05CS2203 MSc CS 2 - Web Penetration Testing

FACULTY OF COMPUTER APPLICATIONS

Master of Science – Cyber Security and Cyber Law

▪ Course : M.Sc. Cyber Security and Cyber Law
▪ Sem : 2
▪ Subject Code : 05CS2203
▪ Subject : Web Penetration Testing
▪ Objectives :
1. Understand web basics.
2. Understand web applications and their testing methodologies.
3. Apply techniques used for penetrating a machine using tools.
4. Apply defensive techniques against web attacks.
5. Be able to generate a web analysis report.
▪ Prerequisites : Basics of Cyber Security, Network Security, JavaScript, and any web-based language.

Topics covered per unit (number of lectures required in brackets):

Unit 1: Introduction of penetration testing (8 lectures)
Introduction to web applications: HTTP/S protocol, Encoding, SOP, Introduction of the web from a penetration tester's perspective, Introduction of various servers and clients, Discussion of the various web architectures, Penetration testing methodology, Reconnaissance: objective, basic research for penetration testing technology.

Unit 2: Vulnerability testing and server/client-side attack (12 lectures)
Discussion of the different types of vulnerabilities, Vulnerability assessment, Exploitation, Exploiting email systems, Brute force attack, Man-in-the-middle attack, Client-side attack: Social engineering, Social Engineering Toolkit (SET), MITM Proxy, Host scanning, Obtaining and cracking user passwords, Kali password cracking and other penetration tools.

Unit 3: Authentication attack (13 lectures)
Scanning with Nmap, Discovering the infrastructure within the application, Identifying the machines and operating systems, Exploring virtual hosting and its impact on testing, Learning methods to identify load balancers, Attacking session management, Hijacking web session cookies, Web session tools, Session tracking, Authentication bypass flaws, Mutillidae, Command injection, Directory traversal, Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection, Blind SQL injection, Error-based SQL injection, Exploiting SQL injection, DVWA, Cross-site scripting: Anatomy of an XSS exploitation, XSS exploitations.

Unit 4: Web attacks and defensive countermeasures (9 lectures)
Browser Exploitation Framework, FoxyProxy, Burp Proxy, OWASP, DoS and DDoS with other Kali tools, Testing system defences: Baseline security, STIG, Patch management and password policy, HTTP track, Man-in-the-middle defences, Cookie defences, Clickjacking defences, Bypassing authorizations.

Unit 5: Web application report preparation (6 lectures)
SDLC, Application threat modelling in real life, Practical example of threat modelling, Penetration testing report: Compliance, Industry standards, Professional services, Documentation requirements, Report format, Statement of Work (SoW), Kali reporting tools.

▪ Course Outcomes :
1. Understand web basics and web applications.
2. Recognize the techniques of web hacking.
3. Identify security vulnerabilities and weaknesses in the target applications.
4. Identify how security controls can be improved to prevent attackers from gaining access to operating systems and networked environments.
5. Apply fundamental principles of problem solving in software engineering.

Course Outcomes – Program Outcomes Mapping Table :

      PO1  PO2  PO3  PO4  PO5  PO6  PO7  PO8  PO9  PO10 PO11 PO12
CO1   L    M    H    M    L    M    L    M    L    M    M    M
CO2   L    H    M    L    H    L    M    M    L    H    M    M
CO3   M    H    M    H    M    M    L    M    M    M    H    L
CO4   M    M    H    M    L    H    M    L    M    H    H    M
CO5   H    M    H    M    H    H    H    H    M    H    H    H

Text Books :

1. Web Penetration Testing with Kali Linux, Joseph Muniz & Aamir Lakhani, ISBN-13: 978-78216-316-9.
2. Practical Web Penetration Testing, Gus Khawaja, ISBN-13: 978-1-78862-403-9.

Reference Books :

1. Kali Linux Web Penetration Testing Cookbook, Gilberto Najera-Gutierrez, ISBN 978-1-78439-291-8.
2. Hacking Exposed Web Applications, 3rd edition, Joel Scambray, Vincent Liu & Caleb Sima.
3. Apache Cookbook, Rich Bowen & Ken Coar, O'Reilly.

▪ Web References :
1. https://www.tutorialspoint.com/web_application_penetration_testing/index.asp

▪ Syllabus Coverage from text /reference book & web/app reference:

Unit No   Chapter Numbers
1         Book 1: Chapter 1, 2
2         Book 1: Chapter 3 and 4
3         Book 1: Chapter 5
4         Book 1: Chapter 6 and 7
5         Book 1: Chapter 8; Book 2: Chapter 7
PRACTICALS
Sr. No   List of Practical
1   Building a Vulnerable Web Application Lab: installing Mutillidae, DVWA, bWAPP and installing Kali Linux in VirtualBox.
2   Intercepting the requests/responses using Burp Proxy:
      Setting the proxy in your browser
      Burp SSL certificate
      Burp Proxy options
      Fuzzing web requests using the Intruder tab
3   Perform a file inclusion attack:
      Remote File Inclusion
      Local File Inclusion
4   Executing Cross-Site Scripting attacks:
      Reflected XSS
      Stored XSS
      Exploiting stored XSS using the header
      DOM XSS
      JavaScript validation
5   Perform SQL Injection attack using sqlmap:
      Authentication bypass
      Extracting the data from the database
      Error-based SQLi enumeration
      Blind SQLi
6   Cross-Site Request Forgery using Burp Suite and Mutillidae as the target.
7   Using automated tools to scan web applications for vulnerabilities (Acunetix and OpenVAS).
8   Using known exploits to exploit web applications (Metasploit).
9   Cookie theft/session hijacking using Firesheep.
10  Executing MITM attack to grab username and password of non-SSL traffic.
      Executing MITM attack to grab username and password from SSL traffic using sslstrip.
11  Source code review of web application.
12  Demonstrate DoS and DDoS attack.
13  Use OSINT framework for deep analysis of target.
14  Make a case study on threat modelling.
15  Analyze and prepare penetration testing report of web application.
