WEB 200 Syllabus

Web Attacks with Kali Linux (OSWA) Syllabus

Learning Module: Introduction to WEB 200

  Learning Unit: Secrets of Success with WEB 200
    ● Understand some of the general concepts surrounding application security
    ● Recognize the unique mindset of a successful application security professional
    ● Understand the pillars of prerequisite knowledge for application security

  Learning Unit: Introduction to Security Concepts
    ● Understand the CIA triad and what it means
    ● Understand other key terms and unique traits of this field
    ● Understand the basic tools available to students

  Learning Unit: Getting Started With WEB 200
    ● Understand the basic tools available to students
    ● Understand how to be "hands-on" with the material
    ● Understand how to connect to the VPN

Learning Module: Tools

  Learning Unit: Getting Started
    ● Learn how to edit the /etc/hosts file
    ● Understand how to test and confirm that our hosts file changes are working
    ● Develop a basic understanding of proxies

  Learning Unit: Burp Suite
    ● Learn how to leverage Burp Suite's built-in browser
    ● Understand how to work fluently with the Proxy tab and Intercept functionality
    ● Understand how to use both Repeater and Intruder

  Learning Unit: Nmap
    ● Understand how to execute an Nmap NSE script
    ● Learn how to scan a specific port

  Learning Unit: Wordlists
    ● Develop an understanding of the wordlist concept
    ● Understand how we attempt to select the best wordlist for our scenario
    ● Learn the basics needed to construct our own wordlist

  Learning Unit: Gobuster
    ● Learn about Retrieval Practice
    ● Understand Spaced Practice

  Learning Unit: Wfuzz
    ● Learn how to discover files using Wfuzz
    ● Discover how to find directories with Wfuzz
    ● Understand how to discover parameters with Wfuzz
    ● Learn how to leverage Wfuzz to fuzz parameters
    ● Develop the skills to fuzz POST data using Wfuzz

  Learning Unit: Hakrawler
    ● Learn what a crawling or spidering tool is
    ● Understand how hakrawler works with https://archive.org (The Wayback Machine) to gather its results

  Learning Unit: Shells
    ● Learn how to determine the specific web technology of a web application
    ● Understand how to choose the correct shell (matching the web technology)

Learning Module: Cross-Site Scripting Introduction and Discovery

  Learning Unit: Introduction to the Sandbox
    ● Understand how to use the custom sandbox

  Learning Unit: JavaScript Basics for Offensive Uses
    ● Understand fundamentals of JavaScript
    ● Read and understand basic JavaScript code
    ● Use JavaScript APIs to exfiltrate data

  Learning Unit: Cross-Site Scripting - Discovery
    ● Understand the different types of XSS
    ● Exploit reflected server XSS
    ● Exploit stored server XSS
    ● Exploit reflected client XSS
    ● Exploit stored client XSS

Learning Module: Cross-Site Scripting Exploitation and Case Study

  Learning Unit: Cross-Site Scripting - Exploitation
    ● Cross-Site Scripting - Exploitation
    ● Case Study: Shopizer Reflected XSS

  Learning Unit: Case Study: Shopizer Reflected XSS
    ● Discover an XSS vulnerability in Shopizer
    ● Create advanced payloads to load external JavaScript resources
    ● Discover application-specific attack vectors
    ● Exploit a Shopizer user using application-specific attacks

Learning Module: Cross-Origin Attacks

  Learning Unit: Same-Origin Policy
    ● Understand what an origin is
    ● Understand the Same-Origin Policy and how it interacts with cross-origin requests

  Learning Unit: Penetration Testing Reports

  Learning Unit: SameSite Cookies
    ● Understand the concept of cross-origin requests
    ● Understand the SameSite attribute and its three possible settings

  Learning Unit: Cross-Site Request Forgery (CSRF)
    ● Construct an Executive Summary
    ● Understand how to identify cross-site request forgery vulnerabilities
    ● Understand how to exploit cross-site request forgery vulnerabilities

  Learning Unit: Case Study: Apache OFBiz
    ● Discover a CSRF vulnerability in a real-world web application
    ● Exploit a CSRF vulnerability to create a new user
    ● Use JavaScript to chain multiple CSRF requests
    ● Understand how the SameSite attribute influences different versions of CSRF attacks

  Learning Unit: Cross-Origin Resource Sharing (CORS)
    ● Understand the concept of CORS
    ● Understand the common headers found on CORS requests
    ● Understand the common headers found on CORS responses

  Learning Unit: Exploiting Weak CORS Policies
    ● Understand how to identify CORS response headers
    ● Understand how CORS policies that trust arbitrary origins can be exploited
    ● Understand how CORS policies that implement incomplete allowlists can be exploited

Learning Module: Introduction to SQL

  Learning Unit: SQL Overview
    ● Understand the basic syntax of SQL
    ● Understand how to retrieve data from a table

