Security Testing Training – Batch Two


Session 1: Introduction to Security Testing (45 Minutes)

  • Introduction
  • Importance of Security Testing
  • Jobs and their demand
  • Course Walkthrough
  • Questions on Course and Security Testing

Session 2: Basic Concepts – Part 1 (1 hour)

  • CIA Triad
    • Confidentiality
    • Integrity
    • Availability
  • Vulnerability
  • Threat
  • Risk
  • HTTP Protocol basics
    • HTTP Methods
    • HTTP Response Codes
  • Cookie
  • Session
  • Cookie Versus Session
  • Cryptography (Introduction)
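The cookie-versus-session distinction above, as an added example that is not part of the course material: a cookie is data the browser stores and returns on every request, so the server must not trust its contents; a session is state kept on the server and referenced by an opaque identifier that travels in a cookie. The three patterns shown (role stored in a plain cookie, an HMAC-signed cookie, and a server-side session table with an opaque id) are written for this illustration, and the store names, usernames and roles are assumptions.

```python
"""Added example (not part of the course page): cookie versus server-side session.

A cookie is data the browser stores and returns on every request, so the
server must not trust its contents.  A session is state kept on the server,
referenced by an opaque identifier that travels in a cookie.  The store names,
usernames and roles below are assumptions constructed for this illustration.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed for the demo: a per-server secret and the in-memory session table.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS: Dict[str, dict] = {}


def naive_role_cookie(role: str) -> str:
    """Anti-pattern: the authorization decision itself lives in the cookie."""
    return f"role={role}"


def naive_role_from_cookie(cookie_header: str) -> str:
    """A server that reads the role back trusts whatever the client sent."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return cookie["role"].value


def sign_cookie_value(payload: str) -> str:
    """Stateless middle ground: data stays in the cookie but is tamper-evident."""
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie_value(signed: str) -> Optional[str]:
    """Return the payload only if its HMAC tag verifies; None on tampering."""
    payload, _, tag = signed.rpartition(".")
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def build_session_cookie(username: str, role: str) -> str:
    """Server-side session: only a random identifier is sent to the client.

    Returns the Set-Cookie header value, carrying the attributes a tester
    checks for (HttpOnly, Secure, SameSite).
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "role": role}
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True      # page scripts cannot read it
    cookie["sid"]["secure"] = True        # only sent over HTTPS
    cookie["sid"]["samesite"] = "Strict"  # not sent on cross-site requests
    return cookie.output(header="").strip()


def resolve_session(cookie_header: str) -> Optional[dict]:
    """Look up the session named by the Cookie header; unknown ids get nothing."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


if __name__ == "__main__":
    print(naive_role_from_cookie("role=admin"))  # the client chose its own role
    signed = sign_cookie_value("role=user")
    print(verify_cookie_value(signed.replace("user", "admin")))  # None: tag mismatch
    header = build_session_cookie("alice", "user")
    print(header)
    sid = header.split("sid=")[1].split(";")[0]
    print(resolve_session(f"sid={sid}"))
```

The signed-cookie variant still reveals the payload to the client and cannot be revoked server-side; the session-table variant hides the role entirely and can be invalidated by deleting the entry, which is why it is the default choice for authentication state.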

Session 3: Basic Concepts – Part 2 (1 hour)

  • Cryptography
    • Encryption
      • Symmetric Key Encryption
      • Asymmetric Key Encryption
    • Encoding
    • Hashing

Session 4:  Basic Concepts – Part 3 (55 Minutes)

  • Encryption, Encoding, and Hashing – CIA Triad
  • Input Validation
  • Output Encoding
  • Client-side Validation versus Server-side Validation
    • Client-side validation
    • Server-side validation
    • Client-side Vs Server-side Validation
  • Blacklist validation
  • Whitelist validation
  • Blacklist validation versus Whitelist validation
  • SDLC Process and Secure SDLC Process
  • Secure SDLC-Advantages
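The validation and output-encoding topics in this session, as an added example that is not part of the course material: a blacklist check that misses a token it was never taught, a whitelist check that only accepts what the field is defined to contain, server-side enforcement of that rule regardless of what the browser did, and HTML output encoding applied separately at render time. The field rule, the blocked tokens and the probe strings are assumptions constructed for this illustration.

```python
"""Added example (not part of the course page): blacklist versus whitelist
input validation, with output encoding applied separately at render time.

The field rules, blocked tokens and probe strings are assumptions constructed
for this illustration.
"""
import html
import re

# Blacklist: reject input that contains a known-bad token.  It only stops
# the attacks its author thought of; everything else is a bypass.
BLOCKED_TOKENS = ("<script", "javascript:", "onerror=")


def blacklist_ok(value: str) -> bool:
    """True if none of the blocked tokens appear (case-insensitively)."""
    lowered = value.lower()
    return not any(token in lowered for token in BLOCKED_TOKENS)


# Whitelist: describe what the field is allowed to contain and reject the rest.
# A username here is 3-16 characters, lowercase letters, digits or underscore,
# starting with a letter; no attack string needs to be known in advance.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")


def whitelist_ok(value: str) -> bool:
    """True only if the whole value matches the allowed pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_server_side(form_value: str) -> str:
    """Server-side validation: the browser's checks are advisory only, so the
    same rule is applied here regardless of what the client did.  Rejects
    invalid input rather than trying to 'clean' it."""
    if not whitelist_ok(form_value):
        raise ValueError("invalid username")
    return form_value


def render_greeting(username: str) -> str:
    """Output encoding: escape for the HTML body context at the point of output,
    independent of validation, so even a value that slipped through is inert."""
    return f"<p>Hello, {html.escape(username, quote=True)}!</p>"


if __name__ == "__main__":
    probes = ["alice", "<ScRiPt>alert(1)</script>", "<svg onload=alert(1)>"]
    for probe in probes:
        print(f"{probe!r:32} blacklist={blacklist_ok(probe)!s:5} "
              f"whitelist={whitelist_ok(probe)}")
    print(render_greeting("<svg onload=alert(1)>"))
```

The `<svg onload=...>` probe passes the blacklist because none of its tokens are on the list, yet fails the whitelist because it is not a username; that asymmetry is the whole argument for whitelist validation. Output encoding is context-specific: `html.escape` is right for an HTML body, but a value placed into a JavaScript string or a URL needs the encoder for that context.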

Session 5:  Basic Concepts – Part 4 (1 hour)

  • Threat Modelling
  • STRIDE Methodology
      • Spoofing Identity
      • Tampering with data
      • Repudiation
      • Information Disclosure
      • Denial of Service
      • Elevation of privilege
  • SSL – Secure Sockets Layer
  • HTTP versus HTTPS
  • SSL and TLS Versions

Session 6:  Basic Concepts – Part 5 (1 hour)

  • SSL/TLS Handshake Process
  • Authentication versus Authorization

Session 7:  Basic Concepts – Part 6 and SQL Injection – Part 1 (1 hour)

  • 5 Phases of Security Testing
  • OWASP Top 10 Vulnerabilities
    • How to understand the vulnerabilities?
  • SQL Injection
    • What is SQL?
    • SQL Query Generation
    • SQL Injection Definition
    • SQL Injection Types
    • Impact of SQL Injection
    • SQL Injection Demonstration (Single quote and advanced)

Session 8:  BurpSuite Tool and SQL Injection – Part 2 (1 hour)

  • Installing BurpSuite Tool
  • BurpSuite – Configuration
  • BurpSuite – Demonstration
  • BurpSuite – Purpose
  • SQL Injection – Error Based
  • SQL Injection – Demonstration of different Error Based SQL Injections
  • SQL Injection – Approach and Process
  • SQL Injection – Client recommendations from day-to-day, real-world projects
  • Comparison between Free and Premium versions of BurpSuite
  • Comparing BurpSuite with other similar tools available in the market
  • SQL Injection – Discussion, Questions/Doubts clarifications
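The single-quote demonstration from Session 7 and the error-based probing from this session, as an added example that is not part of the course material: a login query built by string concatenation, the lone-quote probe that makes it throw a database error, the `admin' --` and `' OR '1'='1` payloads that bypass it, and the parameterised query that treats the same input as data. The users table, rows and credentials are constructed for this illustration; an in-memory SQLite database stands in for the course's target application.

```python
"""Added example (not part of the course page): the single-quote and
error-based SQL injection probes demonstrated in the course, shown against an
in-memory SQLite database alongside the parameterised fix.

The users table, rows and credentials are constructed for this illustration.
"""
import sqlite3
from typing import Optional, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """Query built by string concatenation: input becomes part of the SQL
    grammar, so a quote in the input changes the query's meaning."""
    query = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[Tuple[str, str]]:
    """Parameterised query: the driver sends values separately from the SQL
    text, so a quote is just a character inside a value."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def single_quote_probe(conn: sqlite3.Connection, login) -> Optional[str]:
    """The tester's first probe: a lone quote in the username field.  A
    database error coming back is the sign of error-based injection; None
    means the login handled the quote as data."""
    try:
        login(conn, "'", "x")
    except sqlite3.DatabaseError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    conn = setup_db()
    print(single_quote_probe(conn, login_vulnerable))    # SQL syntax error text
    print(single_quote_probe(conn, login_safe))          # None
    print(login_vulnerable(conn, "admin' --", "wrong"))  # ('admin', 'admin')
    print(login_vulnerable(conn, "x", "' OR '1'='1"))    # ('admin', 'admin')
    print(login_safe(conn, "admin' --", "wrong"))        # None
```

In a real engagement the error text that `single_quote_probe` surfaces is what a tester looks for in the HTTP response after sending the quote through BurpSuite's Repeater; the `--` payload works because SQLite and most other engines treat the rest of the line as a comment, which is why the password clause disappears.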

Session 9:  SQL Injection – Part 3 (1 hour)


Session 10:  SQL Injection – Part 4 (1 hour 30 minutes)


Session 11:  Cross Site Scripting – Part 1 (1 hour)


Session 12:  Cross Site Scripting – Part 2 and BurpSuite Features – Part 1 (1 hour)


Session 13:  Cross Site Request Forgery – Part 1 (1 hour)


Session 14:  Cross Site Request Forgery – Part 2 (45 Minutes)


Session 15:  Insecure Direct Object Reference – Part 1 and Failure to restrict URL access – Part 1 (1 hour)


Session 16:  Insecure Direct Object Reference – Part 2, Failure to restrict URL access – Part 2 and Sensitive Data Exposure (1 hour)


Session 17:  Broken Authentication and Session Management – Part 1 (1 hour)


Session 18:  Broken Authentication and Session Management – Part 2 (1 hour)


Session 19:  Broken Authentication and Session Management – Part 3, Security Misconfiguration and Using components with known vulnerabilities (1 hour)


Session 20:  Security Misconfiguration – Part 2, Malicious/Unrestricted File Uploads, Missing Cookie Attributes and Dangerous/unsafe HTTP methods enabled (1 hour)


Session 21:  Cacheable HTTPS response, Unsafe CORS Policy, XML External Entity (1 hour)


Session 22:  Insecure Deserialization and Insufficient Logging & Monitoring (1 hour)


Session 23:  Network Security Testing – Part 1 (50 minutes)

  • What is a Network?
  • What will a Network generally contain?
  • Purpose of Network Security Testing
  • Network Security Testing Basics
    • IP Address
    • Port
    • Protocol
      • Understanding Protocol
      • Examples for Network Protocol
      • TCP
      • UDP
      • ARP
      • FTP
      • DNS
      • Telnet
      • SSH
  • Network Security Testing is all about
  • Is Network Security Testing an easy task?
  • Network Security Testing Tools
  • Questions, Discussions and Testing Focus

Session 24:  Network Security Testing – Part 2 (1 hour 15 minutes)


Session 25:  Mobile Security Testing – Part 1 (1 hour 10 minutes)


Session 26:  Mobile Security Testing – Part 2 (1 hour)


Session 27:  BurpSuite and Kali Linux Tools (1 hour)


Other Stuff


Live Project Session (2 hours)

  • Steps to configure a vulnerable Live Project in your machine
  • Live Project Demonstration

Happy Learning  🙂

Arun Motoori (www.qafox.com)