May 31, 2023
In this blog, learn about how OffSec’s web application security course helps team members become better developers, attackers, and defenders.
WEB-200: Foundational Web Application Assessments with Kali Linux is a black-box-style web application security course designed to teach the Learner how to assess web applications from an external perspective. A black-box penetration test or web application assessment is one in which the tester does not receive access to the application's source code. The tester therefore has to behave like a regular user of the application in order to enumerate, discover, and exploit different kinds of vulnerabilities.
In this blog post, we will identify how our web app security course can help your team members improve their security skills, whether they’re web application developers, blue teamers, or penetration testers. Plus, we’ll provide a suggestion for those looking to get into the field in the first place!
WEB-200 represents an excellent opportunity for developers to get into the mindset of an attacker. You will learn different methodologies, processes, and behaviors of potential malicious actors. In doing so, you will come to understand how your code can be abused to achieve outcomes that you may not have intended.
Let’s take Cross-Site Scripting (XSS) as an example. Cross-Site Scripting can occur whenever a user is permitted to submit text that is later rendered by a browser as HTML (for example, a blog post’s comments). Watch our OffSec Live recorded walkthrough if you’re interested in an in-depth demonstration. WEB-200 contains an excellent “sandbox” application that shows the Learner both what the attacker sees in their browser and what the victim sees in theirs.
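To make the condition described above concrete from the developer's side, here is an added example (not code from the course or from OffSec) of a comment being rendered two ways: interpolated straight into HTML, which is the XSS condition, and HTML-entity encoded first, which is the fix. The sample comments are constructed for this illustration.

```python
import html

# Constructed sample comments (not from the course): one benign, one carrying
# markup, one with characters that matter inside attribute values.
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    "<script>alert(1)</script>",
    'Click "here" & enjoy',
]


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates user text straight into the HTML fragment.

    The browser parses whatever tags the commenter supplied, so the page
    executes the commenter's markup in every other reader's browser.
    """
    return f'<li class="comment">{comment}</li>'


def render_comment_hardened(comment: str) -> str:
    """Same markup, but the untrusted text is entity-encoded first.

    html.escape turns <, >, &, " and ' into entities, so the browser renders
    the comment as literal characters instead of parsing it as markup.
    quote=True matters when the same text could land inside an attribute.
    """
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does the fragment still contain a raw <script tag after rendering?"""
    return "<script" in rendered.lower()


def render_comment_list(comments, hardened: bool = True) -> str:
    """Renders the whole comment block with one of the two strategies."""
    render = render_comment_hardened if hardened else render_comment_vulnerable
    return "<ul>" + "".join(render(c) for c in comments) + "</ul>"


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("vulnerable:", render_comment_vulnerable(c))
        print("hardened:  ", render_comment_hardened(c))
```

Output encoding has to match the context the text lands in (HTML body, attribute, JavaScript string, URL); the entity encoding shown here is the right choice for the HTML body context used by a comment list, and a templating engine with auto-escaping enabled gives the same protection without relying on every developer remembering to call the escape function.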
Another benefit to development teams is that you can build up the capacity to audit code within the team by applying the skills and techniques learned in this web application security course. For example, you might try to abuse Server-Side Template Injection (SSTI) to obtain Remote Code Execution (RCE) on an application you are building that uses templates.
The main reason to explore WEB-200 as a blue teamer is to understand the kinds of footprints attackers leave when attempting these kinds of attacks. WEB-200 is not a red teaming course and does not emphasize stealth. It is therefore a perfect tool for defenders to get acclimated with the kind of strings attackers leave behind in logs while performing black-box-style attacks.
For example, the SQL Injection Modules allow the Learner to select among various databases on which to execute their queries (and attacks). Since the course explores many different kinds of relational database systems, defenders can get acclimated with the different types of syntax and strings that are likely to be left behind in web server logs.
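As an added example of what the defender-side view looks like in practice (not code from the course or from OffSec), the script below scans a handful of constructed Apache-style access log lines, URL-decodes each request target, and matches it against a small set of signatures grouped by the database dialect they betray. The log lines, the signature list and the function names are all assumptions made for this illustration; a real deployment would tune the patterns against its own traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines (not real traffic, not from the course).
# Line 1 is a normal request, lines 2-5 carry injection attempts in different
# dialects, and line 6 is benign text that a naive "dual" match would flag.
SAMPLE_LOG = """
203.0.113.5 - - [31/May/2023:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512
203.0.113.5 - - [31/May/2023:10:00:02 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
203.0.113.5 - - [31/May/2023:10:00:03 +0000] "GET /products?id=42%20UNION%20SELECT%20null,version()--%20 HTTP/1.1" 500 233
203.0.113.5 - - [31/May/2023:10:00:04 +0000] "GET /products?id=42;SELECT%20pg_sleep(5)-- HTTP/1.1" 200 512
203.0.113.5 - - [31/May/2023:10:00:05 +0000] "GET /products?id=42;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512
203.0.113.5 - - [31/May/2023:10:00:06 +0000] "GET /search?q=dual%20monitor HTTP/1.1" 200 1024
""".strip().splitlines()

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Signatures grouped by the dialect whose syntax shows up in the request.
# "generic" patterns fire for any backend; the others name the engine.
SIGNATURES = {
    "generic": [
        (re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I), "quoted tautology"),
        (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "UNION-based extraction"),
        (re.compile(r"--(\s|$)"), "SQL line comment terminator"),
    ],
    "mysql": [
        (re.compile(r"\bsleep\s*\(", re.I), "time-based delay"),
        (re.compile(r"\bbenchmark\s*\(", re.I), "CPU-based delay"),
    ],
    "postgresql": [
        (re.compile(r"\bpg_sleep\s*\(", re.I), "time-based delay"),
        (re.compile(r"\bpg_catalog\b", re.I), "system catalog access"),
    ],
    "mssql": [
        (re.compile(r"\bwaitfor\s+delay\b", re.I), "time-based delay"),
        (re.compile(r"@@servername\b", re.I), "server variable probe"),
    ],
    "oracle": [
        (re.compile(r"\bfrom\s+dual\b", re.I), "dual pseudo-table"),
        (re.compile(r"\bdbms_pipe\.receive_message\b", re.I), "time-based delay"),
    ],
}


def decoded_target(line: str):
    """Parses one log line and returns the URL-decoded request target, or None
    if the line does not match the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Attackers encode payloads; decode before matching so %27 becomes a quote.
    return unquote_plus(m.group("target"))


def classify_line(line: str):
    """Returns every (dialect, description) signature that matches the line."""
    target = decoded_target(line)
    if target is None:
        return []
    return [
        (family, desc)
        for family, sigs in SIGNATURES.items()
        for pattern, desc in sigs
        if pattern.search(target)
    ]


def scan_log(lines):
    """Maps 1-based line numbers to their hits, keeping only lines that hit."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = classify_line(line)
        if hits:
            report[n] = hits
    return report


def likely_backends(report):
    """Names the dialects whose engine-specific syntax appeared, which tells
    a defender what the attacker believed (or learned) the backend to be."""
    return sorted({fam for hits in report.values() for fam, _ in hits if fam != "generic"})


if __name__ == "__main__":
    rep = scan_log(SAMPLE_LOG)
    for n, hits in rep.items():
        print(f"line {n}: {hits}")
    print("dialects probed:", likely_backends(rep))
```

The point of grouping signatures by dialect is the one the paragraph makes: a `WAITFOR DELAY` in the logs tells you the attacker assumed Microsoft SQL Server, while `pg_sleep` points at PostgreSQL, so the strings reveal both the attempt and the attacker's working hypothesis about your stack. The benign "dual monitor" search on the last line is there to show why word boundaries and dialect context matter; a bare substring match on `dual` would produce a false positive.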
Defenders will also get a boost to their mental models of the impact and ramifications of different kinds of attacks. WEB-200 focuses on two broad types of attacks: authentication bypasses and remote code execution. Both of these can have a tremendous impact on an organization, but it can be difficult to internalize exactly what that might mean without first-hand experience. The WEB-200 Challenge Labs provide Learners with the opportunity to viscerally experience that impact themselves, over and over again.
Seasoned network penetration testers benefit from our web app security course because HTTP(S) remains one of the most widespread technologies exposed to external networks. While PEN-200 covers Web Application Attacks, it does so with neither the depth nor the breadth of WEB-200.
Penetration testers who are not regularly performing assumed-breach scenarios will inevitably encounter web applications as their primary entry point. It follows that having more varied, rich, and well-explored attack vectors at hand will help tremendously on both internal and external engagements.
One way that WEB-200 allows Learners to fully explore web application attacker methodology is the Assembling the Pieces Module. It covers a custom web application, how OffSec would approach assessing it, and then walks through every step of exploiting both an authentication bypass and remote code execution. The machine is then made available to the Learner to replicate the attacks or try their own. This general formula of auth bypass + elevated attack is repeated in both the Challenge Labs and in the OffSec Web Assessor (OSWA) web application security certification exam itself, providing even more practice opportunities for attackers.
Many Learners looking to get into penetration testing begin with Penetration Testing with Kali Linux (PEN-200). While that is a reasonable path for many Learners, we’d like to argue that Learners would benefit from exploring WEB-200 first. There are a few reasons for this:
Learners who complete the course and pass the exam will earn the OffSec Web Assessor (OSWA) web app security certification, demonstrating their ability to leverage web exploitation techniques on modern applications.
Learners will:
This blog post has covered many of the different ways in which WEB-200: Foundational Web Application Assessments with Kali Linux can help you and your team improve your security skillset and understanding regardless of your current role. See if WEB-200 is right for your technical team by checking out the detailed syllabus here or by contacting our Sales team.