As security testers and ethical hackers, we are all looking for a better and more efficient way to infiltrate our clients’ target networks. For some time now, breaching an organization from the external-facing network has been much more difficult, as security has been more tightly controlled. Next Generation Firewalls (NGFW), Intrusion Detection/Prevention Systems (IDS/IPS), Demilitarized Zones (DMZ), and other implementations of layered security have become increasingly prevalent in security-conscious organizations. As the defense has adapted, so has the offense. Both the good and the bad guys alike have turned more attention towards attacking weak web applications and are finding that these websites are the gateways into the network of the target organization. To keep up with this trend and to provide the required knowledge and skills to those responsible for testing web security, new courses have arisen with a focus on web applications. Enter eLearnSecurity Web Application Penetration Testing (WAPT), a new course by the provider of online security training.
EH-Net Exclusive 10% discount with code: WAPT-10P3M
Expires August 31st 11.59 PM PST
Most high-profile attacks in the news these days happened because web and cloud usage is not only skyrocketing but has also become the low-hanging fruit in many organizations. Web vulnerabilities may lead to information disclosure, session hijacking, stolen sensitive information, and even system compromise. Is your organization ready to handle these types of attacks? Do you have newer employees that need to get up to speed with their co-workers? Are you a seasoned professional looking to keep up with the latest attack trends? Stick with us after the break as we take an extensive look into the latest online course and certification for web application security.
Introduction to eLearnSecurity Web Application Penetration Testing (WAPT)
The eLearnSecurity (eLS) Web Application Penetration Testing (WAPT) course is designed to provide the student with direct, to-the-point information about attacking web applications. The syllabus and course content topics include Cross-Site Scripting, Session Hijacking, SQL Injection, and even newer technology such as HTML5. Taken directly from eLS, the training course “provides all the necessary advanced skills to carry out a thorough and professional penetration test against modern web applications.” The course is not designed to provide just theory with no practicality – in fact, just the opposite is true. This course gives the student practical knowledge and skills, with easy-to-understand diagrams, code examples, and techniques to get up and running with web penetration testing immediately. A handful of different tools are examined and used throughout the course with a few examples including Burp Suite, SQLMap, BeEF, W3AF, and DirBuster. If the student has never used any of these tools before, he will quickly become familiar with how and when to use them properly. There are not only plenty of discussions and use cases for these tools within the course, but also multiple instructional videos walk the student through using them in a clear and concise manner.
A practical web application penetration testing course wouldn’t be complete without some sort of hands-on hacking – and WAPT is no exception! The labs, called “Coliseum,” include guides with step-by-step instruction and a virtual environment that can be started, stopped, and reset by the student at any time. Each lab exercise is contained within its own sandboxed environment, and the unique URL is generated and provided to the student upon startup. This is where you’ll get to practice against live targets while being guided on how to configure and use the testing tools. In addition to the guided labs, there are a variety of “challenge” labs. The challenge labs are where the student can really put his skills to the test. Most challenges contain a “trophy” that the student must find by performing real-world attacks against the target web application. If the student gets stuck, fear not! There is a helper named Cicero that can provide tips to help solve the challenge.
And lastly, the course ends with an attempt at earning the eLearnSecurity Web Application Penetration Tester (eWPT) certification. The student will be required to attack a real-world web application by connecting to the eLS VPN lab environment. Knowledge on the OWASP Top 10, Cross-Site Scripting, SQL Injection, and other techniques learned throughout the course will be put to the test. At the end of the technical assessment the student must write a report based on the findings of the assessment and provide that to eLS for grading as part of the certification exam. If the candidate has completed everything and successfully passed the exam, the eWPT designation will be earned.
Package deals are available that include the WAPT course, 60 hours of access to Coliseum WAPT and the eWPT exam for $899 USD. Other packages are available that can add time to your labs or include other lab environments. The largest bundle they currently have is for $1398 (normally $1598) that includes WAPT + Coliseum WAPT(60H) + eWPT + Professional v2 + Hera (30H) + eCPPT.
