The CSX Web Application Security Engineer Pathway provides students with an extensive knowledge of web application protection. This pathway includes our OWASP Top 10 course as well as diverse labs outlining the importance of securing web apps.

Continuing Professional Education (CPE) Credit Count: 42

Lesson objectives:

• Understand how systems are vulnerable to injection attacks
• Know the different types of injection attacks
• Understand how to protect from injection attacks

Instructional Lab: Injection

• Identify an injection vulnerability present on a simulated organization’s system of responsibility.

Lesson objectives:

• Understand what constitutes a broken authentication
• Know how to identify if an application is vulnerable to broken authentication
• Understand how to mitigate and prevent broken authentications

Instructional Lab: Broken Authentication

• Identify a broken authentication capability within an organizational application. Once identified, take action to exploit the vulnerability.

Lesson objectives:

• Know how to identify sensitive data
• Determine if the information should be exposed or protected
• Understand how to appropriately protect sensitive data

Instructional Lab: Sensitive Data Exposure

• Enter an environment wherein key organizational data is incorrectly protected. Identify the exposed sensitive data and take steps to protect it from potential misuse

Lesson objectives:

• Understand how threat agents exploit vulnerable XML processors
• Know how to identify if an application is vulnerable to XXE
• Understand how to prevent potential XXE exploitations

Instructional Lab: XML External Entities

• Identify a potential XXE exploitation on a network of responsibility and test the exploit on the vulnerable XML processors.

Lesson objectives:

• Understand the elements which make broken access control exploitable
• Know how to identify potential access control bypasses
• Understand how to harden access control mechanisms for an organization

Instructional Lab: Broken Access Control

• Identify potential broken access mechanisms within the environment, leveraging them to gain access to a system, and then harden the system from additional implementation of the access control.

Lesson objectives:

• Understand the dangers presented with misconfigured systems and networks
• Understand examples of misconfigurations which can make a system vulnerable to exploitation
• Know how to reconfigure certain system applications to increase security

Instructional Lab: Security Misconfiguration

• Identify specific misconfigured applications within a live environment which, when exploited, will give attackers greater influence over a network.

Lesson objectives:

• Understand the different forms of XSS
• Understand how XSS can exploit a user system
• Know how to prevent XSS

Instructional Lab: Cross-Site Scripting (XSS)

• Identify a poorly configured site which performs XSS attacks against user browsers, then implement mechanisms to prevent XSS on an application under their purview.

Lesson objectives:

• Understand the two primary types of deserialization attacks
• Understand which types of applications leverage serialization
• Learn how to prevent deserialization attacks

Instructional Lab: Insecure Deserialization

• Identify applications with potential insecure deserialization vulnerabilities. Take action to test the vulnerability to see if the environment is susceptible.

Lesson objectives:

• Understand characteristics which indication potentially vulnerable applications
• Know the importance of testing for vulnerabilities
• Understand how to prevent potential compromise through implementing proven applications

Instructional Lab: Insecure Deserialization

• Identify applications which are potentially vulnerable to exploitation, take action to address the vulnerabilities and harden the system.

Lesson objectives:

• Understand the importance of log monitoring
• Understand how inattentive administrators miss attacks
• Know how to prevent poor logging mechanisms within an infrastructure

Instructional Lab: Insecure Deserialization

• Identify a misconfigured event logger and identify key events which required should have been escalated. Reconfigure the logger to ensure appropriate notification and logging occurs.

Challenge Lab:

• As a web app penetration tester, it will be your responsibility to apply learned skills and techniques in order to complete an injection-based web app security challenge.

Challenge Lab

• Using knowledge from the Broken Authentication (#2) and Security Misconfigurations (#6) labs, complete this final challenge lab!

• Discuss Phishing attacks
• Conduct Phishing examples

Phishing attacks are the lynchpin of many organizational breaches and exploitations. Cyber security professionals that understand this also understand that many of these attacks are successful due to lack of understanding by end users. This course will teach cyber security professionals how to perform a phishing attack and illustrate the importance of cyber security awareness when browsing the internet.

Lesson objectives:

• Discuss cross site script attacks
• Implement a cross site script attack

Instructional Lab: Testing Web Application

Part of a comprehensive defense-in-depth implementation includes testing new capabilities and applications before implementing them into an organizations production network. This course illustrates how students can conduct testing against newly developed web applications to ensure they do not pose a risk to organizational assets.

SQL Injection is a common technique used by hackers and red teams to infiltrate database systems via the Web UI. In this lab, we will give student hands-on experience with this type of attack.

Lesson objectives:

• Understand how to start services with XAMPP in order to run DVWA, a web application.
• Understand how to capture packets with Wireshark to expose data leakage within DVWA.

Instructional Lab: Data Leakage

Students will learn the importance of data integrity through comparative analysis of hash algorithm output. Leveraging hashing tools, students will learn how to ensure that data is not compromised post-incident.

Lesson objectives:

• Configure FireFox to us BurpSuite as a proxy
• Use BurpSuite to intercept client-server requests
• Manipulate a cookies session ID to bypass login

Instructional Lab: Session Hijacking

Students will identify web application cookies, interact with Burp, and a MITM attack.

Lesson objectives:

• Observe and identify a DDoS SYN-Flood attack on a webserver.
• Utilize firewall tools to mitigate future attacks of this type.

Instructional Lab: DDoS Detection

Students will experience the different components of a distributed denial of service attack.

Lesson objectives:

• Utilize Wireshark to isolate client data
• Establish Baseline Data Flows
• Conduct Packet Analysis
• Discover possible nefarious data flow

Instructional Lab: Chrome Extension Testing

In early 2018, security researchers discovered several nefarious Chrome extensions that were making unwanted calls to ad servers. This resulted in the removal of these Chrome extensions from the Google Extension Store and a heightened awareness to the possible effects of Chrome extensions on business networks.

Lesson objectives:

• Learn the fundamentals of DNS harvesting and how it applies to the blue team side of cybersecurity
• Grasp the basics of search modifiers
• Use Kali Linux and its command line tools in order to conduct DNS harvesting techniques
• Use Ubuntu Linux and Google Chrome in order to pinpoint web results using search engine directives

Instructional Lab: Harvesting DNS and Focusing Web Searches

Kali Linux has a multitude of command line tools that can be used to harvest DNS information from public servers.  As a technical cybersecurity professional, it will be your responsibility to put these tools to use.  Also, you will need to use Ubuntu Linux in order to focus your web queries within Google's search engine.  In this case, you will be using the Nexus to tie these skills together in order to get familiar with real-world information gathering situations.

Lesson objectives:

• Learn HTTP, Wireshark and Netcat in order to apply an understanding of HTTP request methods
• Use Kali Linux and Ubuntu Linux in order to properly setup a multi-system LAN
• Use Wireshark in order to analyze the HTTP GET and POST request methods that were previouisly generated
• Use Netcat in order to further analyze how these methods can be used in a CLI

Instructional Lab: Harvesting DNS and Focusing Web Searches

Understanding how website applications are developed is an important skill to have when securing your personal or company website.  The back and forth communication between a client and a server can be the difference between a secure web app and a vulnerable one.  In this lab, as a website application developer, it is your responsibility to understand how HTTP request methods are used and how it ties in to developing a secure website.