Web App Pen Testing Course - Week 1 Summary

Jul 24, 2024

Welcome and Introduction

  • Shalom and greetings to all participants!
  • Introduction of the course: Web App Pen Testing Course.
  • Acknowledgment of the active chat participants.

Course Overview

  • First lesson provides an overview and rules.

Instructor Background

  • Husband, military veteran, former accountant, now senior security engineer.
  • Owns a pen testing company called TCM Security.
  • Also involved with the Veteran SecComm community for military veterans in cybersecurity.

What Will Be Covered in This Course

  • Five Steps of Pen Testing:
    1. Information Gathering
    2. Scanning and Enumeration
    3. Exploitation
    4. Maintaining Access
    5. Cleanup
  • Emphasis on methodologies applicable across all pen testing types: web, network, wireless, etc.
  • Tools and topics to be covered include:
    • Burp Suite (including Pro version)
    • Nikto
    • Nmap
    • OWASP Top Ten vulnerabilities

Important Documentation and Resources

  • Course materials and resources will be provided.
  • Students are encouraged to participate in discussions and help each other.

Course Structure

  • Live lessons: Wednesdays at 8 PM (with some exceptions).
  • The session includes a Q&A (AMA) at the end.
  • Rules for the chat:
    • Be respectful.
    • No requests for illegal activities.

Resources and Tools

  • Juice Shop: A vulnerable web app for testing.
  • Mailing List: Allows for receiving homework and updates.
  • Discord Community: Over 2000 members to discuss and ask questions.

Five Steps of Hacking

  1. Reconnaissance:
    • Passive (gathering info without touching the target) vs. Active (interacting with the target).
    • Tools: Google, WHOIS, etc.
  2. Scanning and Enumeration:
    • Active scanning using tools like Burp Suite, Nmap, and Nikto.
  3. Gaining Access or Exploitation:
    • Running exploits to gain access.
  4. Maintaining Access:
    • Techniques to stay connected to the target systems.
  5. Cleanup:
    • Erasing traces to avoid detection.

Enumeration Basics

  • Important for gathering useful information for exploitation.
  • Recognizing the types of reconnaissance and what is needed.

Hands-On Demo

  • Demonstrating subdomain enumeration using Sublist3r and crt.sh.
  • Discussing the use of Burp Suite for intercepting traffic and testing the Juice Shop app.
  • Using Web Apps and APIs:
    • Best practices on using tools such as Burp Suite, Nikto, and others for scanning.
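
Added example (not from the course material): the passive side of the subdomain enumeration step, shown as a parser that turns certificate-transparency records into a deduplicated, in-scope hostname list. It assumes records shaped like crt.sh's JSON output with `common_name` and `name_value` fields; the sample data, the `example.test` domain and the function name are constructed for illustration.

```python
import json

# Constructed sample shaped like crt.sh JSON output; not real certificate data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "shop.example.test",
     "name_value": "shop.example.test\nwww.shop.example.test"},
    {"common_name": "*.example.test", "name_value": "*.example.test\nexample.test"},
    {"common_name": "API.Example.Test", "name_value": "API.Example.Test"},
    {"common_name": "mail.other.test", "name_value": "mail.other.test"},
    {"common_name": "notexample.test", "name_value": "notexample.test"},
    {"common_name": "admin@example.test", "name_value": "admin@example.test"},
])


def hostnames_from_ct(raw_json, domain):
    """Return (hosts, wildcards): sorted in-scope names found in CT records."""
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for record in json.loads(raw_json):
        # name_value holds one SAN entry per line; common_name may repeat one.
        names = (record.get("name_value") or "").split("\n")
        names.append(record.get("common_name") or "")
        for name in names:
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name or " " in name:
                continue  # skip blanks, e-mail SANs and non-hostname text
            is_wildcard = name.startswith("*.")
            base = name[2:] if is_wildcard else name
            # Scope check: the domain itself or a true subdomain,
            # never a look-alike that merely shares the suffix.
            if base != domain and not base.endswith("." + domain):
                continue
            (wildcards if is_wildcard else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = hostnames_from_ct(SAMPLE_CRTSH_JSON, "example.test")
    print("hostnames:", hosts)
    print("wildcards:", wildcards)
```

Wildcard entries are reported separately because they confirm a certificate exists for the zone but do not name a specific host.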

Conclusion

  • Encouragement to practice the methods covered in this session with Juice Shop.
  • Reminder about the importance of enumeration and understanding vulnerabilities.
  • Next week: Covering Cross-Site Scripting (XSS) and related challenges.

Q&A Session (AMA)

  • Open floor for questions regarding the presented material.
  • Strong emphasis on continuing education and practical experiences.
  • Participants are encouraged to share insights and strategies for studying.

Final Thoughts

  • Community engagement is vital; ask questions and interact with the group.
  • Bring your challenges, successes, and queries to the next AMA!

Important Notes

  • Stay ethical and use the course knowledge responsibly.
  • Continuous learning is encouraged throughout the course.
