WEBVTT 0:00:09.560000 --> 0:00:14.380000 Hello everyone and welcome to the Advanced Web Application Penetration 0:00:14.380000 --> 0:00:18.500000 Testing course. In this video we're going to be getting started with the 0:00:18.500000 --> 0:00:22.860000 course overview or the introduction to the course and the objective for 0:00:22.860000 --> 0:00:27.640000 this video is to give you a high level overview of what we'll be covering 0:00:27.640000 --> 0:00:32.080000 in this course. So taking a look at some of the major topics as well as 0:00:32.080000 --> 0:00:36.640000 the learning outcomes and the prerequisites I'll also be laying down or 0:00:36.640000 --> 0:00:43.980000 sort of laying out the key objectives for this course in terms of at a 0:00:43.980000 --> 0:00:49.940000 macro level what you know how this course will be useful to you as a web 0:00:49.940000 --> 0:00:51.620000 application penetration tester. 0:00:51.620000 --> 0:00:56.440000 So this video is quite important because we'll be revisiting the learning 0:00:56.440000 --> 0:01:00.880000 objectives or the learning outcomes in the course summary video at the 0:01:00.880000 --> 0:01:04.060000 end of this course to actually see whether we covered everything. 0:01:04.060000 --> 0:01:09.300000 But with that being said let's you know go over or get some of the formalities 0:01:09.300000 --> 0:01:11.860000 out of the way. Who am I? 0:01:11.860000 --> 0:01:13.940000 My name is Alexis Ahmed. 0:01:13.940000 --> 0:01:18.420000 I am the offensive security instructor or red team instructor here at 0:01:18.420000 --> 0:01:23.380000 INE and I'm also a senior penetration tester and red team lead at Hack 0:01:23.380000 --> 0:01:30.440000 Exploit with more than 500 pen tests you know performed on web applications. 0:01:30.440000 --> 0:01:34.360000 So I have an extensive experience in traditional network pen testing as 0:01:34.360000 --> 0:01:40.300000 well as web application pen testing and so with this course as we'll actually 0:01:40.300000 --> 0:01:47.200000 explore shortly we are really looking to get an intro to what I would 0:01:47.200000 --> 0:01:52.040000 consider advanced penetration testing where at least in this course the 0:01:52.040000 --> 0:01:56.240000 focus is not going to be on any particular pen testing technique but more 0:01:56.240000 --> 0:02:04.260000 so explaining how you know or explaining at a deeper level what the penetration 0:02:04.260000 --> 0:02:08.800000 web application penetration testing methodology looks like the phase is 0:02:08.800000 --> 0:02:22.980000 involved and what a web example is to explain or to give you a better 0:02:22.980000 --> 0:02:26.820000 idea of what to expect and in that I'm going to be breaking down each 0:02:26.820000 --> 0:02:33.680000 phase that you're likely to go through and that's in essence that's going 0:02:33.680000 --> 0:02:34.880000 to be the starting point. 0:02:34.880000 --> 0:02:39.340000 So over here you can see I've listed out the major topics of this course 0:02:39.340000 --> 0:02:44.900000 and this is an overview that gives you an idea of the primary topics or 0:02:44.900000 --> 0:02:49.360000 categories within this course that sort of outline the subject matter 0:02:49.360000 --> 0:02:51.000000 will be covering. 0:02:51.000000 --> 0:02:54.040000 So we'll start off with the web application penetration testing methodology 0:02:54.040000 --> 0:02:58.600000 and that's fairly simple as I've already explained but more importantly 0:02:58.600000 --> 0:03:01.740000 we'll turn our attention to something that goes overlooked quite frequently 0:03:01.740000 --> 0:03:05.640000 and that is the process of planning a web application penetration test 0:03:05.640000 --> 0:03:10.600000 because again if you work in a team or you're a pen test team lead or 0:03:10.600000 --> 0:03:17.480000 a red team or whatever you're going to be dealing with you have an understanding 0:03:17.480000 --> 