So now that everyone knows what to expect from the eLearnSecurity Web Application Penetration Testing course, let’s dig a little further into my personal experience. I’ll share some of my thoughts and feedback about the course. Rather than spoil the course for you by walking through each individual module (there are thirteen by the way), I’m going to pick bits and pieces from several of them that I really enjoyed or think should be highlighted here, as well as make some general comments about the course. First, let me provide the quick list of modules for those now wondering what’s included but haven’t gone to the eLS website yet:
- Penetration Testing
- Information Gathering
- Cross-Site Scripting
- SQL Injections
- Session Security
- Flash Security and Attacks
- HTML5 and New Frontiers
- Common Vulnerabilities
- Web Services
- XPath Injection
- VA and Exploitation Tools
eLS WAPT – Courseware Screenshot 1
One of my favorite modules from WAPT, and this may seem strange considering what this course is really focused on, was Module 2, Penetration Testing. The reason is that people who are looking to take these skills and use them professionally really need to have a grasp on the “business” aspect of things – not just the technical. There are many great technical courses out there about security testing and penetration testing, but scoping the engagement, setting up the rules, and reporting are often overlooked topics, yet more important than the testing itself. The eLS team does a great job in this module of hammering home some of the important pieces of conducting a professional penetration test. The student needs to understand that the audience for their deliverables (the report) may not always be technical (and often is not). When you present your findings to a C-level executive, they aren’t often interested in the fact that you found a cross-site scripting vulnerability in their helpdesk application or a SQL injection vulnerability in their HR/personnel management software. They want to know what the business impact and risk to the organization is. It is your job as the security tester to be able to put your findings into terms they will understand. While this is obviously not a technical module, it is fundamental for anyone wanting to do penetration testing professionally, and I think this course module does a great job introducing this to the student.
Now that the “boring” part is out of the way, let’s talk about some of the more fun modules. The Introduction module is just as you’d expect – introductory explanations about the web, HTTP traffic, cookies, and sessions among other things. This is also where the student is first introduced to what is sure to become one of their favorite web app testing tools – Burp Suite (http://portswigger.net/burp/). For those of you not familiar with Burp Suite, it is “an integrated platform for performing security testing.” A little vague, isn’t it? More accurately, Burp is a web proxy that allows you to intercept web traffic between your browser and the application. You have the ability to manipulate traffic, inject new data, or replay web requests such as POST and GET. There are many more powerful features as well, but I’ll leave you to explore that on your own. This module will get you running with Burp by walking you through its configuration and providing a nice video tutorial as well.
Modules 4 and 5 (Cross-Site Scripting and SQL Injection) walk you through each of the respective attack vectors from basic attacks to more advanced attacks. Again, if these concepts are foreign to you, the training material does a great job of explaining the attacks, using diagrams where necessary, and providing step-by-step instruction and code examples for you to follow along. Various techniques for each topic are discussed in detail such as reflected vs. persistent cross-site scripting and standard SQL injection vs. blind SQL injection. Most importantly, what type of data you can potentially gain access to is highlighted. There are multiple labs associated with these modules as well – not just the guided labs. You’ll also find some challenges around both cross-site scripting and SQL injection. One thing that I don’t believe is explained anywhere is the use of an icon like this in the upper-right of the presentation:
eLS WAPT – Lab Icon
What this is pointing you to is the existence of a lab within Coliseum (and the associated ID number). One suggested enhancement to the course here could be to have these icons actually be ‘live’ and link you directly to the lab.
I also want to highlight Modules 9 and 10 (HTML 5 and Common Vulnerabilities). The former is important, because it starts discussing the future of the web and, inherently, the future of web security testing. Many new objects and capabilities are available to developers within HTML5, including LocalStorage and SessionStorage, along with the HTTP access control headers known as Cross-Origin Resource Sharing (CORS). These are all interesting topics in their own right, and eLS digs into each, explaining what they are, how they are used, and the potential security flaws associated with them. The Common Vulnerabilities module includes a bunch of different attack techniques and vectors such as path traversal, file uploads, and HTTP response splitting. Each includes well-done explanations with code samples and diagrams.
