WAPT Training

Note: We are not authorised partners of any of these vendors

Web Application Penetration Testing


Web application security is the branch of information security that deals specifically with the security of websites, web applications and web services. At a high level it draws on the principles of application security but applies them to Internet and web systems. Web applications are typically built with languages and frameworks such as PHP, Java / Java EE, Python, Ruby, ASP.NET (C#, VB.NET) or Classic ASP.

In the race to deliver online services, many web applications have been developed and deployed with minimal attention to security risk, leaving a surprising number of corporate sites exposed to attackers. Prominent sites in regulated industries, including financial services, government, healthcare and retail, are probed daily; some banks have reported being probed as many as 50 times a day. The consequences of a breach are serious: lost revenue, damaged credibility, legal liability and loss of customer trust. Web applications carry out most of a site's core functions, including forms that collect personal, classified and confidential data such as medical history, credit card and bank account details, and customer feedback. Gartner has noted that almost 75 percent of attacks are tunnelled through web applications. Web application security is therefore a significant privacy and compliance concern, and one that remains largely unaddressed.

This course covers the basic concepts and terminology needed to understand application security issues. It defines application-level security and shows how its concerns extend beyond those of traditional infrastructure security. The course explains common application vulnerabilities such as SQL injection, Cross-Site Scripting (XSS) and authorization flaws, so that developers, QA testers and security personnel can recognise and address application-level threats.

Who Should Attend:

Security professionals, developers, project managers and quality assurance staff, and in particular programmers who want to design and develop secure applications and identify potential security vulnerabilities early in the development process.


Prerequisites:

Strong programming skills and a good knowledge of web technologies (C, HTML, Java/.NET or PHP is an added advantage)

Basic knowledge of web servers and web architecture

Basic knowledge of TCP/IP protocols


Duration: 5 Days

Course Outline:

Module-1: Introduction to Web Applications

Introduction to Web Applications

Types of Web Applications

Uses of Web Applications

Advantages and Disadvantages of Web Applications

Design Your First Web Application

Common Attacks on Web Applications

Module-2: Introduction to Databases

Introduction to Databases

Different Types of Databases

Uses of Databases

Advantages and Disadvantages of Databases

Connecting a Database to a Web Application

Common Attacks on Databases

Module-3: Basics of Web Application Programming





Module-4: OWASP Top 10 (2010 edition)

Injection (SQL Injection)

Cross-Site Scripting (XSS)

Broken Authentication & Session Management

Insecure Direct Object References

Cross-Site Request Forgery (CSRF)

Security Misconfiguration

Insecure Cryptographic Storage

Failure to Restrict URL Access

Insufficient Transport Layer Protection

Unvalidated Redirects and Forwards

Module-5: Applying the OWASP Top 10 to DVWA

Overview of DVWA (Damn Vulnerable Web Application)

Installation of DVWA

Performing WAPT on DVWA

Module-6: Applying the OWASP Top 10 to bWAPP

Introduction to bWAPP

Installation of bWAPP

Performing WAPT on bWAPP

Module-7: PHP & Java Injection

Introduction to PHP Injection

Introduction to Java Injection

Bypassing Authentication Using PHP & Java Injection

Injecting Malicious Scripts Using PHP & Java Injection

Module-8: CMS Hacking (Joomla, WordPress)

CMS Overview

Introduction to Joomla & WordPress

Installation and Configuration of Joomla & WordPress

Control Panel Handling in Joomla & WordPress

Your First Site in Joomla & WordPress

Exploiting Vulnerable Plugins in Joomla & WordPress


Module-9: Manual WAPT & Automation

Finding Vulnerabilities Using Search Engines

Finding Vulnerabilities Using Browser Add-ons & Plugins

Tools for Finding Vulnerabilities


Module-10: Web Scanners & Proxies (Hands-on Practice)

OWASP ZAP Proxy

BeEF (Browser Exploitation Framework)

Module-11: Sniffing & DNS/ARP Poisoning

Cain & Abel

NetworkMiner

Module-12: Web Server (Apache, IIS) Vulnerability Testing

Common Vulnerabilities in Web Servers

Tool-Based Testing

Manual Testing


Module-13: Documentation & Reporting