0:03:21.420000 of how to correctly plan a web application penetration test and as you 0:03:21.420000 --> 0:03:26.220000 can probably tell or you probably know a web app pen test can be quite 0:03:26.220000 --> 0:03:29.900000 complex or it can be quite simple and you need to know how to adapt more 0:03:29.900000 --> 0:03:34.100000 specifically when things get quite complex or you're dealing with you 0:03:34.100000 --> 0:03:39.380000 know quite a few or quite a lot of assets within scope or endpoints if 0:03:39.380000 --> 0:03:43.180000 you will. We'll then be exploring the pre-engagement phase so what you 0:03:43.180000 --> 0:03:46.940000 do before you actually get started with a web app pen test and again that'll 0:03:46.940000 --> 0:03:52.380000 go down to you know setting up systems or organizing the pen test for 0:03:52.380000 --> 0:03:56.280000 maximum efficiency because remember with pen tests you always have to 0:03:56.280000 --> 0:04:00.740000 factor in time that's one of the factors that again as a beginner you 0:04:00.740000 --> 0:04:04.660000 may not consider but as you begin working in the field you'll actually 0:04:04.660000 --> 0:04:07.160000 come to appreciate. 0:04:07.160000 --> 0:04:11.360000 We'll then be exploring some what you know I would call technical aspects 0:04:11.360000 --> 0:04:16.300000 or you know technical techniques if that made sense apologies for the 0:04:16.300000 --> 0:04:20.960000 double entendre there but we'll sort of revisit web application mapping 0:04:20.960000 --> 0:04:25.700000 and crawling and the objective here is to sort of understand how the professionals 0:04:25.700000 --> 0:04:30.420000 do it with regards to you know mapping a web application so understanding 0:04:30.420000 --> 0:04:40.460000 how it works or the various endpoints that a web proxy like burp suite 0:04:40.460000 --> 0:04:43.880000 or zap and more importantly we'll be taking a look at various plugins 0:04:43.880000 --> 0:04:47.780000 and automations that can make this process a whole lot faster and more 0:04:47.780000 --> 0:04:51.620000 efficient. We'll then be touching briefly on reconnaissance and how to 0:04:51.620000 --> 0:04:55.600000 again leverage multiple data sources to perform reconnaissance both passive 0:04:55.600000 --> 0:04:59.380000 and active and we'll finally touch on session security which I know is 0:04:59.380000 --> 0:05:03.300000 a bit of a technical you know we're actually exploring an actual vulnerability 0:05:03.300000 --> 0:05:07.280000 here but the reason we'll be covering it will be made will become apparent 0:05:07.280000 --> 0:05:12.440000 as we progress in this particular course all in all the objective of this 0:05:12.440000 --> 0:05:16.360000 course is to kick things off in this learning path and then as we progress 0:05:16.360000 --> 0:05:20.940000 with other courses you'll be introduced to advanced techniques so on and 0:05:20.940000 --> 0:05:25.320000 so forth but that's the overview and that then brings us to the learning 0:05:25.320000 --> 0:05:29.440000 outcomes or the learning objective so this is where I lay out at the beginning 0:05:29.440000 --> 0:05:34.140000 of the course what knowledge you will have and you know what you'll be 0:05:34.140000 --> 0:05:38.760000 able to do by the end of the course so firstly by the end of the course 0:05:38.760000 --> 0:05:41.920000 you'll have a solid understanding of the web application penetration testing 0:05:41.920000 --> 0:05:47.340000 methodology you'll also be able to plan and orchestrate a web application 0:05:47.340000 --> 0:05:50.740000 penetration test or I should say professional web application penetration 0:05:50.740000 --> 0:05:56.400000 test you'll be able to perform web web application reconnaissance which 0:05:56.400000 --> 0:06:00.640000 includes mapping to a certain extent but I'm going to treat mapping as 0:06:00.640000 --> 0:06:05.380000 its own learning outcome because that's have the