WAPTX at a glance:
Self-paced, online, flexible access
1100+ interactive slides and 4+ hours of video material
50 labs to practice attack techniques and exploits
SYLLABUS
Course description:
Web Application Penetration Testing eXtreme is an extremely practical online course
on the most advanced web application penetration testing techniques.
This training course is tied to Hera Lab where the students will access a number of
laboratories for each learning module.
Pre-requisites:
This course is an advanced course that requires the following pre-requisites:
Penetration Testers
Web Developers
IT Security professionals with a technical background
Course outline
The WAPTX is a follow-up to the WAPT course at an extreme level. This course brings students into a new world of advanced exploitation techniques using real-world scenarios, all served with challenging and extremely hands-on laboratories in which to put the covered techniques into practice.
- Module 1: Encoding and Filtering
- Module 6: HTML 5
- Module 7: SQL Injections
Introduction
1.1. Data encoding basics
1.1.1. Dissecting encoding types
1.1.1.1. URL Encoding
1.1.1.2. HTML Encoding
Character references
1.1.1.3. Base (36|64) encoding
Base 36
Base 64
1.1.1.4. Unicode encoding
1.1.2. Multiple (De|En)codings
1.2. Filtering basics
1.2.1. Regular Expressions
1.2.1.1. Metacharacters
1.2.1.2. Shorthand character classes
1.2.1.3. Non-printing characters
1.2.1.4. Unicode
1.2.2. Web Application Firewall
1.2.2.1. WAF Detection and Fingerprinting
1.2.3. Client-side Filters
Introduction
2.1. Base64 Encoding evasion
2.2. URI Obfuscation techniques
2.2.1. URL shortening
2.2.2. URL Hostname obfuscation
2.3. JavaScript Obfuscation Techniques
2.3.1. JavaScript Encoding
2.3.1.1. Non-alphanumeric
2.3.2. JavaScript Compressing
2.3.2.1. Minifying
2.3.2.2. Packing
2.4. PHP Obfuscation Techniques
2.4.1. Basic Language Reference
2.4.1.1. Type Juggling
2.4.1.2. Numerical Data types
2.4.1.3. String Data types
2.4.1.4. Array Data types
2.4.1.5. Variable Variables
2.4.2. Non-alphanumeric Code
2.4.2.1. String generation
2.4.2.2. Hackvector.co.uk
Introduction
3.1. Cross-Site Scripting
3.1.1. Reflected XSS
3.1.2. Persistent XSS
3.1.3. DOM XSS
3.1.4. Universal XSS
3.2. XSS Attacks
3.2.1. Cookie Grabbing
3.2.1.1. Script Injection
3.2.1.2. Cookie Recording & Logging
3.2.1.3. Bypassing HTTPOnly flag
Cross-site Tracing (XST)
CVE: 2012-0053
BeEF's Tunneling Proxy
3.2.2. Defacements
3.2.2.1. Virtual Defacement
3.2.2.2. Persistent Defacement
3.2.3. Phishing
3.2.4. Keylogging
3.2.4.1. Keylogging with Metasploit
3.2.4.2. Keylogging with BeEF
3.2.5. Network Attacks
3.2.5.1. IP detection
3.2.5.2. Subnet detection
3.2.5.3. Ping Sweeping
3.2.5.4. Port Scanning
Simple Port Scanner
HTML5 alternatives
3.2.6. Self-XSS
3.2.6.1. Browsers security measures
Chromium based browser
Mozilla Firefox based browser
Internet Explorer
Safari
3.2.6.2. JavaScript console limitations
3.3. Exotic XSS Vectors
3.3.1. Mutation-based XSS
3.3.1.1. mXSS Examples
3.3.1.2. mXSS Multiple Mutations
Introduction
4.1. Bypassing Blacklisting Filters
4.1.1. Injecting Script Code
4.1.1.1. Bypassing weak <script> tag banning
4.1.1.2. ModSecurity > Script tag based XSS
4.1.1.3. Beyond <script> tag: Using HTML attributes
4.1.2. Keyword based filter
4.1.2.1. Character escaping
Unicode
Decimal, Octal, Hexadecimal
4.1.2.2. Constructing Strings
4.1.2.3. Execution Sinks
4.1.2.4. Pseudo-protocols
Data
Vbscript
4.2. Bypassing Sanitization
4.2.1. String Manipulations
4.2.1.1. Removing HTML Tags
4.2.1.2. Escaping Quotes
4.2.1.3. Escape Parenthesis
4.3. Bypassing Browser Filters
4.3.1. (Un)Filtered Scenarios
4.3.1.1. Injecting inside HTML attributes
4.3.1.2. Injecting inside SCRIPT tag
4.3.1.3. Injecting inside event attributes
4.3.1.4. DOM Based
4.3.1.5. Other scenarios
Introduction
5.1. XSRF: Recap & More
5.1.1. Vulnerable scenario
5.2. Attack Vectors
5.2.1. Force Browsing with GET
5.2.1.1. Example: Change email address
5.2.2. Post Requests
