Session 1: Introduction to Security Testing (45 Minutes)
 |
 |
 |
- Introduction
- Importance of Security Testing
- Jobs and their demand
- Course Walkthrough
- Questions on Course and Security Testing
Session 2: Basic Concepts – Part 1 (1 hour)
|
|
|
- CIA Triad
- Confidentiality
- Integrity
- Availability
- Vulnerability
- Threat
- Risk
- HTTP Protocol basics
- HTTP Methods
- HTTP Response Codes
- Cookie
- Session
- Cookie Versus Session
- Cryptography (Introduction)
Session 3: Basic Concepts – Part 2 (1 hour)
|
|
|
- Cryptography
- Encryption
- Symmetric Key Encryption
- Asymmetric Key Encryption
- Encoding
- Hashing
- Encryption
Session 4: Basic Concepts – Part 3 (55 Minutes)
|
|
|
- Encryption, Encoding, and Hashing – CIA Triad
- Input Validation
- Output Encoding
- Client-side Validation versus Server-side Validation
- Client-side validation
- Server-side validation
- Client-side Vs Server-side Validation
- BlackList validation
- WhiteList validation
- BlackList validation versus WhiteList validation
- SDLC Process and Secure SDLC Process
- Secure SDLC-Advantages
Session 5: Basic Concepts – Part 4 (1 hour)
|
|
|
- Threat Modelling
- STRIDE Methodology
-
- Spoofing Identity
- Tampering with data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of privilege
-
- SSL – Secured Socket Layer
- HTTP versus HTTPS
- SSL and TLS Versions
Session 6: Basic Concepts – Part 5 (1 hour)
|
|
|
- SSL Handshaking Process
- Authentication versus Authorization
Session 7: Basic Concepts – Part 6 and SQL Injection – Part 1 (1 hour)
|
|
|
- 5 Phases of Security Testing
- OWASP Top 10 Vulnerabilities
- How to understand the vulnerabilities?
- SQL Injection
- What is SQL?
- SQL Query Generation
- SQL Injection Definition
- SQL Injection Types
- Impact of SQL Injection
- SQL Injection Demonstration (Single quote and advanced)
Session 8: BurpSuite Tool and SQL Injection – Part 2 (1 hour)
|
|
|
- Installing BurpSuite Tool
- BurpSuite – Configuration
- BurpSuite – Demonstration
- BurpSuite – Purpose
- SQL Injection – Error Based
- SQL Injection – Demonstration of different Error Based SQL Injections
- SQL Injection – Approach and Process
- SQL Injection – Client recommendations in day to day real time projects
- Comparision between Free and Premium versions of BurpSuite
- Comparing BurpSuite with other similar tools available in the market
- SQL Injection – Discussion, Questions/Doubts clarifications
Session 9: SQL Injection – Part 3 (1 hour)
|
|
|
Session 10: SQL Injection – Part 4 (1 hour 30 minutes)
|
|
Session 11: Cross Site Scripting – Part 1 (1 hour)
|
|
 |
Session 12: Cross Site Scripting – Part 2 and BrupSuite Features – Part 1 (1 hour)
|
|
Session 13: Cross Site Request Forgery – Part 1 (1 hour)
|
|
Session 14: Cross Site Request Forgery – Part 2 (45 Minutes)
|
|
Session 15: Insecure Direct Object Reference and Failure to restrict URL access – 1 hour (1 hour)
|
|
Session 16: Insecure Direct Object Reference – Part 2, Failure to restrict URL access – Part 2 and Sensitive Data Exposure (1 hour)
|
|
Session 17: Broken Authentication and Session Management – 1 hour (1 hour)
|
|
Session 18: Broken Authentication and Session Management – Part 2 (1 hour)
|
|
Session 19: Broken Authentication and Session Management – Part 3, Security Misconfiguration and Using components with known vulnerabilities (1 hour)
|
|
Session 20: Security Misconguration – Part 2, Malicious/Unrestricted File Uploads, Misssing Cookie Attributes and Dangerous/unsafe http methods enabled (1 hour)
|
|
Session 21: Cacheable HTTPS response, Unsafe CORS Policy, XML External Entity (1 hour)
|
|
Session 22: Insecure Deserialization and Insufficient Logging & Monitoring (1 hour)
|
|
Session 23: Network Security Testing – Part 1 (50 minutes)
|
|
|
- What is a Network?
- What will a Network generally contain?
- Purpose of Network Security Testing
- Network Security Testing Basics
- IP Address
- Port
- Protocol
- Understanding Protocol
- Examples for Network Protocol
- TCP
- UDP
- ARP
- FTP
- DNS
- Telnet
- SSH
- Network Security Testing is all about
- Is Network Security Testing an easy task?
- Network Security Testing Tools
- Questions, Discusssions and Testing Focus
Session 24: Network Security Testing – Part 2 (1 hour 15 minutes)
|
|
Session 25: Mobile Security Testing – Part 1 (1 hour 10 minutes)
|
|
 |
Session 26: Mobile Security Testing – Part 2 (1 hour)
|
|
Session 27: BurpSuite and Kali Linux Tools (1 hour)
|
Other Stuff
 |
 |
Live Project Session (2 hours)
 |
 |
- Steps to configure a vulnerable Live Project in your machine
- Live Project Demonstration
Happy Learning 🙂
Arun Motoori (www.qafox.com)