eLearnSecurity Web Application Penetration Testing (WAPT) - Course Review

As the years have passed, we have seen attacks move up the OSI model, from physical-layer attacks (Layer 1) towards application-layer attacks (Layer 7). Application-layer attacks are where we are right now, and frankly speaking, from my experience I find application-layer attacks easier to learn and exploit than network-layer attacks. The defenses are easier to break and there are lots of attack vectors involved. All you need are the right tools to automatically scan for and exploit application-layer vulnerabilities. Take bug bounty programs, for instance: this is exactly what's happening there; I have literally seen people with absolutely zero security knowledge finding and reporting bugs, getting listed in halls of fame and making money. The question arises: if it's that easy to exploit applications, what if they used that knowledge for a negative cause? However, that's a different story, which we are not going to talk about today.

It's super easy to download a vulnerability scanner such as Netsparker, Acunetix or netstalker and start scanning websites and reporting vulnerabilities. However, what separates an actual penetration tester from someone who takes on bug bounty programs as a hobby is the ability to understand the underlying technologies, and frankly speaking, that is the fundamental of all penetration testing: the better you understand the application and its underlying technology, the higher the chances that you will find critical bugs within it. With that being said, there are certain restrictions on what a scanner can and cannot do. For example, a scanner cannot find logical bugs, second-order SQL injections and so on, since it doesn't know the context; therefore I only use scanners for quality assurance or for pointing out an interesting part of the web application that I could look at further.

To keep up with the knowledge and the trends, I regularly take new courses on penetration testing. Recently I got a chance to take eLearnSecurity's "Web Application Penetration Testing" course, and it turned out to be an amazing experience.

Introduction

eLearnSecurity's WAPT was specifically designed for beginners who have just come into the field of web application penetration testing and security and want to take their knowledge to the next level. The authors of this course have done a great job of covering most of the aspects of web application penetration testing.

Course Contents

The course is divided into several modules, and personally I feel that every module is covered in extensive depth and does its job of being clear and self-explanatory to the reader. The following are the modules you will come across; I'll talk briefly about what's inside each of them.

Introduction

This module introduces the reader to the fundamentals of web security. It talks about some of the important concepts in security, such as the same-origin policy, and other things necessary for understanding the rest of the course.

Penetration

This particular module is what I find missing in most web application security courses: penetration testing is not only about finding vulnerabilities and exploiting them, it's about learning the art of reporting, which turns out to be the most important step of a penetration test; if your report sucks, you suck. You might argue by saying "Did they hire a web designer or a penetration tester to do the job?", however it's true that clients take your reports seriously, and this is what this chapter aims at explaining, the art of reporting. I would have liked this module more if they had given a sample penetration testing report to the readers so that they could see exactly what an actual report looks like.

Testing Information Gathering

This particular module talks about enumerating web applications: things such as subdomains, backend services, backend databases, etc. Once again the authors do a great job of explaining things in a very simple manner.

Cross-Site Scripting

This module talks about the various types of cross-site scripting attacks and how to detect them inside real applications. For me this module was a bit basic, as I was expecting extensive coverage of things such as DOM XSS and WAF bypass. Nevertheless, the module is perfect from a beginner's perspective.

SQL Injections

I personally really liked this module, since it talks about most of the types of SQL injection attacks. The best part of this module is that it talks about the concepts and how things are done manually, instead of talking about tools such as Havij or sqlmap that exploit the vulnerabilities in an automated fashion.

Session Security

This module talks about a wide variety of session attacks, such as session ID prediction, session fixation, etc. To quote them: "Session related vulnerabilities will be the subject of this module with extensive coverage of the most common attacking patterns. Code samples on how to prevent session attacks are provided in PHP, Java and .NET. At the end of the module the student will master offensive as well as defensive procedures related to session management within web applications."

Flash Security and Attacks

Although Flash has been overtaken by HTML5, it is still present on lots of websites and it's not going away anytime soon. This module first talks about the Flash security model and then about how to go about attacking Flash-based files, which in my opinion is a great approach.

Authentication

This module talks about a wide variety of authentication-based attacks. To quote them: "During this module the student will learn the most common authentication mechanisms, their weaknesses and the related attacks. From inadequate password policies to weaknesses in the implementation of common features."

HTML5 and New Frontiers

This module is the main essence of the course. With the arrival of HTML5 and things such as local storage, web storage, etc., lots of new attack vectors have been introduced; this module talks about a wide variety of HTML5-based attack vectors in detail.

Common Vulnerabilities

This module talks about less publicized vulnerabilities such as clickjacking, RFI, LFI, HTTP response splitting, etc.

Web Services

This module talks about pentesting web services, such as REST APIs, whose growing popularity has brought us new attack vectors.

XPath Injection

I don't really know why they needed a separate module to cover XPath injection; they could have created a module called "Injection Attacks" and included all the types of injection attacks under it. Anyway, this module talks about XML structure first and then about XML injection and how to go about exploiting it.

VA and Exploitation Tools

This module talks about popular vulnerability assessment tools such as Acunetix, Netsparker, etc., and how to scan effectively for vulnerabilities; it also talks about using these tools to actually exploit some of the vulnerabilities.

Coliseum Lab

The course comes with the Coliseum Lab, which is itself divided into two types of labs: guided labs, and unguided labs, which are actual challenges. The labs are hosted in the cloud and destroyed after a certain time by default. They allow you to practice what you learned throughout the course.

Examination

After you have completed the course, you can schedule the examination. You are provided with a web application, and your objective is to gain administrative access to it and document all high-risk vulnerabilities. The total time frame for the exam is 7 days, after which you are given 7 more days to write the report and submit your findings. It was a fun and challenging exam; it took me 2 days to complete the challenge, and it might have been even faster if it were not for my slow internet connection.

Areas for Improvement

The overall course is good, but it certainly has some areas that should be worked on:
  • Recently, due to the increase in the use of client-side JavaScript, we have seen a rise in security issues such as DOM-based XSS. I didn't see any in-depth coverage of this attack; it was taught at a very basic level.
  • Web application firewalls are very common nowadays, but the course didn't cover the art of bypassing web application firewalls or the common techniques that could be used to evade them.

Overall, I would rate the course 8/10; from a beginner's perspective it's a must-do course, and the best thing is that they don't only teach you how to find vulnerabilities, they also teach you how to document them.

For more information, please visit the official website: elearnsecurity.com/