
Certified Security Testing Professional - Web Application Hacking

Course Details

Name: Certified Security Testing Professional - Web Application Hacking
Price: £1599.00 + VAT


Web application flaws can leave an organisation and its customers open to attack. This web application ethical hacking course gives you an understanding of the 'OWASP Top Ten Web Application Security Vulnerabilities' and of how to defend against them, an essential component of modern information security strategies and a requirement of the Payment Card Industry Data Security Standard (PCI DSS).

This three-day course is designed to give you the skills you need to undertake an application penetration test, so that valuable data and assets are effectively protected. You will have access to a functional ASP.NET and PHP application through which the theory is reinforced by practical exercises that demonstrate hacking techniques, with the defensive countermeasures always in mind.


Who Should Attend

Anyone with responsibility for, or an interest in, the security of web applications, including:

  • System administrators
  • Software developers
  • Budding penetration testers
  • Anyone subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS)

Learning Objectives

On completing the course you will understand:

  • A number of methodologies for undertaking a web application penetration test
  • How to exploit vulnerabilities to gain access to data and functionality
  • A range of defensive countermeasures, and enough about each attack to apply the right countermeasure against it


Prerequisites

A basic understanding of how a web page is requested and delivered:

  • Are you familiar with the high-level components involved, e.g. browsers, web servers, web applications and databases?
  • Do you have a basic understanding of HTTP?
  • Do you have a basic understanding of HTML?

A basic understanding of databases and SQL would be an advantage:

  • Do you understand the concept of data storage in tables within a relational database?
  • Can you construct a simple SELECT statement to extract data from a table?

Course Content

  1. Principles
    1. Web refresher
    2. Proxies
    3. The OWASP Top Ten
    4. Web application security auditing
    5. Tools and their limitations
    6. HTTP request and response modification
    7. Logic flaws
  2. Injection
    1. Types
    2. Databases overview – data storage, SQL
    3. SQL injection – data theft, authentication
    4. Bypass, stored procedures
    5. Information leakage through errors
    6. Blind SQL injection
  3. Broken Authentication and Session Management
    1. Scenarios
    2. Attacking authentication pages
    3. Insecure Direct Object Reference
    4. Direct vs indirect object references
    5. Authorisation
    6. Cross-site Request Forgery (CSRF)
    7. Exploiting predictable requests
  4. Cross-site Scripting (XSS)
    1. JavaScript
    2. Email spoofing
    3. Phishing
    4. Reflected and Stored/Persistent XSS
    5. Cookies, sessions and session hijacking
  5. Insecure Direct Object Reference
    1. Scenarios
    2. Information leakage through logs
  6. Security Misconfiguration
    1. Scenarios
  7. Sensitive Data Exposure
    1. Identifying sensitive data
    2. Secure storage methods
  8. Unvalidated Redirects and Forwards
    1. Scenarios
  9. Conclusions
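The Injection module above covers SQL injection for authentication bypass, information leakage through database errors, and the countermeasure. The following is an added example, not part of the course material or its lab application: a login check that concatenates user input into SQL, beside the parameterised version that defeats the same payloads. The table, user names and passwords are constructed for the example, and the database is an in-memory SQLite instance so it runs stand-alone.

```python
import sqlite3

# Constructed sample data; the table and users are invented for this example.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable login: the input is pasted into the SQL text,
    so a quote in the input changes the structure of the query rather than
    being compared as data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Countermeasure: a parameterised query. The SQL text is fixed and the
    values are bound separately, so the same payloads are only ever compared
    as literal strings. (A real application would compare a password hash
    rather than a stored plaintext; see the Sensitive Data Exposure module.)"""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def error_probe(conn, username):
    """Send a lone quote to the vulnerable login and return the database error
    text, or None if the query ran. An application that echoes this text to
    the browser is the 'information leakage through errors' case: the error
    confirms the injection point and names the database engine's dialect."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    # Payload 1: close the string and comment out the password check.
    print(login_vulnerable(db, "alice' --", "wrong"))      # alice
    print(login_safe(db, "alice' --", "wrong"))            # None
    # Payload 2: make the WHERE clause always true via the password field.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))   # first user row
    print(login_safe(db, "nobody", "' OR '1'='1"))         # None
    # A single quote on its own breaks the query and produces an error.
    print(error_probe(db, "'"))
```

The first payload works because `--` starts a SQL comment, so everything after the injected quote, including the password comparison, is discarded; the second works because `AND` binds more tightly than `OR`, leaving a clause that is true for every row. Neither payload does anything against `login_safe`, which is the whole point of binding values instead of building query strings.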

Cambridge Technology Centre


At the Cambridge Development Centre (CDC), our trainers use purpose-built facilities to create the right environment in which to provide ‘hands-on’ training.

Access to the latest equipment and techniques is just one of the benefits of studying at CDC; others include:

  • Free lunch and coffees throughout your course
  • Air-conditioned training rooms in well-lit, spacious surroundings
  • Free on-site car parking with no restrictions for private car users





Directions by Car


From the M11

Take junction 10 off the M11, and head for Royston on the A505. Continue along the A505 heading for Royston and pass a service area on the left. Take the second right after the service area (signposted for Melbourn). Continue for approximately two miles (this will take you into the village). At the traffic lights, turn left. Continue through the village, and take the left past The Dolphin Pub into Back Lane. PA Consulting Group is on the right.


From the A10

Turn right off the A10 (if travelling north), or left (if travelling south) north of Royston, signposted for ‘Melbourn Village and Industrial Area’. Take the first right into Back Lane and the Industrial Area. PA is on the right.


From Cambridge

Take the A10 southbound, signposted for Trumpington. Once through the village of Harston, follow the third sign for Melbourn, which will also read 'Industrial Area'. Take the first right into Back Lane. PA Consulting Group is on the right.


Directions by Public Transport


From Royston Station

Two trains an hour run from London King's Cross Station to Royston Station. The taxi journey from the station takes 10 minutes.



Ample parking is available at the front of the building. Two car parks are located on either side of the main driveway into the PA site. Turn into the park on the left, and proceed straight ahead. Visitor car parking is located at the bottom of the steps which lead to reception.


Qualification

Delegates who pass the exam held at the end of the course will be awarded the CSTP qualification. Completing CSTP satisfies the prerequisites for the CAST course (advanced web application security) and, together with CSTA, is an excellent foundation for the CREST Registered Tester qualification.
