
Certified Security Testing Professional - Web Application Hacking

Web application flaws can leave an organisation and its customers vulnerable to attacks. This web application ethical hacking course will give you the knowledge of, and protection against, the ‘OWASP Top Ten Web Application Security Vulnerabilities’, an essential component of modern information security strategies and a requirement of the Payment Card Industry Data Security Standard (PCI DSS).

This three-day course is designed to give you the skills you need to undertake an application penetration test in order to ensure valuable data and assets are effectively protected. You will have access to a functional ASP.NET and PHP application through which theory is reinforced by way of practical exercises in order to demonstrate hacking techniques with defensive countermeasures always in mind.


Anyone with responsibility for, or an interest in, the security of web applications, including:

  • System administrators
  • Software developers
  • Budding penetration testers
  • Anyone subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS)


Learning Objectives

  • A number of methodologies for undertaking a web application penetration test
  • How to exploit vulnerabilities to access data and functionality
  • A range of defensive countermeasures, together with sufficient knowledge of how to counter these attacks


A basic understanding of how a web page is requested and delivered:

  • Are you familiar with the high-level components involved, e.g. browsers, web servers, web applications and databases?
  • Do you have a basic understanding of HTTP?
  • Do you have a basic understanding of HTML?

A basic understanding of databases and SQL would be an advantage:

  • Do you understand the concept of data storage in tables within a relational database?
  • Can you construct a simple SELECT statement to extract data from a table?

Course Content

  1. Principles
    1. Web refresher
    2. Proxies
    3. The OWASP Top Ten
    4. Web application security auditing
    5. Tools and their limitations
    6. HTTP request and response modification
    7. Logic flaws
  2. Injection
    1. Types
    2. Databases overview – data storage, SQL
    3. SQL injection – data theft, authentication
    4. Bypass, stored procedures
    5. Information leakage through errors
    6. Blind SQL injection
  3. Broken Authentication and Session Management
    1. Scenarios
    2. Attacking authentication pages
    3. Insecure Direct Object Reference
    4. Direct vs indirect object references
    5. Authorisation
    6. Cross-site Request Forgery (CSRF)
    7. Exploiting predictable requests
  4. Cross-site Scripting (XSS)
    1. JavaScript
    2. Email spoofing
    3. Phishing
    4. Reflected and Stored/Persistent XSS
    5. Cookies, sessions and session hijacking
  5. Insecure Direct Object Reference
    1. Scenarios
    2. Information leakage through logs
  6. Security Misconfiguration
    1. Scenarios
  7. Sensitive Data Exposure
    1. Identifying sensitive data
    2. Secure storage methods
  8. Unvalidated Redirects and Forwards
    1. Scenarios
  9. Conclusions

Exams & Certification

Delegates who successfully complete the exam included at the end of the course will be awarded the CSTP qualification. Completion of CSTP satisfies the prerequisites for the CAST course (advanced web application security) and, along with CSTA, is an excellent foundation towards the CREST Registered Tester qualification.
