Application Penetration Testing

The target of the application penetration testing course is to allow candidates acquire necessary security knowledge for performing penetration tests for web and mobile applications.  Most popular application security attacks and latest techniques will be illustrated. Students will learn techniques and tools utilized in each step of application penetration testing starting from information gathering and ending with exploitation. Defense techniques will be elaborated for each attack so that the pen tester could provide proper recommendations to developers and application operators. Demos and exercises will be utilized in order to put hands on experience on the topics presented. Real life cases will be discussed in order to relate the topics with real incidents.

course syllabus

Introduction and Objective of Methodology

  • Why web applications are targeted
  • Overview of application attack vectors
  • Overview of different testing methodologies

Information Gathering

  • Search Engine Reconnaissance
  • Identify Application Entry Points
  • Testing for Web Application Fingerprint
  • Applications Discovery
  • Analysis of Error Codes

Configurations Testing

  • Fingerprinting Architecture
  • Testing for HTTP Methods
  • SSL/TLS Testing
  • Defaults and Misconfigurations

Authentication Testing

  • Testing for User Enumeration and Brute Force
  • Testing for Bypassing Authentication
  • Testing for Vulnerable Remember Password and Password Reset
  • Testing for Logout and Browser Cache Management

Authorization Testing

  • Testing for Authorization Bypass
  • Testing for Privilege Escalation
  • Business Logic Testing
  • Testing for Path Traversal

Session Management Testing

  • Testing for Session Management Schema
  • Testing for Cookies attributes
  • Testing for Session Fixation
  • Testing for Exposed Session Variables
  • Testing for logout Features & Testing for CSRF

Testing Data Validation

  • SQL Injection
  • LDAP Injection
  • XPath Injection
  • Command Injection
  • Cross Site Scripting


  • Testing AJAX
  • Testing Mobile Apps and APIs
  • Reporting
  • Capture the Flag.

Who Should Attend?

  • Information Security Engineers.
  • Software Developers.
  • Software Testing and Quality Assurance Professionals.

Apply Now