Introduction to Web Applications

Difficulty: Fundamental

In the Introduction to Web Applications module, you will learn all of the basics of how web applications work and begin to look at them from an information security perspective.

Created by 21y4d
Co-Authors: mrb3n

This module is your first step in starting web application pentesting. It teaches important aspects of web applications, which will help you understand how web application pentesting works.

This module will cover the following topics:

Intro to Web Applications

  • Intro to Web Applications
  • Web Application Architectures
  • Front-end vs. Back-end

Front-end Components

  • HTML
  • CSS
  • JavaScript

Front-end vulnerabilities

  • Data Exposure
  • HTML Injection

Back-end Components

  • Back-end Servers
  • Web Servers
  • Databases
  • Development Frameworks & APIs

Back-end vulnerabilities

  • Public Vulnerabilities
  • Common Web Vulnerabilities

The module also covers the following topics:

  • What is a web application?
  • What are the common web application architectures?
  • What are the most common web servers, and what are the advantages of each?
  • What types of databases are there, and where is each one used?
  • Common Web Application Development Frameworks
  • What are APIs, and how are they used?
  • Public Web Application vulnerabilities
  • Intro to OWASP Top 10 for Web Applications

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or in your own virtual machine.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Fundamental" but assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.

A firm grasp of the following modules can be considered prerequisites for successful completion of this module:

  • Web Requests

Module Sections

  • Introduction
  • Web Application Layout
  • Front End vs. Back End
  • HTML
  • Cascading Style Sheets (CSS)
  • JavaScript
  • Sensitive Data Exposure
  • HTML Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Back End Servers
  • Web Servers
  • Databases
  • Development Frameworks & APIs
  • Common Web Vulnerabilities
  • Public Vulnerabilities
  • Next Steps

Relevant Paths

This module progresses you towards the following Paths

Bug Bounty Hunter

Medium 257 Sections

Cubes Required: 1410

The Bug Bounty Hunter Job Role Path is for individuals who want to enter the world of Bug Bounty Hunting with little to no prior experience. This path covers core web application security assessment and bug bounty hunting concepts and provides a deep understanding of the attack tactics used during bug bounty hunting. Armed with the necessary theoretical background, multiple practical exercises, and a proven bug bounty hunting methodology, students will go through all bug bounty hunting stages, from reconnaissance and bug identification to exploitation, documentation, and communication with vendors/programs. Upon completing this job role path, you will have become proficient in the most common bug bounty hunting and attack techniques against web applications and be in a position to professionally report bugs to a vendor.

  Web Requests

Fundamental 8 Sections

This module introduces the topic of HTTP web requests and how different web applications utilize them to communicate with their backends.

  Introduction to Web Applications

Fundamental 17 Sections

In the Introduction to Web Applications module, you will learn all of the basics of how web applications work and begin to look at them from an information security perspective.

  Using Web Proxies

Easy 15 Sections

Web application penetration testing frameworks are an essential part of any web penetration test. This module will teach you two of the best frameworks: Burp Suite and OWASP ZAP.

  Information Gathering - Web Edition

Easy 10 Sections

This module covers techniques for identifying and analyzing an organization's web application-based attack surface and tech stack. Information gathering is an essential part of any web application penetration test, and it can be performed either passively or actively.

  Attacking Web Applications with Ffuf

Easy 13 Sections

This module covers the fundamental enumeration skills of web fuzzing and directory brute forcing using the Ffuf tool. The techniques learned in this module will help us in locating hidden pages, directories, and parameters when targeting web applications.

  JavaScript Deobfuscation

Easy 11 Sections

This module will take you step-by-step through the fundamentals of JavaScript Deobfuscation until you can deobfuscate basic JavaScript code and understand its purpose.

  Cross-Site Scripting (XSS)

Easy 10 Sections

Cross-Site Scripting (XSS) vulnerabilities are among the most common web application vulnerabilities. An XSS vulnerability may allow an attacker to execute arbitrary JavaScript code within the target's browser and result in complete web application compromise if chained together with other vulnerabilities. This module will teach you how to identify XSS vulnerabilities and exploit them.

  SQL Injection Fundamentals

Medium 17 Sections

Databases are an important part of web application infrastructure, and SQL (Structured Query Language) is used to store, retrieve, and manipulate the information held in them. SQL injection is a code injection technique that takes advantage of coding vulnerabilities to inject SQL queries through an application in order to bypass authentication, retrieve data from the back-end database, or achieve code execution on the underlying server.

  SQLMap Essentials

Easy 11 Sections

The SQLMap Essentials module will teach you the basics of using SQLMap to discover various types of SQL Injection vulnerabilities, all the way to the advanced enumeration of databases to retrieve all data of interest.

  Command Injections

Medium 12 Sections

Command injection vulnerabilities can be leveraged to compromise a hosting server and its entire network. This module will teach you how to identify and exploit command injection vulnerabilities and how to use various filter bypassing techniques to avoid security mitigations.

  File Upload Attacks

Medium 11 Sections

Arbitrary file uploads are among the most critical web vulnerabilities. These flaws enable attackers to upload malicious files and execute arbitrary commands on the back-end server, which can lead to taking control of the entire server and every web application hosted on it, gaining access to sensitive data, or causing a service disruption.

