Course Code: advdpentest1
Duration: 35 hours
Overview:

This instructor-led, live training is delivered online or onsite.

Format of the Course

  • Interactive lecture and discussion.
  • Lots of exercises and practice.
  • Hands-on implementation in a live-lab environment.

Course Customization Options

  • To request a customized training for this course, please contact us to arrange.

Course Outline:

Day 1: Advanced Web Application Penetration Testing - Part 1

  • Introduction to Advanced Pentesting
    • Review of penetration testing lifecycle.
    • Differences between traditional and cloud-hosted applications.
  • Reconnaissance and Target Enumeration
    • Passive and active information gathering.
    • Tools: Amass, Sublist3r, Shodan, Censys.
    • Identifying cloud-hosted applications and services.
  • Advanced Vulnerability Discovery
    • Manual vs. automated testing.
    • Identifying logic flaws, IDOR, and other advanced vulnerabilities.
    • Tools: Burp Suite Pro, OWASP ZAP.
  • Lab Exercise
    • Recon and vulnerability discovery on a cloud-hosted web application.

Day 2: Advanced Web Application Penetration Testing - Part 2

  • Exploitation of Web Application Vulnerabilities
    • Exploiting SQL, NoSQL, and command injections.
    • Advanced Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
    • Exploiting Server-Side Request Forgery (SSRF).
  • Introduction to API Pentesting
    • Testing RESTful and GraphQL APIs.
    • Exploiting insecure API endpoints.
  • Post-Exploitation Techniques
    • Gaining access to sensitive data.
    • Privilege escalation in web applications.
  • Lab Exercise
    • Exploiting complex web vulnerabilities, including SSRF and API flaws.

Day 3: Transitioning to Cloud Penetration Testing

  • Cloud Security Fundamentals
    • Shared Responsibility Model.
    • Cloud architecture overview (AWS, Azure, GCP).
    • Cloud-specific attack vectors.
  • Reconnaissance in Cloud Environments
    • Identifying cloud-hosted assets and configurations.
    • Enumerating cloud metadata services.
  • Cloud IAM Misconfigurations
    • Understanding IAM policies, roles, and permissions.
    • Privilege escalation in cloud environments.
  • Lab Exercise
    • Reconnaissance and exploitation of cloud misconfigurations.

Day 4: Advanced Cloud Penetration Testing

  • Cloud-Specific Vulnerabilities
    • Exploiting public storage (S3, Blob, GCS).
    • Abusing cloud APIs and serverless functions.
    • Advanced SSRF in cloud environments.
  • Network Exploitation in the Cloud
    • Testing VPCs, security groups, and firewalls.
    • Pivoting and lateral movement within cloud environments.
  • Post-Exploitation in Cloud Environments
    • Data exfiltration techniques.
    • Establishing persistence in cloud services.
  • Lab Exercise
    • Exploiting vulnerabilities in a simulated multi-cloud environment.

Day 5: Full Pentesting Workflow and Reporting

  • End-to-End Pentest Simulation
    • Full workflow: Reconnaissance, exploitation, post-exploitation, and data exfiltration in a hybrid web and cloud environment.
  • Report Writing
    • Crafting professional penetration testing reports.
    • Risk assessment and prioritization.
    • Recommendations for remediation.
  • Best Practices and Defense Strategies
    • Hardening web applications and cloud environments.
    • Continuous monitoring and threat detection.
  • Capstone Lab
    • Conduct a full pentest and present findings in a simulated hybrid environment.