CFI 2088 - Web Application Hacking
Credits: 3
Hours/Week: Lecture 2, Lab 2, Internship 0
Course Description: This course builds on the topics covered in Introduction to Ethical Hacking, but focuses on web applications. The major phases of penetration testing (reconnaissance, vulnerability analysis and exploitation) remain the same; however, the tools and techniques for web applications vary greatly. The course covers how to identify and exploit common web application flaws such as cross-site scripting, SQL injection, authentication flaws and more through hands-on labs. Course activities include a comprehensive hands-on exercise: conducting a penetration test against a unique lab web application.
MnTC Goals: None
Prerequisite(s): CFI 1085 and CFI 2086 with grades of C or higher, OR instructor consent.
Corequisite(s): None
Recommendation: None
Major Content
1. Web Application Security
- Current State of Web Application Security
- Web Application Technologies
2. Web Application Enumeration/Reconnaissance
- Application Usage
- Spidering
- Nikto
- Error Messages
3. Client-Side Controls
- Bypassing JavaScript
- Parameter Tampering
4. Authentication and Session Management Flaws
- Failing Open
- Cookies
- Session Hijacking
- Authentication Design Flaws
5. Cross-Site Scripting
- Identifying and Exploiting XSS
- Automated Exploitation
- Bypassing XSS Filters
- Escaping/Encoding User Input
6. SQL Injection
- DBMS Technologies
- Identifying SQL Injection
- Enumerating Information with SQL Injection
- Gaining a Shell from SQL Injection
7. Web Application Exploitation
- Cross-Site Request Forgery
- File Inclusion Attacks
- Clickjacking
- Server/Application Misconfigurations
- Sensitive Data Exposure
- OS Command Injection
Learning Outcomes
At the end of this course, students will be able to:
- describe the different technologies making up web applications.
- explain the phases of ethical hacking and how they relate to web applications.
- perform web application security testing in a lab environment.
- report ethical hacking findings in a professional format.
- identify vulnerabilities in a lab web application.
- describe fixes/recommendations for identified vulnerabilities.
- identify tools and resources needed to perform ethical hacking against web applications.
- describe source code coding and logic flaws that lead to exploitable weaknesses in web applications.
- identify cross-site scripting flaws.
- identify SQL Injection flaws.
- identify file inclusion flaws.
- identify OS command injection flaws.
- identify authentication flaws.
Minnesota Transfer Curriculum (MnTC): Goals and Competencies
Competency Goals (MnTC Goals 1-6): None
Theme Goals (MnTC Goals 7-10): None