Support & Downloads

Quisque actraqum nunc no dolor sit ametaugue dolor. Lorem ipsum dolor sit amet, consyect etur adipiscing elit.

s f

Contact Info
198 West 21th Street, Suite 721
New York, NY 10010
youremail@yourdomain.com
+88 (0) 101 0000 000
Follow Us

Web Security - Vulnerability Analysis

réf : CYB-WS
Formation ONTAP-Implémentation de VMware sur stockage NetApp

Objectif de formation : Cette formation englobe analyse et compréhension des différents éléments axés applications web pour une exploration du domaine des vulnérabilité et attaques orientées WEB

Objectifs pédagogiques

  • Apply techniques used to audit and test the security of web applications
  • Apply techniques used to conduct discovery, exploration and investigation of a website and web application features
  • Apply tools and techniques used to discover and exploit vulnerabilities
  • Understand and Apply port scanning techniques
  • Understand application flowcharting and session analysis
  • Understand Client Injection Attacks
  • Understand Cross-Site & Server-Side Request Forgery (CSRF / SSRF)
  • Understand Cross-Site Scripting (XSS)
  • Understand how a web application manages client sessions
  • Understand how a web application tracks user activity
  • Understand how a web application uses SSL/TLS in modern web communications
  • Understand how to bypass and exploit weak authentication
  • Understand how to enumerate users
  • Understand HTTP, HTTPS, and AJAX within the context of security, vulnerabilities, and essential operations
  • Understand identifying services and configurations
  • Understand processes and mechanisms used to secure web applications by authentication
  • Understand spidering web applications
  • Understand SQL injection attacks and how to identify SQL injection vulnerabilities in applications
  • Understand the attacks leveraged against flaws in session states
  • Understand the technologies, programming languages and structures involved in the construction and implementation of a website
  • Understand the tools and techniques used to audit and identify flaws in the design or implementation in the configuration of a website
  • Understand the use of proxies, fuzzing, scripting, and application logic attacks
  • Understand tools and techniques required to perform web application security testing on modern web-based languages such as JavaScript with AJAX

Pré-requis

Avoir des connaissances dans la sécurité des SI, dans la sécurité des applications web et en programmation Web (PHP, JavaScript, HTML)

Public concerné

Auditeurs de sécurité, Développeurs chargés de la sécurité des applications web, Responsables DSI, Consultants en sécurité informatique, Responsables sécurité informatique, Toute personne en charge de la sécurité informatique

