Web Application Security Intermediate


The Web Application Security course helps participants understand the major web application flaws and how they are exploited, and teaches a proven process for locating these flaws consistently. The program's primary goal is to help security specialists understand the web application risks in their organization and learn how to conduct web application security assessments, mitigate the vulnerabilities found, and write technical reports.

Duration: 40 Hours

Target audience

  • Security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers

  • ThinkCyber Level-2 Courses

  • Discovering and mitigating website vulnerabilities
  • Using tools to automate your tasks
  • Securing web servers from attacks

Module 1 – Introduction to Web App security

In this module, students will learn the core concepts of web application security and the techniques and methods used by web application developers.

  • WebApp Basics
    o HTML
      ▪ Basic Tags
      ▪ Learning to Format
    o PHP
      ▪ Basic Syntax
      ▪ Defining Variables
    o Combining HTML and PHP
    o HTTP Response Codes
  • WebApp Concepts
    o Web Application Architecture
      ▪ Client, Server, and Database
      ▪ Fingerprinting Websites
      ▪ Robots.txt Structure
      ▪ Understanding Entry Points
    o Authentication Vulnerabilities
      ▪ Authentication vs. Authorization
      ▪ Role-Based Access Control
      ▪ Securing the Admin Interface
      ▪ Parameter Tampering
      ▪ SSL vs. TLS
      ▪ HTTPS Encryption
    o Session
      ▪ Management Techniques
      ▪ Cookies
      ▪ Long Session Timeout
    o File Handling
      ▪ Path Traversal
      ▪ Handling File Size and File Type
      ▪ Insecure File Extension Handling

Module 2 – Scanning and Analyzing

In this module, students will learn how to work with web application scanners and reconnaissance tools, review their reports, and understand the data they provide. They will also learn how to limit the leakage of sensitive data.

  • Scanning
    o Vulnerability Scanners
      ▪ Nikto
      ▪ Grabber
      ▪ Zed Attack Proxy
      ▪ SQLmap
      ▪ Wfuzz
      ▪ w3af
      ▪ Vega
      ▪ Wapiti
      ▪ Fierce
    o DNS Data Exfiltration
      ▪ dig
      ▪ DNSRecon
      ▪ DNSEnum
  • Analyzing
    o Directory Discovery
      ▪ DirBuster
      ▪ Dirb
    o Reconnaissance Tools
      ▪ theHarvester
      ▪ Whois and DMitry
      ▪ Maltego
      ▪ OSINT Framework

Module 3 – Exploitations and Vulnerabilities

During this module, students will learn about the most common vulnerabilities in web applications, how they can be exploited, and what impact they could have.

  • Understanding Code injection
    o XML External Entities (XXE)
    o Cross-Site Scripting (XSS)
    o Finding Exposed Sensitive Data
  • Abusing Security Misconfiguration
    o Broken Authentication
    o Bypassing Broken Access Control
    o Insecure Deserialization
    o Finding Components with Known Vulnerabilities
    o Insufficient Logging and Monitoring

Module 4 – Gaining Access

During this module, students will learn the basics of conducting tests on web applications to detect security holes either by brute-force or by exploiting a vulnerability.

  • Attacking Basics
    o Burp Suite Fundamentals
    o Firewall Detection
      ▪ wafw00f
      ▪ HTTP Headers
    o Brute-Forcing Login Pages
      ▪ Crafting Wordlists Using Cupp and Crunch
      ▪ Using Burp Suite and Hydra
    o SQL Database Attacks
      ▪ Union-Based Injection
      ▪ Blind Injection
      ▪ Burp Suite Automated SQL Attacks