This course provides customized training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed over a career of real-world application penetration testing. Students will be introduced to the best open source tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how these tools integrate with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end, something most web application penetration testing courses overlook.
The majority of the course will be spent performing an instructor-led, hands-on web application penetration test. Students won't be given overly simplistic steps to execute independently. Rather, at each stage of the test, the instructor will present the goals that each testing task is to accomplish and perform the penetration test in front of the class while students follow along on their own machines. The primary emphasis of these instructor-led exercises will be placed on how to integrate the tools with manual testing procedures to improve the overall workflow. This experience will help students gain the confidence and knowledge necessary to perform web application penetration tests as an application security professional.
* Automated Discovery
* Manual Discovery
* Capture the Flag (time permitting)
* Laptop with at least two (2) USB ports.
* Latest VMware Player, VMware Workstation, or VMware Fusion installed. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality. However, VMware Player should be prepared as a backup.
* Ability (administrator privileges) to disable all security software on the laptop, such as antivirus and/or firewalls.
* At least twenty (20) GB of hard drive space.
* At least four (4) GB of RAM.
Tim (lanmaster53) Tomes is the Managing Consultant at nVisium with extensive experience in Application Security and Software Development. Tim currently manages multiple open source software projects such as the Recon-ng Framework, the HoneyBadger Geolocation Framework, and PeepingTom, writes technical articles at lanmaster53.com, and frequently instructs and presents on Application Security topics at major Information Security conferences such as DerbyCon, ShmooCon, Black Hat and SANS.