0845 450 6120

Certified Security Testing Professional - Web Application Hacking

This 2-day web application ethical hacking course covers the fundamentals of the industry-recognised OWASP Top Ten – to quote OWASP: “the ten most critical web application security risks”.

Learning Objectives

You will have access to a functional ASP.NET and PHP application through which theory is reinforced by way of practical exercises. The course demonstrates hacking techniques - there’s no better way to understand attacks than by doing them yourself - but this is always done with defence in mind and countermeasures are taught throughout. Knowledge of, and protection against, the OWASP Top Ten is a core requirement of the Payment Card Industry Data Security Standard (PCI DSS) and therefore CSTP is ideally suited to web developers and QSAs as well as IT security officers and budding penetration testers.


A basic understanding of how a web page is requested and delivered:

  • Are you familiar with the high-level components involved, e.g. browsers, web servers, web applications and databases?
  • What is HTTP?
  • What is HTML?

A basic understanding of databases and SQL would be an advantage:

  • Do you understand the concept of data storage in tables within a relational database?
  • Can you construct a simple SELECT statement to extract data from a table?

Course Content


• Web refresher

• Proxies

• The OWASP Top Ten

• Web application security auditing

• Tools and their limitations

• HTTP request and response modification

• Logic flaws


• Types

• Databases over view – data storage,


• SQL injection – data theft, authentication

• bypass, stored procedures

• Information leakage through errors

• Blind SQL injection

Cross-site Scripting (XSS)

• Email spoofing

• Phishing

• JavaScript – tabnabbing

• Reflected and Stored/Persistent XSS

• Cookies, sessions and session hijacking

Broken Authentication and Session Management

• Scenarios

• Attacking authentication pages

• Insecure Direct Object Reference

• Direct vs indirect object references

• Authorisation

• Cross-site Request Forgery (CSRF)

• Exploiting predictable requests

Security Misconfiguration

• Scenarios

Insecure Cryptographic Storage

• Identifying sensitive data

• Secure storage methods

Failure to Restrict URL Access

• Scenarios

• Information leakage through logs

Insufficient Transport layer protection

• Scenarios

Unvalidated Redirects and Forwards

• Scenarios



Exams & Certification

Delegates who successfully complete the exam included at the end will be awarded the CSTP qualification. Completion of CSTP satisfies the prerequisites for CAST course (advanced web application security) and is an excellent foundation towards the CREST Registered Tester qualification, along with CSTA

One Month
Two Months
Three Months
More than Three Months
PRINCE2 Foundation & Practitioner
MSP Foundation & Practitioner
APMP Certificate
ITIL Foundation
Scrum in One Day
Certified ScrumMaster
ISTQB Software Test Foundation
Microsoft Project
BCS Business Analysis Practice
Other - Please Specify Below

Online Courses

You may prefer an online course if you are looking for a flexible and cost-effective solution. Online courses allow you to study at your own pace, at a time that suits you.

We have the following eLearning options available:

Our Customers Include