Certified Security Testing Professional - Web Application Hacking

This 2-day web application ethical hacking course covers the fundamentals of the industry-recognised OWASP Top Ten – to quote OWASP: “the ten most critical web application security risks”.


Learning Objectives

You will have access to a functional ASP.NET and PHP application through which theory is reinforced by way of practical exercises. The course demonstrates hacking techniques - there’s no better way to understand attacks than by doing them yourself - but this is always done with defence in mind and countermeasures are taught throughout. Knowledge of, and protection against, the OWASP Top Ten is a core requirement of the Payment Card Industry Data Security Standard (PCI DSS) and therefore CSTP is ideally suited to web developers and QSAs as well as IT security officers and budding penetration testers.


A basic understanding of how a web page is requested and delivered:

  • Are you familiar with the high-level components involved, e.g. browsers, web servers, web applications and databases?
  • What is HTTP?
  • What is HTML?

A basic understanding of databases and SQL would be an advantage:

  • Do you understand the concept of data storage in tables within a relational database?
  • Can you construct a simple SELECT statement to extract data from a table?

Course Content

  • Web refresher
  • Proxies
  • The OWASP Top Ten
  • Web application security auditing
  • Tools and their limitations
  • HTTP request and response modification
  • Logic flaws

Injection

  • Types
  • Databases overview – data storage
  • SQL injection – data theft, authentication bypass, stored procedures
  • Information leakage through errors
  • Blind SQL injection

Cross-site Scripting (XSS)

  • Email spoofing
  • Phishing
  • JavaScript – tabnabbing
  • Reflected and Stored/Persistent XSS
  • Cookies, sessions and session hijacking

Broken Authentication and Session Management

  • Scenarios
  • Attacking authentication pages

Insecure Direct Object Reference

  • Direct vs indirect object references
  • Authorisation

Cross-site Request Forgery (CSRF)

  • Exploiting predictable requests

Security Misconfiguration

  • Scenarios

Insecure Cryptographic Storage

  • Identifying sensitive data
  • Secure storage methods

Failure to Restrict URL Access

  • Scenarios
  • Information leakage through logs

Insufficient Transport Layer Protection

  • Scenarios

Unvalidated Redirects and Forwards

  • Scenarios



Exams & Certification

Delegates who successfully complete the exam included at the end of the course will be awarded the CSTP qualification. Completion of CSTP satisfies the prerequisites for the CAST course (advanced web application security) and, together with CSTA, is an excellent foundation towards the CREST Registered Tester qualification.