  Learning Unit: Enumerating MySQL Databases
    ● Understand how to identify the version of a MySQL database
    ● Understand how to identify the schemas within a MySQL database
    ● Understand how to identify the tables within a schema in a MySQL database
    ● Understand how to identify the column names and data types in a table in a MySQL database

  Learning Unit: Enumerating Microsoft SQL Server Databases
    ● Understand how to identify the version of a SQL Server database
    ● Understand how to identify the current user of a SQL Server database
    ● Understand how to identify the databases within a SQL Server instance
    ● Understand how to identify the tables within a database in a SQL Server instance
    ● Understand how to identify the column names and data types in a table in a SQL Server database

  Learning Unit: Enumerating PostgreSQL Databases
    ● Understand how to identify the version of a PostgreSQL database
    ● Understand how to identify the current user of a PostgreSQL database
    ● Understand how to identify the schemas within a PostgreSQL database
    ● Understand how to identify the tables within a schema in a PostgreSQL database
    ● Understand how to identify the column names and data types in a table in a PostgreSQL database

  Learning Unit: Enumerating Oracle Databases
    ● Understand how to identify the version of an Oracle database
    ● Understand how to identify the current user of an Oracle database
    ● Understand how to identify other users or schemas in an Oracle database
    ● Understand how to identify the tables within a schema in an Oracle database
    ● Understand how to identify the column names and data types in a table in an Oracle database

Learning Module: SQL Injection

  Learning Unit: Introduction to SQL Injection
    ● Understand the concept of SQL injection
    ● Understand how the OR operator can modify the results of a SQL query

  Learning Unit: Testing for SQL Injection
    ● Understand how to test web applications to identify SQL injection vulnerabilities
    ● Understand the basics of where injection points may occur in SQL queries
    ● Understand how to use fuzzing tools to identify SQL injection vulnerabilities

  Learning Unit: Exploiting SQL Injection
    ● Understand how to build and use error-based payloads
    ● Understand how to build and use UNION-based payloads
    ● Understand how to use stacked queries
    ● Understand how to use SQL injection to read and write files
    ● Understand the basics of remote code execution in Microsoft SQL Server

  Learning Unit: Database Dumping with Automated Tools
    ● Understand how to use sqlmap to identify SQL injection vulnerabilities
    ● Understand how to use sqlmap to obtain a basic OS shell
    ● Understand how to use sqlmap to create a web shell

  Learning Unit: Case Study: Error-based SQLi in Piwigo
    ● Discover the parameter vulnerable to SQL injection
    ● Craft an error-based payload to extract information from the database

Learning Module: Directory Traversal Attacks

  Learning Unit: Directory Traversal Overview
    ● Understand and work with the results of a vulnerability scan with Nessus
    ● Provide credentials to perform an authenticated vulnerability scan
    ● Gain a basic understanding of Nessus plugins

  Learning Unit: Understanding Suggestive Parameters
    ● Understand the basics of the Nmap Scripting Engine (NSE)
    ● Perform a lightweight vulnerability scan with Nmap
    ● Work with custom NSE scripts

  Learning Unit: Relative vs. Absolute Pathing
    ● Understand what a traversal string is
    ● Understand the basics of relative pathing
    ● Understand the basics of absolute pathing

  Learning Unit: Directory Listing
    ● Understand what a directory listing is
    ● Understand how to analyze a web application's parameter for directory listing
    ● Understand what successful exploitation of directory listings looks like

  Learning Unit: Directory Traversal Sandbox
    ● Understand how to successfully exploit directory traversal
    ● Understand how to implement wordlists/payload lists
    ● Understand how to fuzz a potentially vulnerable parameter with Wfuzz

  Learning Unit: Case Study: Home Assistant
    ● Understand how our case study of Home Assistant would initially be assessed
    ● Understand how to exploit this real-world case study
    ● Understand how to find and discover the documentation for a web application

Learning Module: XML External Entities

  Learning Unit: Introduction to XML
    ● Understand the basic syntax of XML
    ● Understand the basic concepts of XML entities

  Learning Unit: Understanding XML External Entity Processing Vulnerabilities
    ● Understand the basic concepts of XML External Entity injection

  Learning Unit: Testing for XXE
    ● Understand how to test for XXE injection vulnerabilities
    ● Learn several techniques for exfiltrating data using XXE vulnerabilities

  Learning Unit: Case Study: Apache OFBiz XXE Vulnerability
    ● Identify an XXE vulnerability
    ● Exploit an XXE vulnerability to exfiltrate data
    ● Use an error-based XXE payload to exfiltrate data
    ● Use an out-of-band XXE payload to exfiltrate data

Learning Module: Server-side Template Injection - Discovery and Exploitation

  Learning Unit: Templating Engines
    ● Understand the purpose of templating engines
    ● Understand the difference between statements and expressions
    ● Understand the level of logic a templating engine can have and how it impacts security