  Server-side Attacks

Medium 19 Sections

A backend that handles user-supplied input insecurely can lead to sensitive information disclosure and remote code execution. This module covers how to identify and exploit server-side bugs, introducing Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Includes (SSI) injection attacks alongside other server-side vulnerabilities.

  Login Brute Forcing

Easy 11 Sections

Learn how to brute force logins for various types of services and create custom wordlists based on your target.

  Broken Authentication

Medium 14 Sections

Authentication is probably the most straightforward and prevalent measure used to secure access to resources, and it's the first line of defense against unauthorized access. Broken authentication is currently listed as #7 on the 2021 OWASP Top 10 Web Application Security Risks, falling under the broader category of Identification and Authentication failures. A vulnerability or misconfiguration at the authentication stage can devastatingly impact an application's overall security.

  Web Attacks

Medium 18 Sections

This module covers three common web vulnerabilities: HTTP Verb Tampering, IDOR, and XXE, each of which can have a significant impact on a company's systems. We will cover how to identify, exploit, and prevent each of them through various methods.

  File Inclusion

Medium 11 Sections

File Inclusion is a common web application vulnerability, which can be easily overlooked as part of a web application's functionality.

  Session Security

Medium 14 Sections

Maintaining and keeping track of a user's session is an integral part of web applications. It is an area that requires extensive testing to ensure it is set up robustly and securely. This module covers the most common attacks and vulnerabilities that can affect web application sessions, such as Session Hijacking, Session Fixation, Cross-Site Request Forgery, Cross-Site Scripting, and Open Redirects.

  Web Service & API Attacks

Medium 13 Sections

Web services and APIs are frequently exposed to provide certain functionality in a programmatic way between heterogeneous devices and software components. Both web services and APIs can assist in integrating different applications or facilitate separation within a given application. This module covers how to identify the functionality a web service or API offers and exploit any security weaknesses in it.

  Hacking WordPress

Easy 16 Sections

WordPress is an open-source Content Management System (CMS) that can be used for multiple purposes.

  Bug Bounty Hunting Process

Easy 6 Sections

Bug bounty programs encourage security researchers to identify bugs and submit vulnerability reports. Getting into the world of bug bounty hunting without any prior experience can be a daunting task, though. This module covers the bug bounty hunting process to help you start bug bounty hunting in an organized and well-structured way. It's all about effectiveness and professionally communicating your findings.

Information Security Foundations

Easy 147 Sections

Cubes Required: 150

Information Security is a field with many specialized and highly technical disciplines. Job roles like Penetration Tester and Information Security Analyst require a solid technical foundational understanding of core IT and Information Security topics. This skill path is made up of modules that will assist learners in developing and/or strengthening a foundational understanding before proceeding to the more complex security topics. Every long-standing building first needs a solid foundation. Welcome to Information Security Foundations.

  Introduction to Academy

Fundamental 8 Sections

This module is recommended for new users. It allows users to become acquainted with the platform and the learning process.

  Learning Process

Fundamental 20 Sections

The learning process is one of the most essential components of studying, and it is often overlooked. This module does not teach you techniques to learn but describes the process of learning as it applies to the field of information security. You will learn how and when we learn best, and how to greatly improve your learning efficiency.

  Setting Up

Fundamental 9 Sections

This module covers topics that will help us be better prepared before conducting penetration tests. Preparations before a penetration test can often take a lot of time and effort, and this module shows how to prepare efficiently.

  Linux Fundamentals

Fundamental 18 Sections

This module covers the fundamentals required to work comfortably with the Linux operating system and shell.

  Windows Fundamentals

Fundamental 14 Sections

This module covers the fundamentals required to work comfortably with the Windows operating system.

  Introduction to Bash Scripting

Easy 10 Sections

This module covers the basics needed for working with Bash scripts to automate tasks on Linux systems. A strong grasp of Bash is a fundamental skill for anyone working in a technical information security role. Through the power of automation, we can unlock the Linux operating system's full potential and efficiently perform habitual tasks.

  Introduction to Networking

Fundamental 12 Sections

As an information security professional, a firm grasp of networking fundamentals and the components involved is necessary. Without a strong foundation in networking, it will be tough to progress in any area of information security. Understanding how a network is structured and how communication between individual hosts and servers takes place over the various protocols allows us to understand the entire network structure, its traffic in detail, and how different communication standards are handled. This knowledge is essential for creating our own tools and for interacting with the protocols.

  Intro to Network Traffic Analysis

Medium 15 Sections

Network traffic analysis is used by security teams to monitor network activity and look for anomalies that could indicate security and operational issues. Offensive security practitioners can use network traffic analysis to search for sensitive data such as credentials, hidden applications, reachable network segments, or other potentially sensitive information "on the wire." Network traffic analysis has many uses for attackers and defenders alike.

  Introduction to Active Directory

Fundamental 16 Sections

Active Directory (AD) is present in the majority of corporate environments. Due to its many features and complexity, it presents a vast attack surface. To be successful as penetration testers and information security professionals, we must have a firm understanding of Active Directory fundamentals, AD structures, functionality, common AD flaws, misconfigurations, and defensive measures.

  Introduction to Web Applications

Fundamental 17 Sections

In the Introduction to Web Applications module, you will learn all of the basics of how web applications work and begin to look at them from an information security perspective.

  Web Requests

Fundamental 8 Sections

This module introduces the topic of HTTP web requests and how different web applications utilize them to communicate with their backends.