Programme

  • Penetration Testing
  • Application Penetration Testing
  • Risk Assessment and Management
  • OWASP Testing Guide
  • Web Application Security Consortium Threat Classification
  • Penetration Testing Execution Standard
  • Pre-Engagement Interactions
  • Intelligence Gathering
  • Threat Modelling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting
  • OWASP Zed Attack Proxy (ZAP)
  • BurpSuite
  • Browser Exploitation Framework (BeEF)
  • Other Tools
  • Reconnaissance – WHOIS
  • Reconnaissance – Domain Name System (DNS)
  • Reconnaissance – Virtual Host (vHost) Discovery
  • Open-Source Intelligence (OSINT) – Definitions
  • Open-Source Intelligence (OSINT) – Frameworks & Tools
  • Protocols – Hypertext Transfer Protocol (HTTP)
  • Protocols – Hypertext Transfer Protocol (HTTP) – Cookies
  • Protocols – Hypertext Transfer Protocol (HTTP) – Headers
  • Protocols – Hypertext Transfer Protocol (HTTP) – Request Methods
  • Protocols – Hypertext Transfer Protocol (HTTP) – Status Codes
  • Protocols – Hypertext Transfer Protocol (HTTP) – 1.0, 1.1, 2.0 & 3.0
  • Protocols – Hypertext Transfer Protocol (HTTP) – Cross-Origin Resource Sharing (CORS)
  • Protocols – Hypertext Transfer Protocol (HTTP) – Content Security Policy
  • Protocols – Secure Sockets Layer (SSL)
  • Protocols – Secure Sockets Layer (SSL) – Configuration
  • Protocols – Secure Sockets Layer (SSL) – Weaknesses
  • Interception Proxies – Definitions & Types
  • Interception Proxies – Fiddler
  • Interception Proxies – BurpSuite Proxy
  • Interception Proxies – OWASP Zed Attack Proxy (ZAP) Proxy
  • SSL Proxying – Definition
  • SSL Proxying – Through BurpSuite Pro
  • SSL Proxying – Through OWASP Zed Attack Proxy (ZAP)
  • Content Discovery – Logging and Monitoring
  • Content Discovery – Website Spidering
  • Content Discovery – Content Analysis
  • Authentication – Web Authentication Mechanisms – Cookie-Based Authentication
  • Authentication – Web Authentication Mechanisms – Token-Based Authentication
  • Authentication – Web Authentication Mechanisms – Third Party Access (OAuth, API Token)
  • Authentication – Web Authentication Mechanisms – OpenID
  • Authentication – Web Authentication Mechanisms – SAML
  • Authentication – Username Harvesting
  • Authentication – Password Guessing
  • Authentication – Authentication and Authorisation Bypass
  • Session Testing – Brute Forcing Unlinked Files
  • Session Testing – Brute Forcing Directories
  • Session Testing – Burp Sequencer
  • Tools – Fuzzing with ZAP
  • Tools – Fuzzing with ffuf
  • Tools – Fuzzing with Burp Intruder
  • Sessions – Session Management
  • Sessions – Session Attacks
  • Training Platforms – Mutillidae
  • Traversal Attacks – Directory Traversal
  • File Inclusion Attacks – Local File Inclusion (LFI)
  • File Inclusion Attacks – Remote File Inclusion (RFI)
  • SQL Attacks – SQL Injection
  • SQL Attacks – Blind SQL Injection
  • SQL Attacks – Error-Based SQL Injection
  • SQL Attacks – Exploiting SQL injection
  • SQL Attacks – Tools – sqlmap
  • Injection Attacks – Command Injection
  • Injection Attacks – Insecure Deserialisation
  • Injection Attacks – XML External Entity (XXE)
  • Client-Side Attacks – Cross-Site Scripting (XSS)
  • Tools – Browser Exploitation Framework (BeEF)
  • Techniques – Asynchronous JavaScript and XML (AJAX)
  • Languages – Extensible Markup Language (XML)
  • Languages – JavaScript Object Notation (JSON)
  • Models – Document Object Model (DOM)
  • Attacks – Application Programming Interface (API)
  • Attacks – Application Programming Interface (API) – Authentication Hijacking
  • Attacks – Application Programming Interface (API) – Data Exposure
  • Attacks – Application Programming Interface (API) – Parameter Tampering
  • Attacks – Application Programming Interface (API) – Unencrypted Communications
  • Principles – Representational State Transfer (REST)
  • Protocols – Simple Object Access Protocol (SOAP)
  • Web Attacks – Cross-Site Request Forgery (CSRF)
  • Web Attacks – Server-Side Request Forgery (SSRF)
  • Web Attacks – Application Logic Attacks
  • Programming – Python for Web Application Penetration Testing
  • Tools – WPScan
  • Tools – ExploitDB
  • Tools – BurpSuite Pro Scanner
  • Tools – Metasploit
  • Business of Penetration Testing – Preparation
  • Business of Penetration Testing – Post Assessment and Reporting

Équipe pédagogique

Professionnel expert technique et pédagogique

Moyens pédagogiques et techniques

  • Espace intranet de formation.
  • Documents supports de formation projetés.
  • Exposés théoriques
  • Étude de cas concrets
  • Mise à disposition en ligne de documents supports à la suite de la formation.

Dispositif de suivi

  • Émargement numérique.
  • Mises en situation.
  • Formulaires d’évaluation de la formation.
  • Certificat de réalisation de l’action de formation.

Vous avez une question ?

    Jours

    4 (28 heures)

    Prix

    2750 € HT

    Télécharger

    Catégories

    Tous

    Certifications

    Initiation

    Forensics

    Hacking & sécurité technique

    Sécurité organisationnelle

     

    Parcel Sandbox