The Web Application Penetration Testing course (WAPT) is an online, self-paced training course that provides all the advanced skills necessary to carry out a thorough and professional penetration test against modern web applications.
Enroll now and get access to all of our material and labs!
Plans and Pricing
In this module, the student will learn the methodologies and the reporting best practice in order to become a confident and professional penetration tester.
In this module, the student will understand the basics of Web applications. An in-depth coverage of the Same Origin Policy in its latest developments and the Cookie RFC will help experienced and non-experienced penetration testers gain critical foundational skills useful for the rest of the training course.
Let the Penetration test start! Every penetration test begins with the Information gathering phase.
In this module he most widespread web application vulnerability will be dissected and studied in all its parts. Students will gain all the skills needed to fully unleash the power of cross site scripting exploitation!
In this module will be studied the most advanced techniques to find and exploit SQL Injections.
During this module, the student will learn the most common authentication mechanisms, their weaknesses and the related attacks.
The student will learn how sessions work and what are the most common attacking patterns. Moreover they will study how to prevent session attacks.
The student will first study the Flash security model and its pitfalls. Then will use the most recent tools to find and exploit vulnerabilities in Flash files.
In this module we will be discussing the most important elements of HTML5: cross origin resource sharing, cross window messaging, websockets, sandboxing and web storage. The student will learn how to leverage these features to mount successful attacks.
The student will learn how to identify and exploit path traversal, file inclusion and unrestricted file upload vulnerabilities.
The student will practice a number of vulnerabilities that, despite being less known or publicized, are still affecting a number of web applications.
During this highly in depth module the student will first become familiar with web services paradigms and protocols and then learn all the most important related security issues.
In this module, the student will learn advanced XPath injection techniques, in theory and practice in Hera lab.
This module, covers the whole range of penetration testing activities against CMS, from information gathering, enumeration and brute force attacks, to host exploitation through vulnerable plugins and lateral movement through credential reuse. More specifically, the student will get accustomed to identifying vulnerabilities like XSS, SQLi, RCE, SOME and CSRF on WordPress and Joomla CMS, as well as chaining various vulnerabilities for maximum exploitation.
In this module, the student will learn how to manually identify and exploit vulnerabilities in NoSQL databases or NoSQL-powered web applications, as well as execute elaborate attacks against exposed NoSQL-related APIs.Transitioning from a compromised NoSQL database to full host exploitation, as well as effective data exfiltration methods are also covered in this module.
The WAPT course is a practice-based curriculum. Being integrated with Hera Lab, the most sophisticated virtual lab on IT Security, it offers an unmatched practical learning experience. Hera is the only virtual lab that provides fully isolated per-student access to each of the real world network scenarios available on the platform. Students can access Hera Lab from anywhere through VPN.
|Lab 1||Introduction - 2 Challenging Labs||Educational|
|Lab 2||Information Gathering - 2 Challenging Labs||Educational|
|Lab 3||Cross Site Scripting - 7 Challenging Labs||Educational|
|Lab 4||SQL Injection - 10 Challenging Labs||Educational|
|Lab 5||Authentication and Authorization - 14 Challenging Labs||Educational|
|Lab 6||Session Security - 9 Challenging Labs||Educational|
|Lab 7||Flash Security - 1 Challenging Lab||Educational|
|Lab 8||HTML5 - 4 Challenging Labs||Educational|
|Lab 9||File and Resources Attacks - 4 Challenging Labs||Educational|
|Lab 10||Other Attacks - 1 Challenging Lab||Educational|
|Lab 11||Web Services - 4 Challenging Labs||Educational|
|Lab 12||XPath - 5 Challenging Labs||Educational|
|Lab 13||Exploiting Wordpress - 5 Challenging Labs||Educational|
|Lab 14||From Static Analysis to WordPress Exploitation - 1 Challenging Lab||Educational|
|Lab 15||Chaining Vulnerabilities To Remotely Extract WP Admin Credentials - 1 Challenging Lab||Educational|
|Lab 16||Redis Exploitation - 3 Challenging Labs||Educational|
|Lab 17||NoSQL Injections Against MongoDB - 4 Challenings Labs||Educational|
|Lab 18||CouchDB Exploitation - 2 Challenging Labs||Educational|
Dimitrios Bougioukas, Training Director of eLearnSecurity, holds a B.Sc. in Computer Science from the Athens University of Economics and Business. For the past 5 years, he has worked as a Business Information Security Engineer and Information Security Analyst for a major financial institution, as a Penetration Tester within EY's practice and as a Senior IT Security Researcher and Trainer within eLearnSecurity. Dimitrios specializes in advanced cyber threat simulation, threat intelligence and purple team tactics. He has been engaged on numerous penetration testing activities against critical infrastructure, web applications and mobile applications. In terms of research, Dimitrios has presented at information security conferences such as BSides and has received acknowledgements from security, telecom and other major companies for finding and reporting vulnerabilities in their web applications, in a responsible manner (IBM Trusteer, LG etc.). In the context of his professional career, his work led to international and regional information security awards in prestigious and highly competitive contests such as Retail Banker International Awards.
With nearly 20 years of experience in the Information Security industry in both Offensive and Defensive roles within the private and public sectors, and with the last seven years primarily focused on the offensive side of the house, Fabrizio brings his real-world experience to the eLearnSecurity body-of-knowledge to provide the latest in information security research and techniques.
Previous Authors include Armando Romeo, Francesco Stillavato, Davide Girardi
Enroll now and get access to all of our material and labs!
The mix of Video Tutorials, exercises and support from fellow students on the forum was fantastic. Anyone who wants to specialize in Web Penetration Testing, this course is a must to get you started. Thanks for your efforts in making this happen
Manager Consulting Pty Ltd
Having been in the security field for over 5 years I assumed this would be a quick and easy certification. After getting into the training course I was pleased to find that I was learning new things and that the course was certainly more challenging than I had anticipated. I found that it filled in several knowledge gaps when it comes to pentesting, and I would recommend this course to both veterans and newcomers to the security field.
eLearnSecurity's training really dives deep into the underlying concepts beneath pentesting tools.
Timothy E. Everson