In addition to taking the GSE lab exam at Network Security 2011, I also enrolled to take the Web Application Penetration Testing and Ethical Hacking course. It was a 6 day course taught by Kevin Johnson. Some portions were taught by Justin Searle. They are both great instructors.
My overall impression of the 6 days of this course is very positive. Kevin is an engaging instructor, who uses real-world examples to drive home important points. Like the rest of us, he sometimes veers off on tangents. I found these tangents entertaining!
What’s the most significant thing I learned from taking this course? First off, I came away with an awareness of some of the things that I still do not know. Second, I have a much better understanding of what good practice is when developing a web application. Third, I now know enough to be dangerous with testing, and I need to actually start using what I’ve learned.
Ok, so that was 3 things that I learned!
Here is a brief overview of what the course covered:
- The course starts at the beginning with a review of some basic web application and penetration testing concepts.
- The next day walks through gathering information about the organization and application (recon and mapping).
- The third day covers discovering vulnerabilities and weaknesses in the application (server-side discovery).
- Day 4 addresses vulnerabilities and weaknesses in the client-side piece of the application.
- Day 5 is where exploitation of the previously discovered vulnerabilities is taught.
- Finally, Day 6 is the culmination of the learning with a Capture The Flag exercise. This was done in an isolated network environment where we had to discover and exploit vulnerabilities in some common web applications. The goal was to find certain specific pieces of information – the “Flags”.
I highly recommend this course for anyone needing a better understanding of web applications and how to find vulnerabilities in them. Much of the class is spent learning how to use automated tools such as proxies, scripting, and injection/cross-site attacks. It is very hands-on.
Beyond just the technical aspects of the course, there are always people who enhance the learning. I found the folks sitting around me to be valuable contributors to my learning. Asking questions and working together to find answers is very beneficial. Thanks Kevin, Tim, Justin, Brian, Patrick, Craig, Richard and others.
Go to the conference. Take the class. You will enjoy it.
- Dan
