Pluralsight - Ethical Hacking: Hacking Web Applications
MP4 | AVC 421kbps | English | 1024x768 | 15fps | 4h 49mins | AAC stereo 81kbps | 667 MB
Genre: Video Training
The security profile of web applications is enormously important when it comes to protecting sensitive customer data, financial records, and reputation. Yet, web applications are frequently the target of malicious actors who seek to destroy these things by exploiting vulnerabilities in the software. Most attacks against web applications exploit well known vulnerabilities for which tried and tested defenses are already well-established. Learning these patterns - both those of the attacker and the defender - is essential for building the capabilities required to properly secure applications on the web today.

In this course, we'll look at a range of different security paradigms within web applications, both conceptually and in practice. They'll be broken down in detail, exploited, and then discussed in the context of how the attacks could have been prevented. This course is part of the Ethical Hacking Series.

Understanding Security in Web Applications
The State of Web Application Security
Understanding Web Application Security
Query Strings, Routing, and HTTP Verbs
The Discoverability of Client Security Constructs
Protections Offered by Browsers
What the Browser Can't Defend Against
What's Not Covered in This Course

Reconnaissance and Footprinting
Spidering with NetSparker
Forced Browsing with Burp Suite
Directory Traversal
Banner Grabbing with Wget
Server Fingerprinting with Nmap
Discovery of Development Artefacts with Acunetix
Discovery of Services via Generated Documentation
Discovering Framework Risks
Identifying Vulnerable Targets with Shodan

Tampering of Untrusted Data
OWASP and the Top 10 Web Application Security Risks
Understanding Untrusted Data
Parameter Tampering
Hidden Field Tampering
Mass Assignment Attacks
Cookie Poisoning
Insecure Direct Object References
Defending Against Tampering

Attacks Involving the Client
Reflected Cross Site Scripting (XSS)
Persistent Cross Site Scripting (XSS)
Defending Against XSS Attacks
Identifying XSS Risks and Evading Filters
Client Only Validation
Insufficient Transport Layer Security
Cross Site Request Forgery (CSRF)

Attacks Against Identity Management and Access Controls
Understanding Weaknesses in Identity Management
Identity Enumeration
Weaknesses in the 'Remember Me' Feature
Resources Missing Access Controls
Insufficient Access Controls
Privilege Elevation

Denial of Service Attacks
Understanding DoS
Exploiting Password Resets
Exploiting Account Lockouts
Distributed Denial of Service (DDoS)
Automating DDoS Attacks with LOIC
DDoS as a Service
Features at Risk of a DDoS Attack
Other DDoS Attacks and Mitigations

Other Attacks on the Server
Improper Error Handling
Understanding Salted Hashes
Insecure Cryptographic Storage
Unvalidated Redirects and Forwards
Exposed Exceptions Logs with ELMAH
Vulnerabilities in Web Services