The breadth of knowledge required to be a proficient Web Application Security professional can be overwhelming. Web applications are becoming more complicated by the day, meaning full-coverage Web Application Penetration Tests require an ever-expanding quantity of technical knowledge and experience. To make matters worse, the complexity of modern applications creates massive blind spots for automated tooling, leaving people as the lone means of discovery for the vulnerabilities concealed by these limitations. The end result is an industry job market that demands highly skilled Web Application Penetration Testers, but a lack of qualified candidates. With a desire to fill this gap, Practical Security Services designed PWAPT to provide comprehensive Web Application Penetration Testing training that meets two objectives:
PWAPT provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end Web Application Penetration Testing engagements. After a quick overview of the Web Application Penetration Testing methodology, the instructor will lead students through the process of testing multiple targets using the techniques and approaches developed from a career of real world Web Application Penetration Testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with automated and manual testing techniques to quickly identify vulnerabilities. A major goal of this course is teaching students the glue that brings the tools, techniques, and methodology together to successfully perform Web Application Penetration Tests that provide maximum value to the application owner. The end result is an individual with the confidence and skill to perform comprehensive Web Application Penetration Tests.
The majority of the course will be spent performing a hands-on simulated Web Application Penetration Test of several target applications. These targets consist of custom built server-side and client-side rendered frontends, REST APIs, and various authentication schemes, in order to demonstrate modern architectural design and real vulnerability patterns as encountered in the wild.
PWAPT is a PortSwigger preferred Burp Suite Training course. PWAPT students will learn basic and advanced usage techniques for Burp Suite Pro, as well as discover obscure functionality hidden within the vast capabilities of the tool. Students will also receive a trial license for Burp Suite Pro to use during and after the course.
Students taking this course should have introductory knowledge of the OWASP Top 10 and a thorough understanding of the HTTP protocol. Students do not need to be comfortable finding or exploiting common web vulnerabilities, but a general understanding is ideal. However, understanding the HTTP protocol is vital. PWAPT does not cover basic HTTP, but will reference it repeatedly assuming students are familiar with the protocol. PWAPT may also do this with some vulnerabilities, but will discuss them in further detail at a later time during the class. Knowledge of web technologies and programming constructs will also be helpful, but is not required, as PWAPT uses code to discover and validate vulnerabilities where necessary. Practical Security Services offers an optional HTTP primer add-on that covers the basics of HTTP, Object-Oriented programming as it applies to the Document Object Model, and architectural design patterns for web applications.
While this is not an advanced course, PWAPT will strive to cover advanced topics if the ability level of the student population allows. Please prepare yourselves for the above requirements if you do not already meet them coming into the course. Anyone looking to get into Web Application Security or hone their craft should be working on their software development skills. If not already doing so, this is a good time to get started.
"I just completed my first paid pen test as an after hours gig. Thanks to your class, I had a solid methodology to follow. I went down the list and it went better than I expected. I found stored XSS, IDOR, Session Fixation, insecure JWT storage, CSRF and more. I would have never been able to do this without you. Thank you so much. I can’t wait to take the class again!!"
"This is the most beneficial, real-world applicable course I have ever attended on web application penetration testing. In three days, Tim walked us through his expert methodology on assessing web applications and provided insight on the most recent vulnerabilities that are currently being found and how to test for them. Excellent course."
"I've been in IT for 24 years and have taken dozens and dozens of training classes. I've left most of those classes feeling like the value of the class for the cost wasn't worth it. That was completely the opposite for your class. I left wondering why it was so cheap. Without a doubt it was some of the best training I've received in my career."
"I've taken several different trainings/certifications to include: OSCP, eMAPT, ePPT, SANS (GCFE and GMOB); your training and method of instruction blew these away. You've given me the gift of knowledge and I greatly appreciate it!"
"Thank you for an amazing class! Truly inspirational. I'm probably one of the newest from your Springfield class to the security world, but you were able to teach and present all of the information in a way that was not only at a level that could be easily understood, but was engaging and fun!"
"Seriously can't recommend the PWAPT and any other PractiSec's trainings enough. Learned so much and will be using the course content as a resource for a long, long time."
"If you are a Web App Pen Tester and have not taken a class from PractiSec you are missing out! Do yourself a favor and check it out! Without a doubt the best training I have ever taken!"
"If you prefer in-person training, the best out there, hands down, is PractiSec."
"Had the opportunity to attend PBAT & PWAPT by PractiSec last week. Tremendous insight and tradecraft within this Burp-centric course. Great content, highly energetic instructor, tons of real-world examples, many hands-on exercises. Highly recommended!"
"It has been a long time since I have taken a course where I gained new knowledge and insights plus be able to immediately implement it within my team!! Good for beginners and experienced testers."
"Just finished best security training I’ve done yet! Learned everything, high level methodology, foundational concepts, tools, tips, tricks, everything. ABSOLUTELY worth your time! Thanks PractiSec!"
"Just wrapped up PWAPT with PractiSec! By far, one of the best technical courses I have ever taken with an exceptional instructor. Putting Tim’s methodology immediately into action to get the job done! Amazing value! Thanks for all you do for the community, Tim!"
"I recently attended the PWAPT taught by PractiSec. By far the best security training that I have attended in my career. Tim built and executed this course like a Jedi master. Not only great content, but the wisdom to deliver on the materials at every step."
"Tim did an awesome job teaching PWAPT. One of the best teachers in this industry. Went back to work with immediate value to enhance Security of my workplace web app Security."
"I can't say enough good things about PractiSec's Practical Web Application Penetration Testing course. Tim delivers information in a very digestible, and immediately useful way. I highly recommend this course to all AppSec professionals."