Modern Webapp Pentesting is unique in its approach to testing webapps. Too many courses are built around the assumption that a webapp pentester’s skills should grow along a straight line, starting with something like the OWASP Top Ten and culminating in something like Attacking Web Cryptography. Real webapps don’t follow that same path, and neither should real webapp pentesters. Attacking WebSockets is not more difficult than attacking HTTP traffic; it’s just different. Web APIs are not something you’re qualified to test only after you’ve put your time in on traditional webapps … they’re just different.
This course doesn’t worry about where a student falls on the imaginary scale of beginner to expert but instead focuses on finding and exploiting the kinds of issues found in real webapps today, based on the instructor’s many years of ongoing experience in testing … real webapps today.
- A reliable methodology for testing today’s webapps
- Hands-on experience with the kinds of defects that modern webapps actually have
- Tips and tricks for effective reporting so the issues you find can be fixed
WHO SHOULD TAKE THIS COURSE
- Pentesters who want to do more than “The OWASP Top Ten”
- Bug bounty hunters looking for new avenues of attack
- Web developers who want to see what attackers see
AUDIENCE SKILL LEVEL
Motivated Beginners: the course begins with a brief review of protocols and tools so we have a shared mental framework to process the more advanced topics that come later.
Experienced Testers: the majority of the course addresses features and technologies that are not so much “advanced topics” relying on a deep understanding of arcane subjects as “newer things that nobody talks about attacking”.
If you test webapps exclusively, all day every day, you may still appreciate the time spent on focused practice, methodology, and reporting. Anyone else will also find some new things they can take back to work or bounty-hunting right away.
- Curiosity and tenacity
- Computer with 8GB RAM and 10GB free disk space
- VMware (Workstation, Fusion, or Player)
- OR free accounts at GitHub and Heroku and a fast internet connection
WHAT EACH STUDENT SHOULD BRING
- A laptop that can run VMware and one virtual machine (8GB RAM, 10GB free disk).
- OR one with Docker pre-installed (the course does not include any Docker instruction, so do this only if you’re already comfortable troubleshooting your own Docker issues).
- Current Firefox web browser.
WHAT STUDENTS WILL BE PROVIDED WITH
- Slide deck and links to all the material and tools needed with instructions.
- Virtual machine with all the necessary tools and targets for the course.
- Contact information for the instructor and a 6-week window of direct one-on-one access in case you have questions after the class is over.
- 6 months free access to our Cyber Range.
TRAINER & AUTHOR
BB King has been pentesting webapps since 2008. He was the second hire into his employer’s application security team at a time when “PCI” was brand new and long before bug bounty programs – when experienced webapp pentesters had to be made, not found. His internal training and coaching efforts built a successful team of 30 testers, few of whom had significant experience pentesting before joining the team.
BB believes that webapps are the best targets for pentesting because although they all look familiar on the surface, they’re all different, often in surprising ways. Each webapp is a collection of puzzles for a pentester and the first puzzle is figuring out where the other puzzles are! Once you get started, each test can be an engaging chance to practice your problem-solving skills and dive into new technologies.