ability to map a web 0:06:05.380000 --> 0:06:09.360000 application through techniques like crawling for example and you'll have 0:06:09.360000 --> 0:06:13.620000 a solid understanding of session management and security and again this 0:06:13.620000 --> 0:06:17.000000 will make sense if it's a bit too vague it'll make sense as you progress 0:06:17.000000 --> 0:06:22.580000 in this course now for the prerequisites so what do I expect you to know 0:06:22.580000 --> 0:06:26.280000 or what do I expect you you know to be able to do before you actually 0:06:26.280000 --> 0:06:30.380000 get started with this course well you know given that this is an advanced 0:06:30.380000 --> 0:06:34.700000 learning path and an advanced course I would assume that you have a good 0:06:34.700000 --> 0:06:39.880000 understanding of the web how it works and more specifically the HTTP protocol 0:06:39.880000 --> 0:06:43.940000 again diving into that a little bit you need to have an understanding 0:06:43.940000 --> 0:06:49.720000 of the various HTTP options headers etc what requests look like what responses 0:06:49.720000 --> 0:06:54.440000 look like how to modify requests analyze responses stuff like that and 0:06:54.440000 --> 0:06:59.300000 that brings us to the second prerequisite which is having a tacit or I 0:06:59.300000 --> 0:07:02.580000 should say a very good experience with web proxies like burp suite or 0:07:02.580000 --> 0:07:06.080000 zap because those are going to be you know arguably one of the most important 0:07:06.080000 --> 0:07:10.980000 tools that you utilize you know for web for web app testing also API pen 0:07:10.980000 --> 0:07:14.240000 testing and obviously given that you know you're generally going to be 0:07:14.240000 --> 0:07:18.440000 using Linux I would also recommend that you have a familiarity with Linux 0:07:18.440000 --> 0:07:22.780000 command line tools or how to use Linux which again by this point you probably 0:07:22.780000 --> 0:07:28.120000 already will have and finally you know don't want to take too much of 0:07:28.120000 --> 0:07:31.220000 your time here I really want to get started the course but before we do 0:07:31.220000 --> 0:07:35.180000 that I actually want to outline the primary objectives for this course 0:07:35.180000 --> 0:07:39.400000 and this is again I said a little bit abstract you know to give you a 0:07:39.400000 --> 0:07:42.900000 macro view of you know what you're really going to get out of this course 0:07:42.900000 --> 0:07:47.700000 if you extrapolate it over a period of two years so the primary objective 0:07:47.700000 --> 0:07:51.740000 of this course is to be process of planning orchestrating and managing 0:07:51.740000 --> 0:07:56.200000 a professional web application security assessment or a web application 0:07:56.200000 --> 0:08:00.760000 penetration test and this course seeks to demonstrate how to professionally 0:08:00.760000 --> 0:08:05.040000 plan and orchestrate a web application penetration test and you're also 0:08:05.040000 --> 0:08:08.440000 and this is very important you'll also learn how to streamline your activities 0:08:08.440000 --> 0:08:12.780000 you know within a pen test and improve the efficiency of your pen test 0:08:12.780000 --> 0:08:17.340000 while maintaining the technical accuracy and rigor so I'll show you how 0:08:17.340000 --> 0:08:22.380000 to become more efficient without sacrificing you know your rigor or the 0:08:22.380000 --> 0:08:28.940000 the thoroughness of the pen test as well as again maintaining the technical 0:08:28.940000 --> 0:08:33.440000 accuracy so not actually sacrificing on the quality of a report or your 0:08:33.440000 --> 0:08:38.440000 findings and that's quite important so I'm really excited to get started 0:08:38.440000 --> 0:08:42.600000 with this course and with that being said that's going to be it for this 0:08:42.600000 --> 0:08:45.820000 video and I'll see you in the first video in the course.