Tried, Tested and Proven



Description of the Course

This course is designed to offer further training for performing an application penetration test, and builds on the knowledge gained within the beginner course.

The course will cover the further methodologies for application penetration tests and focus on exploiting identified vulnerabilities and more complex attack vectors for both Cross Site Scripting (XSS) and SQL injection. The course will also cover an introduction to “thick client”, AJAX and SOAP applications.

Furthermore, the course will provide further reading material around the solutions for the issues covered which could be used as a preparation for the “secure application development” course.

This is a three day course.

Delegate Requirements

Minimum Skills Needed

All skills required for “application penetration testing – beginner”;

A working knowledge of basic application testing tools, including intercepting proxies and web scanners;

Experience of various application technologies such as ASP, JSP and PHP;

Previous experience of using Javascript;

Functional knowledge of XML;

Knowledge of different application architectures and designs

A basic knowledge of SOAP, AJAX, JSON

A basic knowledge of “thick” client applications

A background in development is not a requirement, but may be advantageous. If there is concern over a potential candidate’s suitability, we can arrange a discussion with the course leader to assess this.


As part of the course delivery, participants will need to access a purpose built test environment, in which techniques can be practiced. Therefore, participants will require:

Laptop with local administrator access and permission to load 3rd party software onto it. Hire laptops available on request for an additional fee;

A bootable image will be provided as part of the course materials and can be used as the operating system for the duration of the course. Candidates may also use their own preferred build.


What will be covered in the course (overview):

Exploiting Cross Site Scripting (XSS);
Finding and exploiting more advanced SQL injections (such as blind SQL injection);
Finding and exploiting Cross Site Request Forgery (CSRF);
Testing “thick” client applications;
Testing applications that make use of AJAX and SOAP.

What will be covered in the course (specifics):

Exploiting XSS;
Blind SQL injection;
Time based & differing response based SQL injection;
Exploiting SQL injection to gather data & get code execution;
“thick” client applications;





Cost (per participant)

Application penetration testing Intermediate 3 £1,800