5.2.2.1. Auto-submitting form > v1
5.2.2.2. Auto-submitting form > v2
5.3. Exploiting Weak Anti-CSRF Measures
5.3.1. Using Post-only requests
5.3.2. Multi-Step Transactions
5.3.3. Checking Referer Header
5.3.4. Predictable Anti-CSRF token
5.3.5. Unverified Anti-CSRF token
5.3.6. Secret Cookies
5.4. Advanced CSRF Exploitation
5.4.1. Bypassing CSRF defenses with XSS
5.4.1.1. Bypassing Anti-CSRF Token
Request a valid form with a valid token
Extract the valid token from the source code
Forge the form with the stolen token
5.4.2. Bypassing Anti-CSRF Token Brute forcing
Introduction
6.1. HTML5: Recap & More
6.1.1. Semantics
6.1.1.1. New attack vectors
Form Elements
Media Elements
Semantic/Structural Elements
Attributes
6.1.2. Offline & Storage
6.1.2.1. Web Storage > Attack Scenario
Session Hijacking
6.1.2.2. Offline Web Application > Attack Scenario
6.1.3. Device Access
6.1.3.1. Geolocation > Attack Scenario
6.1.3.2. Fullscreen mode > Attack Scenario
Phishing
6.1.4. Performance, Integration & Connectivity
6.1.4.1. Attack Scenarios
6.2. Exploiting HTML5
6.2.1. CORS Attack Scenario
6.2.1.1. Universal Allow
Allow by wildcard value *
Allow by server-side
6.2.1.2. Weak Access Control
Check Origin Example
6.2.1.3. Intranet Scanning
JS-Recon
6.2.1.4. Remote Web Shell
The Shell of the Future
6.2.2. Storage Attack Scenarios
6.2.2.1. Web Storage
Session Hijacking
Cross-directory attacks
User Tracking and Confidential Data disclosure
6.2.2.2. IndexedDB
IndexedDB vs WebSQL Database
6.2.3. Web Messaging Attack Scenarios
6.2.3.1. Web Messaging
DOM XSS
Origin Issue
6.2.4. Web Sockets Attack Scenarios
Introduction
8.1. DBMS gadgets
8.1.1. Functions
8.1.2. Constants and variables
8.1.3. System variables
8.1.4. Typecasting
8.2. Bypassing Keywords filters
8.2.1. Using comments
8.2.2. Case changing
8.2.3. Replaced keywords
8.2.4. Circumventing by Encoding
8.2.5. URL encode
8.2.6. Double URL encode
8.2.7. Characters encoding
8.2.8. Inline comments
8.2.9. Allowed Whitespaces
8.3. Bypassing Functions filters
8.4. Bypassing Regular Expression filters
Introduction
9.1. XML Attacks: Recap & More
9.1.1. Entities block
9.1.1.1. XML Document with External DTD + Entities
9.2. XML Tag Injection
9.2.1. Testing XML Injection
9.2.1.1. Single/Double Quotes
9.2.1.2. Ampersand
9.2.1.3. Angular parentheses
9.2.1.4. XSS with CDATA
9.3. XML eXternal Entity
9.3.1. Taxonomy
9.3.1.1. External Entities: Private vs Public
9.3.2. Resource Inclusion
9.3.3. Resource Inclusion Improved
9.3.3.1. Invalid resource to extract
9.3.3.2. CDATA Escape using Parameter Entities
9.3.3.3. php://I/O Stream
9.3.4. Bypassing Access Control
9.3.5. Out-Of-Band Data Retrieval
9.3.5.1. OOB via HTTP
9.3.5.2. OOB via HTTP using XXEServe
9.4. XML Entity Expansion
9.4.1. Recursive Entity Expansion
9.4.1.1. Billion Laughs Attack
9.4.2. Generic Entity Expansion
9.4.2.1. Quadratic Blowup Attack
9.4.3. Remote Entity Expansion
9.5. XPath Injection
9.5.1. XPath 1.0 vs 2.0
9.5.1.1. New Operations and Expressions on Sequences
Function on Strings
Function accessors
FOR Operator
Conditional Expression
Regular Expression
Assemble/Disassemble String
9.5.1.2. Data Types
About eLearnSecurity
A leading innovator in the field of practical, hands-on IT security training.
Based in Pisa (Italy), Dubai (UAE) and San Jose (USA), eLearnSecurity is a leading provider of IT security and penetration testing courses, including certifications for IT professionals.
eLearnSecurity's mission is to advance the careers of IT security professionals by providing affordable and comprehensive education and certification. All eLearnSecurity courses utilize engaging eLearning and the most effective mix of theory, practice and methodology in IT security - all with real-world lessons that students can immediately apply to build relevant skills and keep their organizations' data and systems safe.
eLearnSecurity 2014
Via Matteucci 36/38
56124 Pisa, Italy
For more information, please visit http://www.elearnsecurity.com.