
Web Application Penetration Testing: Insecure Error Handling


Dawid Czagan

48:48

  • 01-Course Overview.mp4
    02:06
  • 02-Disclosure of Web Server Version via Error Message - Overview.mp4
    03:15
  • 03-Disclosure of Web Server Version via Error Message - Demo.mp4
    03:33
  • 04-Cross-site Scripting via Error Message Overview.mp4
    02:14
  • 05-Cross-site Scripting via Error Message Demo.mp4
    04:14
  • 06-Summary.mp4
    01:42
  • 07-User Enumeration via Error Messages - Overview.mp4
    04:53
  • 08-User Enumeration via Error Messages - Demo.mp4
    05:28
  • 09-Insecure Handling of Many Unsuccessful Login Attempts - Overview.mp4
    02:28
  • 10-Insecure Handling of Many Unsuccessful Login Attempts - Demo.mp4
    03:27
  • 11-Summary.mp4
    01:22
  • 12-Unhandled Exceptions - Overview.mp4
    02:51
  • 13-Unhandled Exceptions - Demo.mp4
    03:17
  • 14-File Inclusion Errors - Overview.mp4
    03:12
  • 15-File Inclusion Errors - Demo.mp4
    03:23
  • 16-Summary.mp4
    01:23
Description


    In this course, you'll learn how insecure error handling in modern web applications can have severe consequences. You'll see how to test web applications for insecure error handling and how to prevent these problems.

    What You'll Learn?


      Insecure error handling can lead to very severe consequences, and that is why this subject is interesting for penetration testers. In this course, Web Application Penetration Testing: Insecure Error Handling, you will learn how to test for insecure error handling in modern web applications. First, you will discover different types of insecure web server errors. You will see what can happen when the web server version is disclosed in an error message. You will also see how an attacker can steal sensitive data through a cross-site scripting attack delivered via an error message. Next, you will learn about insecure error handling in the context of login functionality, which is one of the most sensitive parts of a web application. You will see how to test for user enumeration via error messages and how to test for insecure handling of many unsuccessful login attempts. Finally, you will explore some of the most dangerous errors in modern web applications: unhandled exceptions and file inclusion errors. You will see how an attacker can obtain sensitive data by triggering an unhandled exception, and how an attacker can proceed from file inclusion errors to reading the contents of sensitive files. By the end of this course, you will know how to test for insecure error handling in modern web applications and how to prevent these problems.
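    The two login flaws named above, user enumeration via error messages and unbounded unsuccessful login attempts, are easiest to understand side by side with a fixed version. The following is an added example written for this page; it is not code from the course or from Pluralsight. It models a login handler as a plain function returning (status, message), uses a constructed in-memory user store with a fixed salt and an in-memory failure counter (both assumptions made for the demo, not a recommendation for production), and includes two black-box checks a tester would run: one that detects the enumeration oracle by comparing failure responses for an existing and a non-existing account, and one that counts how many wrong passwords the handler accepts before it starts throttling.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo user store (assumption, not from the course): username -> sha256(salt + password).
# A fixed salt keeps the example deterministic; real code uses a per-user salt and a slow KDF.
_SALT = b"demo-salt"


def _hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _hash("correct horse"), "bob": _hash("battery staple")}
_DUMMY_HASH = _hash("placeholder")   # compared against when the user does not exist

MAX_ATTEMPTS = 5                     # failed logins allowed before the hardened handler throttles
_failed = defaultdict(int)           # per-username failure counter (hypothetical in-memory store)


def reset_attempts() -> None:
    _failed.clear()


def login_vulnerable(username: str, password: str):
    """Flaw 1: distinct status and message reveal whether the account exists.
    Flaw 2: nothing limits how many wrong passwords may be tried."""
    if username not in USERS:
        return 404, "Unknown user"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return 401, f"Wrong password for user {username}"
    return 200, "Welcome"


def login_hardened(username: str, password: str):
    """Same status and message for every failure, a hash comparison that runs even for
    unknown users, and a per-account failure counter that throttles further tries."""
    if _failed[username] >= MAX_ATTEMPTS:
        return 429, "Too many attempts, try again later"
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if not ok:
        _failed[username] += 1
        return 401, "Invalid username or password"
    _failed[username] = 0
    return 200, "Welcome"


def enumeration_oracle(login, known_user: str, probe_user: str = "no_such_user_zz",
                       password: str = "x") -> bool:
    """Black-box check: do failed logins for an existing and a non-existing account
    produce different responses? If so, the error message is a user-enumeration oracle."""
    reset_attempts()   # fresh state so throttling cannot mask the comparison
    return login(known_user, password) != login(probe_user, password)


def lockout_after(login, username: str, password: str = "wrong", tries: int = 20):
    """Attempt number at which the handler stops answering 401 (i.e. starts throttling),
    or None if all `tries` wrong passwords are checked without restriction."""
    reset_attempts()
    for attempt in range(1, tries + 1):
        status, _ = login(username, password)
        if status != 401:
            return attempt
    return None


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "enumeration oracle:", enumeration_oracle(handler, "alice"),
              "throttles at attempt:", lockout_after(handler, "alice"))
```

    When testing a real application, compare more than the message text: status code, response length, headers, redirects and response time can all differ between the "unknown user" and "wrong password" paths even when the visible text is identical. Note also that a per-username counter, as in the hardened handler, lets an attacker lock out a victim by sending wrong passwords on their behalf; in practice it is combined with per-source rate limiting, progressive delays and alerting rather than used alone.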



    Dawid Czagan
    Dawid Czagan is listed among the Top 10 Hackers by HackerOne. He has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, and other companies. Due to the severity of these bugs, he has received numerous awards for his findings. He has delivered security training courses at key industry conferences, such as Hack In The Box, CanSecWest, 44CON, Hack In Paris, DeepSec, BruCON, and for many corporate clients. His students include security specialists from Oracle, Adobe, Red Hat, Trend Micro, Philips, ESET, ING, and the government sector. Dawid Czagan is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services.
    Pluralsight, LLC is an American privately held online education company that offers a variety of video training courses for software developers, IT administrators, and creative professionals through its website. Founded in 2004 by Aaron Skonnard, Keith Brown, Fritz Onion, and Bill Williams, the company has its headquarters in Farmington, Utah. As of July 2018, it uses more than 1,400 subject-matter experts as authors, and offers more than 7,000 courses in its catalog. Since first moving its courses online in 2007, the company has expanded, developing a full enterprise platform, and adding skills assessment modules.
    • language english
    • Training sessions 16
    • duration 48:48
    • level average
    • Release Date 2023/12/06