About the course
Cyber Security Training in London 2019
SANS is recognised around the world as the best place to develop the deep, hands-on cyber security skills most needed right now. Join us for SANS London February (February 11-16 at the Grand Connaught Rooms) for immersion training that will provide you with the skills to defend your organisation against security breaches and prevent future attacks.
“I get to connect with industry peers and gain a deeper understanding about what I do and why it is important. More tools for the tool belt.” - Thomas Dowling, Rackspace
All SANS courses are world-class cyber security courses, but every event we like to choose a course and ask the instructors to give a bit more insight into the course.
Take advantage of these opportunities to get the most of your training:
- Distinguish yourself as an information security leader by preparing for your GIAC Certification.
- Network with like-minded security professionals facing similar challenges.
- Attend evening bonus sessions led by SANS instructors and gain insight into the latest cyber security topics.
- Extend your SANS course by four months with an OnDemand Bundle.
Our mission at SANS is to deliver cutting-edge information security knowledge and skills to all students in order to protect people and assets. At the heart of everything we do is the SANS Promise: Students will be able to use the new skills they have learned as soon as they return to work. See that promise in action at SANS London February 2019.
“SANS provides you with trainers who have real-world experience. They are actively participating in investigations and providing up-to-date research on current trends.” - Leo Sanchez, Tetra Pak
To follow or tweet about this event, use the hashtag #SANSLondon. Follow SANS at: https://twitter.com/SANSEMEA
SEC542: Web App Penetration Testing and Ethical Hacking
Mon, February 11 - Sat, February 16, 2019
Instructor: Bojan Zdrnja
“Every day of SEC542 gives you invaluable information from real-world testing you cannot find in a book.” - David Fava, The Boeing Company
“The final Capture-the-Flag challenge was an amazing eye opener to the real-world of web app penetration testing.” - Derick Ansignia, Scarfold Consult
Web applications play a vital role in every modern organization. But if your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.
SEC542 helps students move beyond push-button scanning to professional, thorough, high-value web application penetration testing.
Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions. Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.
Modern cyber defense requires a realistic and thorough understanding of web application security issues. Anyone can learn to sling a few web hacks, but effective web application penetration testing requires something deeper.
SEC542 enables students to assess a web application's security posture and convincingly demonstrate the impact of inadequate security that plagues most organizations.
Students will come to understand major web application flaws and their exploitation and, most importantly, learn a field-tested and repeatable process to consistently find these flaws and convey what they have learned to their organizations. Even technically gifted security geeks often struggle with helping organizations understand risk in terms relatable to business. Much of the art of penetration testing has less to do with learning how adversaries are breaking in than it does with convincing an organization to take the risk seriously and employ appropriate countermeasures. The goal of SEC542 is to better secure organizations through penetration testing, and not just show off hacking skills. The course will help you demonstrate the true impact of web application flaws through exploitation.
In addition to high-quality course content, SEC542 focuses heavily on in-depth, hands-on labs to ensure that students can immediately apply all they learn.
In addition to more than 30 formal hands-on labs, the course culminates in a web application pen test tournament, powered by the SANS NetWars Cyber Range. This Capture the Flag event on the final day brings students into teams to apply their newly acquired command of web application penetration testing techniques in a fun way to hammer home lessons learned.
- ZAP (Zed Attack Proxy)
- Blind SQL Injection
- Reflected Cross-Site Scripting (XSS)
- Stored Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- Cross-Site Request Forgery (CSRF/XSRF)
You Will Learn:
- To apply a repeatable methodology to deliver high-value penetration tests.
- How to discover and exploit key web application flaws.
- How to explain the potential impact of web application vulnerabilities.
- The importance of web application security to an overall security posture.
- How to wield key web application attack tools more efficiently.
SEC542.1: Introduction and Information Gathering
SEC542.2: Configuration, Identity, and Authentication Testing
SEC542.4: XXE and XSS
SEC542.5: CSRF, Logic Flaws and Advanced Tools
SEC542.6: Capture the Flag