SEC542 Notes

A study guide for SEC542: Web App Penetration Testing and Ethical Hacking. Visit the SEC542 webpage For additional information.

Study Guide Menu

• Appendix of concepts, methods and tools in the SEC542 course.
  • Concepts
  • Methods
  • Tools
  • Snippets
• Cheatsheets for quick reference.
• Glossary of terms in the SEC542 course.
• Index of references to terms in the SEC542 course.
• Labs in the SEC542 course, abridged versions.
  • 542.1 Introduction and Information Gathering
    • Why the Web
    • Understanding the Web
    • Course Logistics
    • Web App Pen Tester's Toolkit
    • Interception Proxies
    • WHOIS and DNS
    • Exercise: DNS Harvesting
    • Open Source Information
    • HTTP Protocol
    • HTTP Methods
    • HTTP Status Codes
    • WebSocket
    • Exercise: Examining HTTP Requests and Responses
    • HTTPS
    • Testing for Weak Ciphers
    • Exercise: Testing HTTPS
    • Heartbleed
    • Exercise: Exploiting Heartbleed
    • Demo: Burp Suite Introduction
  • 542.2 Configuration, Identity and Authentication Testing
    • Scanning with Nmap
    • Exercise: Gathering Server Info
    • Testing Software Configuration
    • Shellshock
    • Exercise: Shellshock
    • Spidering Web Applications
    • Exercise: Spidering
    • Analyzing Spidering Results
    • Exercise: ZAP Forced Browse
    • Fuzzing
    • Exercise: Burp Fuzzing
    • Information Leakage
    • Exercise: Directory Browsing
    • Authentication
    • Exercise: Authentication
    • Username Harvesting
    • Exercise: Username Harvesting
  • 542.3 Injection
    • Session Tracking
    • Session Fixation
    • Bypass Flaws
    • Exercise: Authentication Bypass
    • Vulnerable Web Apps: Mutillidae
    • Command Injection
    • Exercise: Command Injection
    • File Inclusion and Directory Traversal
    • Exercise: Local/Remote File Inclusion
    • SQL Injection Primer
    • Discovering SQLi
    • Exercise: Error-Based SQLi
    • Exploiting SQLi
    • SQLi Tools
    • Exercise: sqlmap + ZAP
  • 542.4 JavaScript and XSS
    • JavaScript
    • Document Object Model (DOM)
    • Exercise: JavaScript
    • Cross-Site Scripting
    • Exercise: Reflective XSS
    • XSS Tools
    • XSS Fuzzing
    • Exercise: HTML Injection
    • XSS Exploitation
    • BeEf
    • Exercise: BeEf
    • AJAX
    • API Attacks
    • Data Attacks
    • Exercise: AJAX XSS
  • 542.5 CSRF, Logic Flaws and Advanced Tools
• Outline of the SEC542 course.
  • 542.1 Introduction and Information Gathering
  • 542.2 Configuration, Identity and Authentication Testing
  • 542.3 Injection
  • 542.4 JavaScript and XSS
  • 542.5 CSRF, Logic Flaws and Advanced Tools
• Cheatsheets for quick reference of the SEC542 course.
  • Foo
  • Bar

---

Study Guide: Outline, Index, Labs, Glossary, Appendix or Cheatsheets.