
Web Site Audit

Master web site security auditing, from methodology to technical practice.

Objective

This course will teach you how to implement a real web site audit procedure. You will be confronted with web application security issues. You will study the audit process, both from a methodological and technical perspective. The different aspects of an analysis will be highlighted through several practical exercises. This training is intended for people who want to be able to perform technical tests during a web site audit or deployment.

Specific objectives:

  • Understand and exploit different web site vulnerabilities
  • Expand the scope of vulnerability exploitation for penetration testing

Prerequisites

  • HSA course level
  • Knowledge of web development languages

General Information

  • Code: AUDWEB
  • Duration: 3 days
  • Schedule: 8:30 AM - 5:30 PM
  • Location: Training Center, Centre Urbain Nord, Tunis

Target Audience

  • Security Consultants
  • Engineers / Technicians
  • Developers

Resources

  • Course materials
  • 40% demonstration
  • 40% theory
  • 20% practical exercises

Program

  • Day 1
    • Introduction
    • Audit methodology reminder and Action plan
    • Information gathering and Scanning
    • Vulnerability research and exploitation
    • Reconnaissance
    • Passive reconnaissance
    • WHOIS databases
    • Active reconnaissance
    • Site visit as a user
    • Search for admin pages
    • Search for default files (robots.txt, sitemap)
    • Detection of used technologies
    • Countermeasures
    • Limit network exposure
    • Filter access to admin pages and sensitive pages
    • Replace verbose error messages with generic ones
    • Scanning
    • Different types of scanners
    • Scanner limitations
  • Day 2
    • Design vulnerabilities
    • Update policy
    • Communication encryption
    • Password policy
    • Inter-account isolation
    • Access to other users' data
    • Modification of personal information
    • Session management
    • Web vulnerabilities
    • Setting up a Proxy solution
    • Cross-site Scripting (XSS)
    • Cross-site Request Forgery (CSRF)
    • SQL Injection
    • Command Injection
    • Server Side Includes (SSI)
    • Object Injection
    • Exploitation and Countermeasures
  • Day 3
    • Web vulnerabilities (continued)
    • File Inclusion
    • Local File Inclusion (LFI)
    • Remote File Inclusion (RFI)
    • Countermeasures
    • File Upload
    • Basic exploitation
    • Content-type verification
    • Blocking dangerous extensions
    • Countermeasures
    • XML External Entity (XXE)
    • Entities
    • Discovering the vulnerability
    • Exploiting the vulnerability
    • Countermeasures
    • Server Side Template Injection (SSTI)
    • Example of Twig usage
    • Example of Twig exploitation
    • Example of Flask exploitation
    • Countermeasures
    • Final Challenge

Contact our experts for any additional information, a study, or a free estimate for an audit service.

Information security is essential for any company that must protect and enhance its information assets.
