Application Security Assessment



The mission of the Application Security Assessment course is to educate, introduce and demonstrate application security assessment techniques for penetration testing purposes only.


During this course you will learn, understand and execute the approach and techniques described in the OWASP Testing Guide. From defining the scope of an application security assessment to the write-up and reporting, this course teaches the practical skills needed to execute an application security assessment, also known as a hack test or application penetration test.


This course will benefit developers, application administrators and security professionals.



Classroom and customized training


Module 1: Introduction
Intro to Penetration Testing
– What is penetration testing
– Why penetration testing
– Black-box test
– Grey-box test
– White-box test
Determine the scope:
– Whom do you test for
– Why are you testing
– What is your target
– "Out of jail" card
Module 2: Passive Techniques
Information Gathering I
– Spiders, robots and crawlers
– Search engine discovery/reconnaissance
Information Gathering II
– Identify application entry points
– Testing for web application fingerprint
Information Gathering III
– Application discovery
– Analysis of error codes
Module 3: Pentest I, Configuration Management
– DB listener
– Infrastructure configuration management
– Application configuration management
– File extensions handling
– Old, backup and unreferenced files
– Infrastructure and application admin interfaces
– HTTP methods and XST
Module 4: Pentest II, Business Logic
– Business rules, limits and restrictions
– Business scenarios
– Workflow
– Different user roles
– Different groups or departments
– Permissions of various user roles and groups
– Privilege table
– Developing and executing logical tests
Module 5: Pentest III, Authentication
– Credentials transport over an encrypted channel
– User enumeration
– Guessable (dictionary) user account
– Brute force
– Bypassing authentication schema
– Vulnerable remember password and password reset
– Logout and browser cache management
– Multi-factor authentication
– Race conditions
Module 6: Pentest IV, Authorization
– Path traversal
– Bypassing authorization schema
– Privilege escalation
Module 7: Pentest V, Session Management
– Session management schema
– Cookie attributes
– Session fixation
– Exposed session variables
Module 8: Pentest VI, Data Validation
– Cross-site scripting (reflected, stored, DOM-based, cross-site flashing)
– SQL injection (different databases, out-of-band, blind)
– LDAP injection
– ORM injection
– XML injection
– SSI injection
– XPath injection
– IMAP/SMTP injection
– Code injection
– OS commanding
– Buffer overflow (heap/stack overflow, format string)
– Incubated vulnerability
– HTTP splitting/smuggling
Module 9: Pentest VII, Denial of Service (DoS)
– SQL wildcard attacks
– Locking customer accounts
– User-specified object allocation
– User input as a loop counter
– Writing user-provided data to disk
– Failure to release resources
– Storing too much data in session
Module 10: Pentest VIII, Web Services
– WS information gathering
– XML structure
– XML content-level
– HTTP GET parameters / REST
– SOAP attachments
– Replay
Module 11: Pentest IX, Ajax
Module 12: Reporting
– Value the real risk
– Writing the report
– Executive summary
– Technical management overview
– Assessment findings
– Delivering a report
Module 13: How to continue



There is no certification exam for this course. After following the course, you will receive a certificate of attendance.
To be entitled to the certificate of attendance, you have to be present on all days of the course.

4 days

€ 2.750


Other dates?


Breda, Tilburg, Amsterdam, Rotterdam, Utrecht, Eindhoven, Antwerpen, Zwolle

Other location?

SKU: ASA4
Want to know more about a training or advice? Call our training advisors on 085 02 01 070 or use the contact form.