered techniques in practice.

- Module 1: Encoding and Filtering
- Module 2: Evasion Basic
- Module 3: Cross-Site Scripting
- Module 4: XSS Filter Evasion and WAF Bypassing
- Module 5: Cross-Site Request Forgery
- Module 6: HTML 5
- Module 7: SQL Injections
- Module 8: SQLi Filter Evasion and WAF Bypassing
- Module 9: XML Attacks

Module 1: Encoding and Filtering

This module is not just another module on encoding. It's a course in the course with
some esoteric encoding skills that will be helpful during the rest of the course.
Understanding what kind of data encoding is being used and how it works is
fundamental in ensuring that the tests are performed as intended; that's why this
module starts with the basic concept of Data Encoding.
The following section is all about Filtering Basics, starting from a brief introduction
on how to deal with Regular Expressions, to understanding how to detect, fingerprint
and evade Web Application Firewalls, to finally conclude with analyzing the most
common client-side defensive mechanisms.

1. Introduction
1.1. Data encoding basics
1.1.1. Dissecting encoding types
1.1.1.1. URL Encoding
1.1.1.2. HTML Encoding
Document character encoding
Character references
1.1.1.3. Base (36|64) encoding
Base 36
Base 64
1.1.1.4. Unicode encoding
1.1.2. Multiple (De|En)codings
1.2. Filtering basics
1.2.1. Regular Expressions
1.2.1.1. Metacharacters
1.2.1.2. Shorthand character classes
1.2.1.3. Non-printing characters
1.2.1.4. Unicode
1.2.2. Web Application Firewall
1.2.2.1. WAF Detection and Fingerprinting
1.2.3. Client-side Filters

Module 2: Evasion Basic

This module provides advanced coverage of the most modern filter evasion techniques
using different client-side and server-side languages.
To have a complete understanding of filters and encoding, this module introduces the
main Evasion Techniques that start from Base64 and lesser known URI obfuscation
techniques and concludes with JavaScript and PHP Obfuscation techniques.

2. Introduction
2.1. Base64 Encoding evasion
2.2. URI Obfuscation techniques
2.2.1. URL shortening
2.2.2. URL Hostname obfuscation
2.3. JavaScript Obfuscation Techniques
2.3.1. JavaScript Encoding
2.3.1.1. Non-alphanumeric
2.3.2. JavaScript Compressing
2.3.2.1. Minifying
2.3.2.2. Packing
2.4. PHP Obfuscation Techniques
2.4.1. Basic Language Reference
2.4.1.1. Type Juggling
2.4.1.2. Numerical Data types
2.4.1.3. String Data types
2.4.1.4. Array Data types
2.4.1.5. Variable Variables
2.4.2. Non-alphanumeric Code
2.4.2.1. String generation
2.4.2.2. Hackvector.co.uk

Module 3: Cross-Site Scripting

This module is entirely dedicated to Cross-site Scripting attacks. It starts from a brief
recap of the different types of XSS and after that introduces Advanced Attack
Techniques and exotic XSS vectors. This module covers how to exploit any kind of XSS
with the most advanced tools available.

3. Introduction
3.1. Cross-Site Scripting
3.1.1. Reflected XSS
3.1.2. Persistent XSS
3.1.3. DOM XSS
3.1.4. Universal XSS
3.2. XSS Attacks
3.2.1. Cookie Grabbing
3.2.1.1. Script Injection
3.2.1.2. Cookie Recording & Logging
3.2.1.3. Bypassing HTTPOnly flag
Cross-site Tracing (XST)
CVE-2012-0053
BeEF's Tunneling Proxy
3.2.2. Defacements
3.2.2.1. Virtual Defacement
3.2.2.2. Persistent Defacement
3.2.3. Phishing
3.2.4. Keylogging
3.2.4.1. Keylogging with Metasploit
3.2.4.2. Keylogging with BeEF
3.2.5. Network Attacks
3.2.5.1. IP detection
3.2.5.2. Subnet detection
3.2.5.3. Ping Sweeping
3.2.5.4. Port Scanning
Simple Port Scanner
HTML5 alternatives
3.2.6. Self-XSS
3.2.6.1. Browsers security measures
Chromium based browser
Mozilla Firefox based browser
Internet Explorer
Safari
3.2.6.2. JavaScript console limitations
3.3. Exotic XSS Vectors
3.3.1. Mutation-based XSS
3.3.1.1. mXSS Examples
3.3.1.2. mXSS Multiple Mutations

Hera Labs are included in this module

Module 4: XSS Filter Evasion and WAF Bypassing

In this module the student will learn about advanced Filter Evasion and WAF bypassing
techniques. Starting from simple Blacklisting filters, the student will go through
different mechanisms to bypass common input sanitization techniques, browser filters
and much more.
The student will not only find a number of well-known vectors but will also
understand how to find new ones.
At the end of this module the student will be able to recognize the presence of WAFs
and filters and implement effective bypassing techniques.

