Security Testing Training – Batch Two

Hi all,

Thanks for attending Security Testing Training sessions. Please find the recorded sessions and other details of the sessions below:

Note: Attendees of batch two, log in to the Gmail address to which we have provided access, then click the links below to open them in the same browser window where that Gmail address is logged in.


Session 1: Introduction to Security Testing and Basic Concepts – Part 1 (1 hour)

  • Introduction
  • Importance of Security Testing
  • Jobs and their demand
  • Course Walkthrough
  • Questions on Course and Security Testing
  • CIA Triad
    • Confidentiality
    • Integrity
    • Availability
  • Vulnerability
  • Threat
  • Risk
  • HTTP Protocol basics
    • HTTP Methods
    • HTTP Response Codes
  • Cookie
  • Session
  • Cookie Versus Session

Session 2: Basic Concepts – Part 2 (1 hour)

  • Input Validation
    • Client-side validation
    • Server-side validation
    • Client-side versus Server-side Validation
  • Output Encoding
  • Blacklist validation
  • Whitelist validation
  • Blacklist validation versus Whitelist validation

Session 3: Basic Concepts – Part 3 (1 hour)

  • Cryptography
    • Encryption
      • Symmetric Key Encryption
      • Asymmetric Key Encryption
    • Encoding
    • Hashing

Session 4: Basic Concepts – Part 4 (1 hour)

  • Encryption, Encoding, and Hashing – CIA Triad
  • SSL – Secure Sockets Layer
  • HTTP versus HTTPS
  • SSL Handshaking Process

Session 5: Basic Concepts – Part 5 (1 hour)

  • SDLC Process and Secure SDLC Process
  • Secure SDLC – Advantages
  • Threat Modelling
  • STRIDE Methodology
    • Spoofing Identity
    • Tampering with Data
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege
  • SSL and TLS Versions
  • SSL Handshaking Process – Part 2
  • Authentication versus Authorization

Session 6: Basic Concepts – Part 6 (1 hour)

  • 5 Phases of Security Testing
  • OWASP Top 10 Vulnerabilities
  • Burp Suite Installation and Configuration (check notes)
  • XAMPP and bWAPP Installation (check last button)

Session 7: Cross Site Scripting – Part 1 (1 hour)

  • What is Cross Site Scripting (XSS)?
  • Definition of XSS
  • Consequences of XSS
  • XSS: Where to test?
  • XSS: Payloads
  • XSS: Countermeasures/Recommendations/Remedy/Fix

Session 8: Cross Site Scripting – Part 2 (1 hour)

  • What is Cross Site Scripting (XSS)?
  • Definition of XSS
  • Consequences of XSS
  • XSS: Where to test?
  • XSS: Payloads
  • XSS: Countermeasures/Recommendations/Remedy/Fix

Session 9: Cross Site Scripting – Part 3 (1 hour)


Session 10: Cross Site Scripting – Part 4 (1 hour)


Session 11: Cross Site Scripting – Part 5 and Troubleshooting BurpSuite & XAMPP issues (1 hour)


Session 12: SQL Injection – Part 1 (1 hour)


Session 13: SQL Injection – Part 2 (1 hour)


Session 14: SQL Injection – Part 3 (1 hour)


Session 15: SQL Injection – Part 4 (1 hour)


Session 16: SQL Injection – Part 5 (1 hour)


Session 17: Cross Site Request Forgery – Part 1 (1 hour)


Session 18: Cross Site Request Forgery – Part 2 (1 hour)


Session 19: Insecure Direct Object Reference (1 hour)


Session 20: Failure to Restrict URL Access and Sensitive Data Exposure (1 hour)


Session 21: Broken Authentication and Session Management – Part 1 (1 hour)


Session 22: Broken Authentication and Session Management – Part 2 (1 hour)


Session 23: Broken Authentication and Session Management – Part 3 (1 hour)


Session 24: Broken Authentication, Session Management and Using components with known vulnerabilities – Part 3 (40 minutes)


Session 25: Unvalidated Redirects/Forwards and Malicious File Uploads (1 hour)


Session 26: Other Vulnerabilities – Part 1 (1 hour)

  • Missing Cookie Attributes: HTTP Only and Secure flags
  • Missing HSTS Header
  • Dangerous/unsafe HTTP methods enabled
  • Cacheable HTTPS response/Browser cache weakness

Session 27: Other Vulnerabilities – Part 2 (1 hour)

  • Clickjacking
  • Insufficient Password Policy
  • XXE-XML External Entity

Session 28: Other Vulnerabilities – Part 3 (1 hour)

  • Insecure Deserialization
  • Insufficient Logging and Monitoring

Session 29: Security Testing Tools Demo (1 hour)

  • Acunetix Tool Demonstration
  • ZAP Tool Demonstration

Session 30: Network Security Testing – Part 1 (1 hour)

  • IP Addresses
  • Ports
  • Protocols
  • It's all about
  • Network Security Testing Types
  • Approach

Session 31: Network Security Testing – Part 2 (1 hour)

  • NMAP
  • Common Reported Vulnerabilities

Session 32: Android Security Testing – Part 1 (1 hour)

  • Android Architecture
  • Android Versions
  • Android Application: .apk
  • AndroidManifest.xml file
  • Android Application Components: AndroidManifest.xml file
  • Tools required
  • Approach
  • Installing the apk file
  • Decompiling the apk file
  • Local data storage

Session 33: Android Security Testing – Part 2 (1 hour)

  • Reversing the target application
  • Hard Coded Issues
  • Insecure Logging
  • Insecure Data Storage
  • Input Validation: SQL Injection
  • Input Validation: Part 2
  • Access Control Issues: Part 1

Session 34: Live Project Session (2 hours)

  • Steps to configure a vulnerable Live Project in your machine
  • Live Project Demonstration

Other Stuff


Happy Learning 🙂

Arun Motoori (www.qafox.com)