  Learning Unit: Twig - Discovery and Exploitation
    ● Understand the basic syntax of Twig
    ● Understand how to discover a Twig template in a black-box scenario
    ● Understand how to reach RCE with a Twig template

  Learning Unit: Apache Freemarker - Discovery and Exploitation
    ● Understand the basic syntax of Freemarker
    ● Understand how to discover a Freemarker template in a black-box scenario
    ● Understand how to reach RCE with a Freemarker template

  Learning Unit: Pug - Discovery and Exploitation
    ● Understand the basic syntax of Pug
    ● Understand how to discover a Pug template in a black-box scenario
    ● Understand how to reach RCE with a Pug template

  Learning Unit: Jinja - Discovery and Exploitation
    ● Understand the basic syntax of Jinja
    ● Understand how to discover a Jinja template in a black-box scenario

  Learning Unit: Mustache and Handlebars - Discovery and Exploitation
    ● Understand the basic syntax of Mustache and Handlebars
    ● Understand how to discover a Handlebars template in a black-box scenario
    ● Understand how to read files on remote servers using a Handlebars template

  Learning Unit: Halo - Case Study
    ● Understand the Halo application
    ● Discover the template injection and the templating engine used on Halo
    ● Exploit the template injection in the Halo application

  Learning Unit: Craft CMS with Sprout Forms - Case Study
    ● Enumerate the target application
    ● Discover the template injection and the templating engine used in Craft CMS and the Sprout Forms plugin
    ● Exploit the template injection in the application

Learning Module: Command Injection

  Learning Unit: Discovery of Command Injection
    ● Understand common command injection scenarios
    ● Understand how to discover command injection
    ● Understand why we execute the id or whoami commands first
    ● Understand how we chain commands together and why

  Learning Unit: Dealing with Common Protections
    ● Understand what we mean by input normalization
    ● Understand typical means of input sanitization and how we can bypass them
    ● Understand what blind OS command injection is and how we can work with it

  Learning Unit: Enumeration & Exploitation
    ● Understand common enumeration techniques for various capabilities
    ● Understand how to retrieve a shell with Netcat
    ● Understand how to retrieve a shell with Python
    ● Understand how to retrieve a shell with PHP
    ● Understand how to retrieve a shell with Perl
    ● Understand how to retrieve a shell with Node.js
    ● Understand how a couple of reverse shell one-liners accomplish what they do in various languages
    ● Understand how to transfer files using command injection

  Learning Unit: Case Study - OpenNetAdmin (ONA)
    ● Understand how we discover the command injection in OpenNetAdmin
    ● Understand how we exploit the command injection in OpenNetAdmin

Learning Module: Server-side Request Forgery

  Learning Unit: Introduction to SSRF
    ● Understand the concept of Server-Side Request Forgery
    ● Understand how SSRF can interact with the loopback interface
    ● Understand how SSRF can interact with back-end systems
    ● Understand how SSRF can interact with private IP ranges

  Learning Unit: Testing for SSRF
    ● Understand where SSRF vulnerabilities are likely to occur
    ● Understand how to test for SSRF
    ● Understand how to verify SSRF vulnerabilities

  Learning Unit: Exploiting SSRF
    ● Understand how to exploit SSRF to retrieve data
    ● Understand the limitations of SSRF
    ● Understand how SSRF can be exploited in cloud environments
    ● Become familiar with alternative URI schemes and how they can be used with SSRF

  Learning Unit: Case Study: Group Office
    ● Discover the SSRF vulnerabilities
    ● Exploit the SSRF vulnerabilities

Learning Module: Insecure Direct Object Referencing

  Learning Unit: Introduction to IDOR
    ● Develop an understanding of static file IDOR findings
    ● Learn about database object referencing (ID-based) IDOR

  Learning Unit: Exploiting IDOR in the Sandbox
    ● Understand how to exploit static file IDOR
    ● Learn more about exploiting ID-based IDOR
    ● Discover how to exploit more complex IDOR

  Learning Unit: Case Study: OpenEMR
    ● Learn how to approach IDOR from a black-box perspective
    ● Understand how to discover the vulnerability
    ● Develop our knowledge of OpenEMR IDOR exploitation

Learning Module: Assembling the Pieces: Web Application Assessment Breakdown

  Learning Unit: Web Application Enumeration
    ● Understand how to perform basic host enumeration
    ● Learn how to conduct OS detection
    ● Develop a working knowledge of content discovery

  Learning Unit: Authentication Bypass
    ● Discover a directory traversal vulnerability
    ● Exploit the directory traversal and obtain the application config file
    ● Access the admin portion of the web application

  Learning Unit: Remote Code Execution
    ● Discover a SQL injection vulnerability
    ● Exploit the SQL injection vulnerability to obtain remote code execution
    ● Gain shell access to the server

WEB 200 - Copyright ©2023 OffSec Ltd. All rights reserved.