Testing application security has always been a challenge for penetration testers. Every application has different business requirements, different functionality and different workflows and, as a result, different code and attack vectors.
This introductory hands-on session will teach attendees how to approach, plan and conduct an application penetration test against different types of applications and technologies, using commonly available tools and techniques that attackers often use as well.
During the session, participants will work through lab exercises against deliberately vulnerable applications. Labs will include an introduction to commonly used tools and testing methodologies; an overview of common vulnerabilities based on the OWASP Top 10; how to perform automated and manual discovery; fuzzing to identify potential weaknesses and entry points; exploitation of vulnerabilities such as cross-site scripting, SQL injection and cross-site request forgery; testing for authentication, authorization and session management issues; and more. In addition, testing scenarios will cover applications built on different technologies, such as HTML-based applications, web services/APIs and console/smart-client applications, to show the differences and similarities in both how the tests are conducted and the vulnerabilities found in each.
By the end of the session, attendees will have the foundation required to conduct the different aspects of an application security penetration test, and will have learned the steps from initial discovery, through evaluating potential attack vectors, to actual exploitation of the application-level vulnerabilities they have found.