The past few years were a sort of lull for me. While I’ve continued to read and review books, watch and listen to webcasts and podcasts and do my best to stay ‘fresh’ on the pentesting front, I’ve not had a good opportunity to squeeze in any more ‘structured’ training courses. Ever since completing the OSCE course by Offensive Security (OffSec), I’d been feeling good about much of my repertoire but had been itching to get some solid web courses under my belt. I had contemplated OffSec’s OSWE, but as it’s only offered at BlackHat, has no self-study options and because my work and personal life haven’t offered me time to go down that road, I’d been itching for other options. Enter the eLearnSecurity WAPTX online course.
Rewind the clock to a couple of months ago. I’ve long been familiar with eLearnSecurity, having previously reviewed the eCPPT certification training here at The Ethical Hacker Network (EH-Net) and discussing their various offerings with CEO and Founder, Armando Romeo. Each time I’ve looked at their materials in the past, I’ve been pleased with both the materials presented and the overall ‘bang for the buck’ that they’ve provided. Most recently, I’d been looking at the web application courses they offer, specifically Web Application Penetration Testing – WAPT and Web Application Penetration Testing Extreme – WAPTX. On the one hand I knew that eLearnSecurity was soon to be releasing an updated version of the WAPT course. But the subject matter and descriptions of the WAPTX were really intriguing to me, so I decided to go to the extreme (pun intended). Suffice it to say, I have been very happy with that decision. This course has been outstanding, and I’ve learned a TON from the material in these past two months! Let’s take an in-depth look.
Before I go into any specifics of the material itself, I need to confess that I’ve not yet attempted the eWPTX Certification exam. I’m still re-reviewing all of the material to ensure that I feel comfortable accepting the challenge. Also, I really want to compliment eLearnSecurity on the structure and delivery of the material. In their early days, with the ‘original’ eCPPT (which has also progressed in the newer revisions), while the material was excellent, I found myself wanting more. The formatting was good, but I often wished I had access to the materials and videos offline, so that I could take them with me on the road or when going to places where internet access wasn’t always readily available. I’d mentioned those things to Armando, although I’m certain they were already aware and that other students had wanted the same. I am very happy to say that has changed at least with regard to eLearnSecurity WAPTX.
Training is provided in various formats: slides are presented in Flash, HTML5 and PDF for downloading, and videos (also downloadable) accompany each section. This has been a great asset to the course as this past month, between heavy storms and other internet outages, it’s been great to be able to review the materials offline and on pretty much any of my devices. One minor issue I had was that on my iPhone I had issues with the mp4 format of the videos. However, in all honesty, I probably wouldn’t have been happy viewing on my phone anyway, so I really wasn’t overly concerned about that. If you have more issues or thoughts on how this material is viewed on various devices, please let us know in the comments.
Additionally, I’ve been very happy with the Hera Labs that are included with the course. Each section has corresponding labs that the student can work through in conjunction with the reading and videos. The labs are structured the same way as the videos progress in order for the student to see how each exploit works as well as to progress through finding new / other methods of exploiting the vulnerabilities, should the security team responsible for the target implement fixes for the initial flaws. It’s nice to not only SEE how these exploits can be accomplished, but also to PERFORM the exploits. Often, for me, that extra effort of “doing it for myself” helps me to digest the material better, so I appreciated the way this was done.
The only drawback I’ve found with regard to the labs so far is that they DO so closely match the videos. I know… I sound like I’m setting a double standard. In reality, the labs are excellent, and I have nothing bad to say about what’s there at all. On the contrary, they’ve done fantastic work with the course labs. However, personally, I might’ve liked having a few MORE labs beyond what was given, in order that I could be challenged to figure some things out for myself. I have found in my own experiences that sometimes being forced to figure something out entirely on my own (or with minimal guidance from the study materials) helps me to digest the concepts better. Also, my learning style is typically to read all materials and watch all videos once, before diving into any labs. Going in, had I known the labs so closely mimicked the videos, I might’ve waited to view them until AFTER at least attempting the labs once, so as not to come to the realization later that I’d already seen it all so closely in the videos. That’s my own experience though, so take that as you will as, again, what IS in the material is solid as it stands. Credit should also be given for the extra SQL labs they do include, whereby the student can try out various things on varying SQL platforms to learn how each responds to different methods. That is a very valuable lab by itself, as too often a student might lean on one DBMS or another and not have the opportunity to ‘try new things’ across each platform.
Details of eLearnSecurity WAPTX
Section 1 is a dive into encoding and filtering. For many pentesters, different encoding schemes might be familiar (Base64 comes to mind as a frequently seen standard). But in web application pentesting, very often the tester will find the need to use a variety of encoding types such as Unicode and Base36. I understand bases completely, but admittedly, Base36 threw me for a loop as it’s one I haven’t used very often in the past. Thanks to the inclusion of it in this course, I found myself practicing it for much of a couple afternoons just trying to ‘wake myself up’. Additionally, concepts like using multiple encoding methods on data were discussed in order to drive home the value of each type of encoding, depending on a specific example or usage scenario. This section then progressed into a good explanation of regex / filtering, detection and fingerprinting of Web Application Firewalls (WAFs), client-side filtering, browser add-ons and some ins and outs of specific browsers and their native mechanisms for filters. The final few slides were full of valuable reference hyperlinks for further self-study.
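The two ideas in that section that are easiest to get wrong in practice are arbitrary-base integer encoding (Base36 is just positional notation with 36 symbols) and stacked encodings, where a value is URL-encoded on top of an HTML entity on top of a JavaScript escape. The following Python is an added example, not material from the course or this review: it implements a generic base-2..36 encoder/decoder and a filter-side normaliser that decodes layer by layer until the value stops changing, so a pattern check runs against what the browser would eventually see rather than the outermost wrapping. The `decode_layers` and `looks_like_script` names and the five-round cap are assumptions chosen for the example.

```python
import html
import re
import string
import urllib.parse

# Symbol table for bases up to 36: 0-9 then a-z.
DIGITS = string.digits + string.ascii_lowercase

def int_to_base(n: int, base: int) -> str:
    """Encode a non-negative integer in any base from 2 to 36 (Base36 included)."""
    if not 2 <= base <= 36:
        raise ValueError("base must be in 2..36")
    if n < 0:
        raise ValueError("negative values not supported")
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, base)
        out.append(DIGITS[r])
    return "".join(reversed(out))

def base_to_int(s: str, base: int) -> int:
    """Inverse of int_to_base; Python's int() already understands bases up to 36."""
    return int(s.lower(), base)

_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")   # \u003c style
_IIS_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")   # %u003c style (non-standard)

def decode_layers(value: str, max_rounds: int = 5):
    """Peel URL, %uXXXX, \\uXXXX and HTML-entity layers until the value is stable.

    Returns (decoded_value, rounds_that_changed_something). The round cap is an
    assumption for the example; it stops pathological inputs from looping forever.
    """
    current = value
    for rounds in range(max_rounds):
        step = urllib.parse.unquote(current)
        step = _IIS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), step)
        step = _JS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), step)
        step = html.unescape(step)
        if step == current:
            return current, rounds
        current = step
    return current, max_rounds

def looks_like_script(value: str) -> bool:
    """Filter check applied to the fully decoded form, not the raw parameter."""
    decoded, _ = decode_layers(value)
    return "<script" in decoded.lower()

if __name__ == "__main__":
    # Constructed inputs: "<script>" wrapped as HTML entities, then URL-encoded twice.
    stacked = "%2526lt%253Bscript%2526gt%253B"
    print(int_to_base(255, 36), int_to_base(255, 2))
    print(decode_layers(stacked))
    print(looks_like_script(stacked), looks_like_script("hello"))
```

A filter that only URL-decodes once would pass the `stacked` value through untouched, which is exactly the gap multi-layer encoding exploits; normalising to a fixed point first removes that gap for the encodings the normaliser knows about, and anything it does not know about (Base36-packed payloads, custom schemes) is a reminder that output encoding at the sink, not input filtering alone, is the durable control.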
eLearnSecurity WAPTX – Screenshot
In Section 3, the student moves into Cross-Site Scripting (XSS). The student is introduced to this section with a bit of history / background into the origins of XSS and soon progresses into the main categories thereof: server-side and client-side XSS (noting that in the end, XSS affects the client only). Moving further into explanations, the four main types of XSS flaws and their differences are explained: Reflected, Persistent (Stored), DOM, and Universal. The discussion moves into actual XSS attacks such as cookie grabbing, defacements, phishing, keylogging, various network attacks (IP and subnet detection, ping sweeping and port scanning), and self-XSS (tricking the user into pasting URLs into their browsers). Examples of each are discussed as well as various security measures that different browsers employ in order to try to disallow or prevent various XSS attacks. The section concludes with a more recent technique called Mutation-based XSS, where the browsers, themselves, can actually allow a string in, then mutate it through their own built-in functions into something that is malicious (unintentionally) as a result. Quite an interesting technique and one that I’ll be spending some additional time researching, although I am not yet ‘in the know’ enough to truly understand how common this attack method is today.
Section 5 carried the study into Cross-Site Request Forgery. The authors did a great job explaining the ins and outs of cross-site requests, noting that in many instances there’s nothing malicious about them, but that if misused or abused, these vulnerabilities can definitely be devastating in that operations can be effected with the permissions of the target user without their awareness. The various attack vectors were explained such as forcing browsing with GET, weak token prediction and / or token stealing / reuse, among others.
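The three vectors named there (forced browsing with GET, predictable tokens, and stolen or replayed tokens) each correspond to one server-side check. The Python below is an added example and not code from the course: a small `CsrfGuard` that issues a per-request token consisting of a random nonce plus an HMAC binding that nonce to the session, verifies it in constant time, refuses a token presented for a different session, refuses reuse, and refuses state-changing requests that arrive as GET. The class name, the `transfer` handler and the in-memory used-nonce set are assumptions; a real deployment would keep used nonces in the session store with an expiry.

```python
import hashlib
import hmac
import secrets

class CsrfGuard:
    """Synchronizer-token pattern with per-request nonces bound to the session."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least a 256-bit key")
        self.key = key
        self.used = set()  # nonces already spent; in-memory for the example

    def _sign(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        """Token = random nonce . HMAC(session_id | nonce). Unpredictable without the key."""
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._sign(session_id, nonce)}"

    def verify(self, session_id: str, token: str) -> bool:
        """True exactly once per token, and only for the session it was issued to."""
        try:
            nonce, sig = token.split(".", 1)
        except ValueError:
            return False
        # Constant-time comparison; a mismatch covers tampering and cross-session use.
        if not hmac.compare_digest(self._sign(session_id, nonce), sig):
            return False
        if nonce in self.used:      # replay of a stolen or cached token
            return False
        self.used.add(nonce)
        return True

def transfer(guard: CsrfGuard, method: str, session_id: str, form: dict) -> str:
    """Hypothetical state-changing handler; returns a short outcome string."""
    if method.upper() != "POST":            # forced browsing via GET is rejected outright
        return "rejected:method"
    if not guard.verify(session_id, form.get("csrf_token", "")):
        return "rejected:token"
    return "ok"

if __name__ == "__main__":
    guard = CsrfGuard(secrets.token_bytes(32))   # constructed key for the demo
    tok = guard.issue("session-A")
    print(transfer(guard, "GET", "session-A", {"csrf_token": tok}))   # rejected:method
    print(transfer(guard, "POST", "session-A", {"csrf_token": tok}))  # ok
    print(transfer(guard, "POST", "session-A", {"csrf_token": tok}))  # rejected:token (reuse)
```

The token is never derived from anything an outsider can compute (user name, timestamp, sequence number), which is what closes the weak-prediction vector; binding it to the session is what makes a token lifted from one browser useless in another.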
The following section moved into a discussion about the good and bad of HTML5, most importantly the bad – that being the fact that with more features comes a larger attack surface. The section begins by explaining many of the newer features of HTML5, specifically semantics that web developers can employ in their applications such as media elements, form types and attributes. Examples are provided for how these might be utilized to evade XSS filtering, hijack sessions / access webstorage, gather data from end devices and accomplish various other nefarious deeds. <geek_thrill> My favorite topic from this section was the use of HTML5 web workers to perform brute force operations. I’d seen / heard some BlackHat presentations on the topic, but… It was really cool not only to learn more about them, but also to actually be able to use them in the labs and really see them at work for myself. Honestly, for me this was the icing on the cake for this course, as it was one of those things that really took me into something new! </geek_thrill>
Ok, stepping back from my ‘geek out’, the course moved on to SQL Injection (SQLi). This chapter is another one of those that really acted not only as a refresher, but also as a learning tool. While SQLi is a topic I understand, often I don’t get enough hands-on with it to really feel accomplished with it. I deal with SQL every day, but day-to-day SQL administration and exploiting a SQL database from the web are two very different things. This section began with a good informative introduction to SQLi then quickly moved into various classifications of techniques used in practice (INBAND, OUT-OF-BAND and INFERENCE) and what each classification would look like. For instance, the material explained that INFERENCE would often employ techniques like time-based queries, where a delay in response might indicate success (or lack thereof) of a query or presence of data. The student is introduced to methods for identifying the DBMS in use and how to enumerate data and structures present in the datastore as well as differences between the various types of DBMS (Oracle, MySQL, MS SQL, etc.). They explained second order SQLi (exploits are submitted in one DB request but triggered by another request) and how they can be difficult to detect. Finally, they explain that, with SQLi, the biggest security item for developers to note is: “NEVER trust user input.” As previously noted, the extra SQL labs were a great bonus here!
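To make the “NEVER trust user input” point and the INFERENCE classification concrete, here is an added Python example (not from the course or the labs) using an in-memory SQLite table. One lookup builds its SQL by string concatenation, so the input becomes part of the query grammar and a true versus false appended condition changes the result set, which is precisely the signal boolean inference relies on. The other passes the value as a bound parameter, so the same input is only ever compared as a literal string. The table contents and the `find_user_*` names are constructed for the example.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample data; nothing here comes from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def find_user_vulnerable(conn, name: str):
    """Deliberately flawed: the caller's string is spliced into the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name: str):
    """Parameterised: the driver sends the value separately from the query."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def inference_signal(conn, lookup, base: str) -> bool:
    """True when appending a true/false condition changes the row count.

    That difference is the observable a boolean-inference test looks for; a
    parameterised lookup gives the same (empty) answer either way.
    """
    rows_true = lookup(conn, base + "' AND '1'='1")
    rows_false = lookup(conn, base + "' AND '1'='2")
    return len(rows_true) != len(rows_false)

if __name__ == "__main__":
    db = build_db()
    print(find_user_vulnerable(db, "bob"))                 # [('bob', 'user')]
    print(find_user_safe(db, "bob"))                       # [('bob', 'user')]
    print(inference_signal(db, find_user_vulnerable, "bob"))  # True: injectable
    print(inference_signal(db, find_user_safe, "bob"))        # False: no grammar change
```

The safe version is not doing any escaping of its own; it simply never lets the value reach the parser as SQL, which is why parameterisation (or an ORM that uses it) is the fix to reach for before any filter or WAF rule.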
Section 8 deals with “SQLi: Filter Evasion and WAF Bypassing”. Similar to the way earlier sections progressed, this one builds on the previous section, flowing into use-case scenarios and various exploitation methods in order to progress and attack when supposed and / or assumed ‘fixes’ have been put in place. Here, the authors employ tricks such as abusing comments, utilizing built-in functions and operators, manipulating numbers and / or system variables, string obfuscation and concatenation, type conversion (and other tricks) in order to demonstrate that there are often ‘more than one way to skin a cat’. This was another of those sections that, while the main topic is one I’ve been familiar with for a long time, the course author brought new ideas to light for me. As I’ve often said, “In this field, there’s ALWAYS something to be learned.”
Finally, we reach Section 9 that deals with XML attacks. This topic is kind of ‘near and dear’ to me as one of the first 0-days I ever found in reference to web attacks was an XML attack. So I took plenty of time in this section, both as a review (because my past two employers have been HEAVY XML users) and to learn some more cool tricks. In this section, XML documents and entity types are discussed, XML Tag Injection attacks are explored, XSS attacks (by way of XML parser exploits or bypassing weak filters) are mentioned and the most dangerous XML Injection attacks of all, External Entity Injections, are discussed. External Entities are those which can be loaded from outside sources, completely unrelated to either the target user or the attacked website, and can be used to access sensitive data / content on a vulnerable host. Imagine if you will the consequences of an attacker having the ability to, as quoted directly from the course slide, “disclose local system files, play with network schemes, manipulate internal applications, and so forth.” Each of these attack vectors is analyzed and examined very clearly, so that the student can understand the subject matter well. Another section very well done.
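The practical defence against External Entity Injection is to refuse any document that declares a DTD or entities before the parser gets a chance to resolve them, which is how libraries such as defusedxml approach it. The Python below is an added example, not code from the course: it runs a lightweight pre-scan with the standard library's expat bindings, aborts on the first DOCTYPE or entity declaration (internal or external), and only then hands the text to ElementTree. The `UnsafeXML` exception, the helper names and the sample documents are constructed for the example; the external-entity sample points at a placeholder path.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

class UnsafeXML(Exception):
    """Raised when a document declares a DTD or entities."""

def scan(xml_text: str) -> None:
    """Abort on any DOCTYPE or entity declaration. Returns None if clean."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declared: {name!r}")

    # Signature: (name, is_parameter_entity, value, base, system_id, public_id, notation)
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        raise UnsafeXML(f"{kind} entity declared: {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Exceptions raised inside handlers propagate out of Parse().
    parser.Parse(xml_text, True)

def is_safe(xml_text: str) -> bool:
    try:
        scan(xml_text)
    except UnsafeXML:
        return False
    except xml.parsers.expat.ExpatError:
        return False          # malformed input is rejected as well
    return True

def safe_parse(xml_text: str) -> ET.Element:
    """Parse only after the pre-scan found no DTD; otherwise raise UnsafeXML."""
    scan(xml_text)
    return ET.fromstring(xml_text)

# Constructed samples for the demo.
BENIGN = "<doc><a>1</a><b>two</b></doc>"
EXTERNAL_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
    "<doc>&ext;</doc>"
)
INTERNAL_ENTITY = (
    '<!DOCTYPE doc [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    "<doc>&b;</doc>"
)

if __name__ == "__main__":
    print(is_safe(BENIGN), is_safe(EXTERNAL_ENTITY), is_safe(INTERNAL_ENTITY))
    print(safe_parse(BENIGN).find("a").text)
```

Rejecting the DTD outright is deliberately blunt: it also blocks internal entity expansion tricks and parameter entities without needing a rule for each, and almost no application data format legitimately needs a DTD from an untrusted sender. Where a DTD genuinely is required, the narrower option is to disable external entity resolution in the parser configuration and cap expansion, but that has to be done per parser and is easy to miss.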
Final Thoughts on eLearnSecurity WAPTX
As you can see eLearnSecurity WAPTX dives deep into a lot of different areas of web application penetration testing. The “Extreme” title is fitting, as it goes beyond the typical exploitation methods, building on them to enlighten the student and giving them the opportunity to take each attack beyond the basics. Students will better understand the how and why behind the underlying flaws, enabling them to continue to illuminate web application security weaknesses to a security team. This allows the student to make direct use of the knowledge from this course, so that they might correctly analyze and fix the problems, rather than applying the ‘quick fixes’ that only slow down, but don’t stop, a determined attacker.
eLearnSecurity has once again provided a great learning resource, and I’d encourage students to add this one to their list of considerations when selecting web app security training. It’s an affordable option with plans starting at just $899 (See All Plans and Pricing for eLearnSecurity WAPTX), and the entirety of the content is very well thought out. For those who may feel it’s perhaps too advanced, the updated eLearnSecurity WAPT v2 course would be well worth a look, as well. Perhaps I’ll add that one to my list for future studies, too – who knows? By the way, they have some great ‘launch’ discounts on that course right now as well.
Until my next review… Best wishes to you all and never stop learning!
Tim Everson, OSCE, OSCP, GPEN, C|EH AKA hayabusa is an avid pentester and security enthusiast / professional who has been involved in IT for nearly 20 years with mixed experiences in pretty much every sector of the industry from SMB to enterprise, manufacturing, education and government. He enjoys reviewing new books and courses to build his knowledgebase and challenge himself as well as to help others find appropriate learning to help them progress in the field. When he’s not tucked behind a computer screen, he’s an avid sport-bike enthusiast, a busy husband and dad, and has a passion for cartoon drawing and computer graphics / animation.