Application Pentesting Fundamentals

Implementing and testing application security has always been a challenge for developers and penetration testers. Every application has different business requirements, different functionality and different workflows and, as a result, different code and attack vectors.

In addition, the increasing variety of technologies (HTML5, JavaScript, APIs) often requires a different testing approach and sometimes different tools to achieve the same goal: properly testing the application, finding vulnerabilities and better securing it before making it public.

This introductory hands-on session will teach attendees how to approach, plan and conduct an application penetration test against different types of applications and technologies, using commonly available tools and techniques that are often used by attackers as well.

During the training session, participants will be provided with hands-on lab exercises to experience and test against vulnerable web applications. Labs will include an introduction to commonly used tools and testing methodologies; an overview of common vulnerabilities based on the OWASP Top 10; how to perform automated and manual discovery; executing fuzzing tests to identify potential weaknesses and entry points; exploitation of vulnerabilities such as cross-site scripting, SQL injection and Cross-Site Request Forgery; testing for authentication, authorization and session management issues; and more. In addition, testing scenarios will include testing of applications built on different technologies, such as HTML-based applications, Web Services/APIs and console/smart-client based apps, to show the differences and similarities in how the tests are conducted and in the vulnerabilities found in each.

By the end of the session, attendees will have the foundation required to conduct the different aspects of an application security penetration test and will have learned the steps from initial discovery and evaluation of potential attack vectors through to actual exploitation of the application-level vulnerabilities they have found.

Trainer: Chuck Ben-Tzur
Max participants: 50
Cost: $2000

This is a Two Day Course
October 7-8, 2019

Technical Requirements:

Attendees must bring and use their own device.

Attendees will be required to install a virtual machine (VM) that will include several tools before the class begins.

Memory: Minimum of 4GB (8GB preferred) RAM to allocate for the virtual machine
Disk Space: 20+ GB available
Network: Ethernet port (preferred) or Wireless

This session is recommended for:

  • Software Developers and DevOps Engineers
  • Penetration Testers
  • Information Security and IT Team Leaders
  • Information Security Students

Attendees should have a basic understanding of web applications, including HTML, JavaScript, APIs and the HTTP protocol, and be comfortable using Linux and Windows.

Agenda

Monday October 7


09:00 – 10:00 Doors open. Continental breakfast and networking
10:00 – 10:10 Introduction
10:10 – 10:30 Reviewing and Initializing the Lab Environment
10:30 – 10:50 Application Security Testing Methodology Overview (Lab 1 Intro)
10:50 – 11:10 Lab 1: Initial Discovery (Spider)
11:10 – 11:20 Break
11:20 – 11:40 Fuzz Testing (Lab 2 Intro)
11:40 – 12:10 Lab 2: Fuzz Testing
12:10 – 13:00 Lunch (Provided)
13:00 – 13:15 Client-Side Attacks: Script Injections (Lab 3 Intro)
13:15 – 14:30 Lab 3: Cross Site Scripting
14:30 – 14:40 Break
14:40 – 14:50 Authentication and Session Testing (Lab 4 Intro)
14:50 – 15:40 Lab 4: Authentication Testing
15:40 – 15:50 Cross-Site Request Forgery (Lab 5 Intro)
15:50 – 16:30 Lab 5: Cross-Site Request Forgery
16:30 – 17:00 Recap of Labs and Day 1

Tuesday October 8


09:00 – 10:00 Doors open. Continental breakfast and networking
10:00 – 10:10 Review of Day 1 and Plan for Day 2
10:10 – 10:20 Authorization Testing (Lab 6 Intro)
10:20 – 11:00 Lab 6: Bypassing Authorization (Lateral and Vertical)
11:00 – 11:10 Break
11:10 – 11:20 Insecure Deserialization (Lab 7 Intro)
11:20 – 12:10 Lab 7: Insecure Deserialization
12:10 – 13:00 Lunch (Provided)
13:00 – 13:10 Server-Side Attacks: SQL Injection (Lab 8 Intro)
13:10 – 13:40 Lab 8: SQL Injection
13:40 – 13:50 Passive Scanning and Findings (Lab 9 Intro)
13:50 – 14:40 Lab 9: Passive Scanning and Findings
14:40 – 14:50 Break
14:50 – 15:00 Testing API (Lab 10 Intro)
15:00 – 15:40 Lab 10: API Testing
15:40 – 16:00 Recap of Labs, Next Steps and Closing Remarks

*Timing and content subject to change

Meet Your Trainer

Chuck Ben-Tzur

Chuck Ben-Tzur is an IT Security professional with over 15 years of experience as a consultant and a senior manager. Chuck has helped leading Canadian and international organizations to build their corporate security program, assess and implement effective security controls and maintain ongoing compliance. To keep his technical knowledge fresh and up-to-date, Chuck likes to “keep his hands dirty” by researching the security of new technologies and is continuously performing hands-on penetration testing, vulnerability assessments and threat risk analysis.

Chuck has presented at many conferences and in front of professional groups including SecTor, EnergizeIT, PMI (Project Management Institute), TASK (Toronto’s Security User Group), Federated Press and more.