Today, most organizations use web portals to inform and interact better with customers, and many processes are performed by web applications. This issue allows the intruder to gain access to the sensitive information of the organization and its customers by breaking into these portals, which will be irreparable for a business. The web penetration testing course, which is designed based on OWASP and SANS company standard topics, gives people the ability to evaluate and find the vulnerabilities of web applications, and after completing this course, people can find the weak points of web applications using their individual knowledge. and provide a solution to improve it.
Familiarity with basic concepts
• Introduction of basic concepts and protocols
• Internet network model and architecture
• Getting to know the server and web servers
Familiarity with network layering models
• Familiarity with basic security definitions
• Knowledge of web security standards
Information gathering and configuration review
• Check web server information
• Checking user programs on the web server
• Check frameworks and content management systems
• Reviewing descriptions and metadata of web pages
• Checking infrastructure configuration
Authentication and access control
• Checking security mechanisms and user login
• Enumeration of user accounts
• Bypass captcha
• Examining the mechanisms of changing and resetting the password
• Changing the access level of users
• Investigating vulnerabilities related to access level (IDOR)
Cookies and Sessions
• You are the manager of the meeting
• Fixed session and exposed variables
• Request falsification
• Cookie features and their expiration
Server side attacks
• XSS attack
• SQL injection attack
• Code injection attack
• File Inclusion attack
• Business logic
• Error handling
User-side attacks
• HTML injection
• CSS injection
• Transfer URL
• Steal clicks
Review of web vulnerability scanning software
• Burpsuite
• Nmap
• Owasp – ZAP
• W3af
• SkipFish
• Some important Kali tools