4. Introduction
4.1. Bypassing Blacklisting Filters
4.1.1. Injecting Script Code
4.1.1.1. Bypassing weak <script> tag banning
4.1.1.2. ModSecurity > Script tag based XSS
4.1.1.3. Beyond <script> tag: Using HTML attributes
4.1.2. Keyword based filter
4.1.2.1. Character escaping
Unicode
Decimal, Octal, Hexadecimal
4.1.2.2. Constructing Strings
4.1.2.3. Execution Sinks
4.1.2.4. Pseudo-protocols
Data
Vbscript
4.2. Bypassing Sanitization
4.2.1. String Manipulations
4.2.1.1. Removing HTML Tags
4.2.1.2. Escaping Quotes
4.2.1.3. Escaping Parentheses
4.3. Bypassing Browser Filters
4.3.1. (Un)Filtered Scenarios
4.3.1.1. Injecting inside HTML attributes
4.3.1.2. Injecting inside SCRIPT tag
4.3.1.3. Injecting inside event attributes
4.3.1.4. DOM Based
4.3.1.5. Other scenarios

Hera Labs are included in this module

Module 5: Cross-Site Request Forgery

This module is entirely dedicated to Cross-Site Request Forgery attacks. It starts from
a brief recap about the basics of this vulnerability and after that introduces the main
attack techniques and vectors. During this module we will see how to exploit weak
Anti-CSRF mechanisms, concluding with Advanced Exploitation techniques.

5. Introduction
5.1. XSRF: Recap & More
5.1.1. Vulnerable scenario
5.2. Attack Vectors
5.2.1. Force Browsing with GET
5.2.1.1. Example: Change email address
5.2.2. Post Requests
5.2.2.1. Auto-submitting form > v1
5.2.2.2. Auto-submitting form > v2
5.3. Exploiting Weak Anti-CSRF Measures
5.3.1. Using Post-only requests
5.3.2. Multi-Step Transactions
5.3.3. Checking Referer Header
5.3.4. Predictable Anti-CSRF token
5.3.5. Unverified Anti-CSRF token
5.3.6. Secret Cookies
5.4. Advanced CSRF Exploitation
5.4.1. Bypassing CSRF defenses with XSS
5.4.1.1. Bypassing Anti-CSRF Token
Request a valid form with a valid token
Extract the valid token from the source code
Forge the form with the stolen token
5.4.2. Bypassing Anti-CSRF Token Brute forcing

Hera Labs are included in this module

Module 6: HTML 5

This module is entirely dedicated to HTML5 and its new attack vectors. It starts from a
recap about this language, analyzing the main features on which to focus our security
research.
After that, we will go in depth into the main Exploitation techniques and attack
scenarios. Once the security concerns related to HTML5 features have been analyzed,
the student will learn about the most common security mechanisms developers use:
these are critical to understand how to leverage even more sophisticated attacks.
The module concludes with an analysis of the UI Redressing attacks and an overview
of related new Attack Vectors introduced with HTML5.

6. Introduction
6.1. HTML5: Recap & More
6.1.1. Semantics
6.1.1.1. New attack vectors
Form Elements
Media Elements
Semantic/Structural Elements
Attributes
6.1.2. Offline & Storage
6.1.2.1. Web Storage > Attack Scenario
Session Hijacking
6.1.2.2. Offline Web Application > Attack Scenario
6.1.3. Device Access
6.1.3.1. Geolocation > Attack Scenario
6.1.3.2. Fullscreen mode > Attack Scenario
Phishing
6.1.4. Performance, Integration & Connectivity
6.1.4.1. Attack Scenarios
6.2. Exploiting HTML5
6.2.1. CORS Attack Scenario
6.2.1.1. Universal Allow
Allow by wildcard value *
Allow by server-side
6.2.1.2. Weak Access Control
Check Origin Example
6.2.1.3. Intranet Scanning
JS-Recon
6.2.1.4. Remote Web Shell
The Shell of the Future
6.2.2. Storage Attack Scenarios
6.2.2.1. Web Storage
Session Hijacking
Cross-directory attacks
User Tracking and Confidential Data disclosure
6.2.2.2. IndexedDB
IndexedDB vs WebSQL Database
6.2.3. Web Messaging Attack Scenarios
6.2.3.1. Web Messaging
DOM XSS
Origin Issue
6.2.4. Web Sockets Attack Scenarios
6.2.4.1. Web Sockets
Data Validation
MiTM
Remote Shell
Network Reconnaissance
6.2.5. Web Workers Attack Scenarios
6.2.5.1. WebWorkers
Browser-Based Botnet
Distributed Password Cracking
DDoS Attacks
6.3. HTML5 Security Measures
6.3.1. Security Headers
6.3.1.1. X-XSS-Protection
6.3.1.2. X-Frame-Options
6.3.1.3. Strict-Transport-Security
6.3.1.4. X-Content-Type-Options
6.3.1.5. Content Security Policy
6.4. UI Redressing: The x-Jacking Art
ClickJacking
LikeJacking
StrokeJacking
6.4.1. New Attack Vectors in HTML5
6.4.1.1. Drag-and-Drop
Text Field Injection
Content Extraction

Module 7: SQL Injections

This module is entirely dedicated to SQL Injection attacks. It starts from a brief recap
of the main classification of the exploitation techniques and after that introduces
Advanced Attack Techniques on different DBMSs.

