Training

Pentesting web applications

Objectives

This training is intended for people with a technical background who want to improve their skills regarding modern and impactful web vulnerabilities. Through multiple practical cases, it presents the reasoning and observations that guide a pentester during vulnerability research. These step-by-step practical exercises are meant to let the trainees establish the relation between initial observations and the actual discovery of a vulnerability. In other words, the training aims to sharpen the pentester's "instinct" by clarifying the relationship between the technical information available and the vulnerabilities it points to.


5 days / 16 hours of theory / 19 hours of practice


The training can also be shortened to 3 or 4 days, depending on which language-specific modules are chosen.

Contents

  • Introduction

    • Intrusion proceedings

    • Methodology / general concepts

    • Resources


  • BurpSuite

    • Using BurpSuite in a blackbox context

    • Strengths and weaknesses of BurpSuite

    • Shortcuts and automation

    • Plugins


  • Reconnaissance

    • Attack surface

    • Tooling


  • Methodology and approach

    • General notions: iterative nature of the process, logic vulnerabilities

    • Handling of common mechanisms

      • authentication

      • access control

      • user input

    • Identification of the client-side and server-side technologies


  • Advanced Vulnerabilities

    • Vulnerabilities overview (XXE, SSRF, injections, SSTI, prototype pollution)

    • Cryptographic attacks

    • Flaws in authentication mechanisms

    • GraphQL

    • Cloud-specific vulnerabilities


  • Java

    • Application server identification

    • Framework identification

    • Commonly exposed admin panels

    • Exploitation of specific vulnerabilities

      • XXE

      • Unserialize

      • HQL injections

      • Expression languages


  • PHP

    • Framework identification

    • Exploitation of specific vulnerabilities

      • Type juggling and magic hashes

      • Stream wrappers and filters

      • Phar

    • Unserialize and POP chains

    • Post-compromise

      • Bypassing disable_functions and open_basedir

      • Command execution via FastCGI

      • PHP engine vulnerabilities


  • Python/Django

    • Framework identification

    • Exploitation of specific vulnerabilities

      • Debug mode

      • Cookie signature weaknesses

      • Arbitrary unserialize

      • Mass assignment

      • SSTI (DTL and Jinja2)


  • Perl

    • Language-related notions

    • Application identification

    • TWiki and Bugzilla vulnerabilities

    • Exploitation of specific vulnerabilities

      • Passing arrays in parameters

      • system() and exec() functions