No one wants to hire a Web Application Penetration Tester without experience, but it's difficult to gain experience unless you already work in the field or breach ethical boundaries. This is a challenge that many "green" Web Application Security professionals face. Born out of this need, Practical Security Services designed PWAPT to provide real world web application penetration testing experience in a classroom environment, allowing for the growth required to enter the workforce with confidence and competence. PWAPT was also designed to provide experienced Web Application Security consultants with a better defined testing methodology complemented by obscure vulnerability discovery techniques and "quality of life" tips and tricks to improve on a developed skill set. Regardless of skill level, PWAPT has something for everyone.
PWAPT provides comprehensive training on the latest open source tools and manual techniques for performing impactful web application penetration testing engagements. After a quick overview of the web application penetration testing methodology, the instructor will lead students through the process of testing and exploiting multiple targets using the techniques and approaches developed from a career of real world web application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with automated and manual testing techniques to quickly identify vulnerabilities that can be exploited to penetrate the target environment. A major goal of this course is teaching students the glue that brings the tools, techniques, and methodology together to successfully perform web application penetration tests that maximize the impact of unsafe development practices. The end result is an individual with the confidence and skill to perform web application penetration tests as a Web Application Security professional.
The majority of the course will be spent performing a hands-on simulated web application penetration test of several target applications. These targets consist of custom built server-side and client-side rendered frontends, REST and GraphQL APIs, and various authentication schemes, in order to demonstrate modern architectural design and real vulnerability patterns as encountered in the wild.
PWAPT is a PortSwigger preferred Burp Suite Training course. PWAPT students will learn basic and advanced usage techniques for Burp Suite Pro, as well as discover obscure functionality hidden within the vast capabilities of the tool. Students will also receive a trial license for Burp Suite Pro to use during and after the course.
Students taking this course should have introductory knowledge of the OWASP Top 10 and a thorough understanding of the HTTP protocol. Students do not need to be comfortable finding or exploiting common web vulnerabilities, but a general understanding is ideal. However, understanding the HTTP protocol is vital. PWAPT does not cover basic HTTP, but will reference it repeatedly, assuming students are familiar with the protocol. PWAPT may likewise reference some vulnerabilities before they are covered, but will discuss them in further detail later in the class. Knowledge of web technologies and programming constructs will also be helpful, but is not required, as PWAPT uses code to explain and demonstrate some vulnerabilities. Practical Security Services offers an optional HTTP primer add-on that covers the basics of HTTP, Object-Oriented programming as it applies to the Document Object Model, and architectural design patterns for web applications.
While this is not an advanced course, PWAPT will strive to cover advanced topics if the ability level of the student population allows. Please prepare yourselves for the above requirements if you do not already meet them coming into the course. Anyone looking to get into Web Application Security or hone their craft should be working on their software development skills. If not already doing so, this is a good time to get started.