7. Introduction
7.1. SQL Injection: Recap & More
7.2. Exploiting SQLi
7.2.1. Techniques Classification
7.2.2. Gathering Information from the Environment
7.2.2.1. Identify the DBMS
Error Codes Analysis > MySQL
Error Codes Analysis > MSSQL
Error Codes Analysis > Oracle
Banner Grabbing
Educated Guessing
String Concatenation
Numeric Functions
SQL Dialect
7.2.2.2. Enumerating the DBMS Content
MySQL
MSSQL
Oracle
Tables & Columns
Users and Privileges
7.3. Advanced SQLi Exploitation
7.3.1. Out-of-Band Exploitation
7.3.1.1. Alternative OOB Channels
7.3.1.2. OOB via HTTP
Oracle URL_HTTP Package
Oracle HTTPURITYPE Package
7.3.1.3. OOB via DNS
DNS Exfiltration Flow
Provoking DNS requests
MySQL
MSSQL
Oracle
7.3.2. Exploiting Second-Order SQL Injection
7.3.2.1. First-order example
7.3.2.2. Security Considerations
7.3.2.3. Automation Considerations

Module 8: SQLi Filter Evasion and WAF Bypassing

In this advanced module the student will learn about advanced Filter Evasion and WAF
bypassing techniques. These ground skills will be necessary to understand and master
the most important purpose-built tools.
At the end of this module the student will be able to recognize the presence of WAFs
and filters and implement effective bypassing techniques.

8. Introduction
8.1. DBMS gadgets
8.1.1. Functions
8.1.2. Constants and variables
8.1.3. System variables
8.1.4. Typecasting
8.2. Bypassing Keywords filters
8.2.1. Using comments
8.2.2. Case changing
8.2.3. Replaced keywords
8.2.4. Circumventing by Encoding
8.2.5. URL encode
8.2.6. Double URL encode
8.2.7. Characters encoding
8.2.8. Inline comments
8.2.9. Allowed Whitespaces
8.3. Bypassing Functions filters
8.4. Bypassing Regular Expression filters

Hera Labs are included in this module

Module 9: XML Attacks

This module is entirely dedicated to XML attacks. It starts from a recap about this
language. It then dives into the most modern related attacks such as XML Tag
Injection, XXE, XEE and XPath Injection. For each of them, basic and advanced
exploitation techniques are analyzed.
At the end of this module the student will be able to pentest complex applications
using XML.

9. Introduction
9.1. XML Attacks: Recap & More
9.1.1. Entities block
9.1.1.1. XML Document with External DTD + Entities
9.2. XML Tag Injection
9.2.1. Testing XML Injection
9.2.1.1. Single/Double Quotes
9.2.1.2. Ampersand
9.2.1.3. Angle brackets
9.2.1.4. XSS with CDATA
9.3. XML eXternal Entity
9.3.1. Taxonomy
9.3.1.1. External Entities: Private vs Public
9.3.2. Resource Inclusion
9.3.3. Resource Inclusion Improved
9.3.3.1. Invalid resource to extract
9.3.3.2. CDATA Escape using Parameter Entities
9.3.3.3. php:// I/O Stream
9.3.4. Bypassing Access Control
9.3.5. Out-Of-Band Data Retrieval
9.3.5.1. OOB via HTTP
9.3.5.2. OOB via HTTP using XXEServe
9.4. XML Entity Expansion
9.4.1. Recursive Entity Expansion
9.4.1.1. Billion Laughs Attack
9.4.2. Generic Entity Expansion
9.4.2.1. Quadratic Blowup Attack
9.4.3. Remote Entity Expansion
9.5. XPath Injection
9.5.1. XPath 1.0 vs 2.0
9.5.1.1. New Operations and Expressions on Sequences
Functions on Strings
Function accessors
FOR Operator
Conditional Expression
Regular Expression
Assemble/Disassemble String
9.5.1.2. Data Types
9.5.2. Advanced XPath Exploitation
9.5.2.1. Blind Exploitation
Error Based
Boolean Based
9.5.2.2. OOB Exploitation
HTTP Channel
DNS Channel

Hera Labs are included in this module

About eLearnSecurity
A leading innovator in the field of practical, hands-on IT security training.
Based in Pisa (Italy), Dubai (UAE) and San Jose (USA), eLearnSecurity is a leading
provider of IT security and penetration testing courses, including certifications for IT
professionals.
eLearnSecurity's mission is to advance the career of IT security professionals by
providing affordable and comprehensive education and certification. All
eLearnSecurity courses utilize engaging eLearning and the most effective mix of
theory, practice and methodology in IT security - all with real-world lessons that
students can immediately apply to build relevant skills and keep their organizations'
data and systems safe.

eLearnSecurity 2014
Via Matteucci 36/38
56124 Pisa, Italy
For more information, please visit http://www.elearnsecurity.com.