eLS WAPT – Courseware Screenshot 2
Overall I really enjoyed the course. The content is well developed, well thought out, and the instruction is definitely top notch. I have not taken a web app penetration testing course before this one, so I didn’t have any extravagant expectations for a web testing course. For some quick background, I started building web sites using basic HTML4 which then became XHTML. I started on that route around 14 years ago. Soon after, I jumped into PHP, because I wanted to build dynamic sites. This really enabled me to quickly grasp the concepts of various security vulnerabilities that I had heard about at the time but didn’t fully understand (such as SQL injection). Since then, I’ve come a long way and have done web app testing in my professional career. I’ve also set up numerous test labs and have even written a review of a webapp product right here on EH-Net. That all said, here are a few of the things that I’ve commonly seen and, in turn, what I expect to see in an entry-to-intermediate level course (in no particular order):
- Cross-Site Scripting
- Code Injection
- Authentication Attacks
- Session Attacks
- File Inclusion
I’m happy to say that each of those was discussed in the WAPT course. Obviously, much more was included and talked about in great levels of detail as well. I would strongly recommend this course for those who are new to web application penetration testing. At the intermediate level, I believe this course will also have some benefits for you as well and will definitely help reinforce many core attack techniques. If you’re a heavily experienced web app tester, this particular course is probably not for you. Personally, I never refer to myself as an expert or say that I have an advanced level of skill at anything, and I definitely have some great takeaways from this course. If you have an interest in learning this stuff, this is the place.
I’ve talked a little about the labs, but let’s take a closer look. The labs, called Coliseum, are split up into two parts: guided and challenges. When you first open up the control panel for the labs, you’re given a brief overview of the system and the time remaining in your subscription. Each lab is considered a Battle within a sandboxed virtual environment, an Arena (following the theme here?). The guided labs are broken down by attack vector. For example, there are labs around cross-site scripting, SQL injection, web services, session attacks, and others. Each lab has an ID number associated with it (recall this is shown in the course content as displayed in the image above), a name (e.g., PersistentXSS.1), and a topic (which is slightly more descriptive of the attack used in the lab – e.g., persistent XSS). You have the ability to power on, reset, or destroy each Arena on-demand. A lab manual accompanies each lab and provides the scenario, objectives of the lab, tools used, learning objectives, and the appropriate steps to follow to successfully complete the lab. As is typical eLS fashion, everything is explained step-by-step in a very easy to follow manner with screenshots included.
The challenges, however, are slightly different. The concept with the Battles and Arenas is still the same, though it is laid out slightly differently. Each challenge has an associated ID (“code”), challenge name, level of difficulty (easy, medium, hard), and the type of vulnerabilities present (XSS, SQL injection). When you start a challenge you are taken to a new page, where you can review your Battle Orders and then Commence the Battle. The Battle Orders are similar to the lab manual, providing the scenario, challenge objectives, a recommended list of tools to use, learning objectives, and any trophies hidden within the challenge. Beyond that, you are on your own to attack the target application and identify the trophy. There are multiple options to seek help through the challenge Battles. There is a quick Help guide available that explains how the system and challenges work and where to go for support. If tech support is currently available, you can open a chat window for live support – unknown whether they will provide any additional challenge hints though.
Lastly, there is Cicero, “a Roman philosopher, his wisdom will help anyone who is struggling to reach the objective.” If you really get stuck, you can “ask” your friendly neighborhood philosopher for a hint on the challenge objectives. Once you have obtained the trophy, you can return to the main Arena page and click the trophy icon to enter it. You then have the option to share your trophy through social media (Facebook). Beyond that, I don’t believe there is anywhere that tracks your trophies. I think another suggested enhancement would be to give you points or credits for each trophy successfully found. If nothing else, you could compete with friends (“I have 45 points, how many do you have?”). The Challenges labs should probably also track which challenges you’ve successfully completed as this feature isn’t implemented as of this review.
As of writing this review I have not yet taken the eLearnSecurity Web Application Penetration Tester Certification (eWPT) exam, so unfortunately I cannot share my experience. To put all of the information in one place though, here is an excerpt from the eLS website detailing exam information:
“By Obtaining the eWPT, your skills in the following areas will be assessed and certified:
- Penetration testing processes and methodologies
- Web application analysis and inspection
- OSINT and information gathering techniques
- Vulnerability assessment of web applications
- OWASP Top 10 2013 / OWASP Testing Guide
- Manual exploitation of XSS, SQLi, Web Services, HTML5, LFI/RFI
- Exploit development for web environments
- Advanced reporting skills and remediation
The candidate will be provided with a real world engagement within the renowned Hera Lab: the virtual labs in VPN powered by cutting edge virtualization technology where thousands of penetration testers worldwide already practice different kinds of penetration testing techniques against real targets.
