Web Application Hacking: Pro Level | Event in New Delhi | Townscript

Web Application Hacking: Pro Level

Jan 18 - 19 | 10:00 AM (IST)

Event Information

This is a two-day, fully hands-on training on web application security and penetration testing. For more details, contact: training@enciphers.com

Training Date: 18th-19th January 2020

Training Venue: Classroom Venue will be in New Delhi (NCR), India. Exact address to be shared with registered delegates.

Unique benefits of this training: 

  • Two-day training on advanced-level attacks on web applications.
  • Access to a specifically designed virtual private server (for the training duration).
  • Access to one of the best web application penetration testing labs.
  • Access to a separate channel for asking questions and getting help.
  • No virtual machine setup needed.

Training Agenda:

  • Module 1 - Bug Hunter's VPS:
      - What is unique about the VPS?
      - Walkthrough of the VPS:
          - ENCIPHERS pentest/bug bounty guides & tutorials
          - VPS tools and how to use them
          - Other resources available on VPS: payloads, online tools, etc.
      - Accessing your personal VPS via SSH/Remote desktop
      - How to make the best use of Bug Hunter’s VPS
  • Module 2 - Input Validation Issues:
      - REST API with JSON & XML inputs
          - XML injection
          - XXE
          - Other API related vulnerabilities
          - SQL injection in API
      - Server Side Request Forgery
          - How to test for SSRF
          - SSRF exploitation scenarios, SSRF to AWS compromise
          - Using tools and guide on VPS to find SSRF
      - Pentesting GraphQL
      - Finding and exploiting SQL injections
  • Module 3 - Remote Code Execution:
      - What is RCE? How to find it? Approach to find RCE in bug bounty or pentests.
      - Some easy-to-find RCEs that can earn you a huge bounty
      - Using Metasploit and public exploits for finding RCE
      - How to report RCE in the best way?
  • Module 4 - Authentication Vulnerabilities:
      - How does authentication work? What types of authentication are generally used these days?
      - Finding vulnerabilities in each of those authentication flows (SAML, JWT, Cookie)
  • Module 5 - Some more action:
      - Cross Site Scripting
      - Reflected | Stored | Blind XSS
      - Multi Factor Authentication & Bypass
      - Other common web vulnerabilities
  • Module 6 - Let’s build some approach:
      - Attacking authentication flow of the app
          - Login page testing
          - API based authentication and possible security issues
          - Testing password reset function
      - Testing the app for access control:
          - Where to look for those issues?
          - What are the possible vulnerabilities? IDOR, missing access control, etc.
      - Testing each feature/functionality:
          - Input validation issues
          - XSS/XXE/SSRF/SQLi etc.
          - RCE via known vulnerable software version
          - RCE via misconfigurations
          - Privilege escalations

Terms and Conditions:

  • All rates are exclusive of taxes.
  • All tickets are non-refundable.
  • Payment gateway charges are applicable additionally.
  • ENCIPHERS reserves the right to cancel the training if there are too few registrations. In that case, ENCIPHERS will inform the attendees at least one week before the actual training date.
  • When registering, you explicitly agree to our Terms and Conditions, which may be modified by us from time to time and are available here.
  • Registration fees do not include the cost of travel and lodging. All delegates are requested to make their own arrangements and cover any associated fees for any other services.


New Delhi (Exact venue to be decided)
Joined on Apr 11, 2019
Information Security Consulting | Training | Penetration Testing