Once valid credentials have been provided for the certification platform, the candidate will be able to perform the tests from the comfort of their home or office. An Internet connection and VPN software is necessary to carry out the exam.
eLearnSecurity’s eWPT is the only certification for Web application Penetration Testers that evaluates your abilities at attacking your target and providing thorough professional documentation and recommendation.”
I will follow up in the ethicalhacker.net forums once I have had an opportunity to take the exam and will share my experience.
The eLearnSecurity Web Application Penetration Testing (WAPT) course was definitely valuable and provided some great information that I will be able to use immediately. There were many important topics and techniques presented that were reiterated throughout the course to really drive them home. The video presentations and instructions were well done and easy to follow. I was a fan of the Thunderstruck introductory “theme song” to each video as well!
As I stated earlier, I think this course is best suited for someone already working in security but new to web application testing, or someone with intermediate level skills for web application testing. The labs provided with this course are great. The guided labs with the lab manual walk you right through what needs to be done, so the student can get the hands-on experience needed to conduct their own assessments. The challenge labs are a lot of fun as well, since you’re on your own and have the ability to test as you see fit. They range in difficulty, so you can move up as you go along.
There are two additional notes that I want to make that are important about eLearnSecurity in general. One is the way that eLearnSecurity offers you the ability to pay for the courses. If you’re on a tight budget and paying out of pocket, you can buy portions of the courses at a time. This allows you to get started sooner and make a few installment payments, as you work your way through the course on your schedule and as your budget permits. This is the only training that I’m aware of that allows you to do this. The second unique item to eLS is the way in which you can purchase lab time. You can purchase lab time for a specific duration in consecutive days or in total number of hours. For example, you could purchase 30 days of lab time April 1 and your subscription would expire at the end of the month. Alternatively, you could buy a block of 60 hours and your time will only decrease as you’re using it. In both cases, you have up to 90 days after starting the course to activate the labs and your lab time will expire after one year. Again, I’m not aware of anyone else in the industry offering lab time like this.
Finally, I’d be remiss if I didn’t mention the numerous grammatical errors throughout the course. I completely understand that this is an Italian company, so English is not their first language. But on the other hand, eLS has been around long enough and established itself as a premier provider of training. With that in mind, I feel it is long past the point of letting it slide. eLS has reported to us that they have been working with an editor and made some progress, so it is much better than it used to be. But they really need to have more professional and complete editing before releasing future versions of products. There are several other organizations in the same boat, and people start to not take them seriously not just because the grammar is horrible but also because the content is severely lacking. I’d hate for eLS to be lumped into the same category simply because of grammar issues. Because trust me when I say that the quality of the eLS course material and the presentation of that material is second to none. It is time for the rest to be on that level.
In summary, eLS has succeeded overall in producing an extremely effective course that meets the needs of the market, teaches the necessary skills of web application penetration testing and tops it off with a certification that has a practical component to it, all with the ability to attain it without travel. That’s quite an accomplishment, and eLS should be commended for a great addition to their already successful slate of professional security training courses. Taking into account the very reasonable, low price point, this new offering from eLS is hard to beat.
As a benefit of being an EH-Net reader, we’ve solidified an exclusive 10% discount with the use of code: WAPT-10P3M. It expires August 31st 11.59 PM PST, so hurry out today and jump at this opportunity for web application penetration testing training! I wish you the best of luck as you make your way through the course and please feel free to reach out with any questions. Stay tuned for my exam experience in the coming weeks.
Bill Varhol (MCSE+S, OSCP, OSWP, GPEN et al) is a 14-year veteran of the industry having worked for multiple organizations in varying sectors including Greenpath Debt Solutions (Non-profit/Finance), Defense Finance and Accounting Service (Government), KPMG (Consulting Firm), and his current role with AlixPartners (Consulting Firm). Since childhood, Bill has been building computers, poking around websites, troubleshooting problems, and enjoying every minute of it all. He realized his interest in computer security from the beginning and has successfully managed to make a professional career out of it. He regularly conducts vulnerability assessments, limited-to-full scope penetration tests, and provides InfoSec consulting services in his current role. He has also helped shape the ethical hacking landscape by being a board member of a certification organization for several years. Bill lives in Michigan with his family and enjoys spending time with his children when not busy breaking things.