Burp Suite Practitioner Web App Penetration Testing Course

Master professional of Web Application Penetration Testing and prepare for the Burp Suite Certified Practitioner (BSCP)

What you'll learn

advanced web application vulnerabilities

get to a professional level in web application penetration testing

get to a professional level in web application bug bounty

get prepared for the Burp Suite Certified Practitioner (BSCP) certification

145+ ethical hacking & security videos

Burp practitioner labs solved and explained step by step

SQL injection

Cross-site scripting (XSS)

Cross-site request forgery (CSRF)

Clickjacking

DOM-based vulnerabilities

Cross-origin resource sharing (CORS)

XML external entity (XXE) injection

Server-side request forgery (SSRF)

HTTP request smuggling

OS command injection

Server-side template injection

Directory traversal

Access control vulnerabilities

Authentication

WebSockets

Web cache poisoning

Insecure deserialization

Information disclosure

Business logic vulnerabilities

HTTP Host header attacks

OAuth authentication

File upload vulnerabilities

JWT

Essential skills

Prototype pollution

Requirements

Burp Suite Apprentice Web App Penetration Testing Course

Computer with a minimum of 4GB ram/memory

Operating System: Windows / Apple Mac OS / Linux

Reliable internet connection

Burp Suite Pro

Firefox Web Browser

Description

Burp Suite Professional Labs – Web Application Penetration Testing & Bug Bounty HuntingWelcome to the Burp Suite Professional – Web Application Penetration Testing & Bug Bounty Hunting training course.Your instructor is Martin Voelk. He is a Cyber Security veteran with 25 years of experience. Martin holds some of the highest certification incl. CISSP, OSCP, OSWP, Portswigger BSCP, CCIE, PCI ISA and PCIP. He works as a consultant for a big tech company and engages in Bug Bounty programs where he found thousands of critical and high vulnerabilities.This course features all current 145+ Practitioner labs. Martin is solving them all and giving useful insight on how to find and exploit these vulnerabilities. He is not just inserting the payload but explains each step on finding the vulnerability and why it can be exploited in a certain way. The videos are easy to follow along and replicate. Martin is also dropping a lot of tips and tricks for those who wish to get the Burp Suite Certified Practitioner certification (BSCP). This training is highly recommended for anyone who wants to become a professional in Web Application Penetration Testing, Web Application Bug Bounty Hunting or take the Burp Suite Certified Practitioner certification (BSCP) certification.It will feature all apprentice labs in the following sections:· SQL injection· Cross-site scripting· Cross-site request forgery (CSRF)· Clickjacking· DOM-based vulnerabilities· Cross-origin resource sharing (CORS)· XML external entity (XXE) injection· Server-side request forgery (SSRF)· HTTP request smuggling· OS command injection· Server-side template injection· Directory traversal· Access control vulnerabilities· Authentication· WebSockets· Web cache poisoning· Insecure deserialization· Information disclosure· Business logic vulnerabilities· HTTP Host header attacks· OAuth authentication· File upload vulnerabilities· JWT· Essential skills· Prototype pollutionNotes & DisclaimerPortswigger labs are a public and a free service from Portswigger for anyone to use to sharpen their skills. All you need is to sign up for a free account. I will update this course with new labs as they are published. I will to respond to questions in a reasonable time frame. Learning Web Application Pen Testing / Bug Bounty Hunting is a lengthy process, so please don’t feel frustrated if you don’t find a bug right away. Try to use Google, read Hacker One reports and research each feature in-depth. This course is for educational purposes only. This information is not to be used for malicious exploitation and must only be used on targets you have permission to attack.

Overview

Section 1: Introduction

Lecture 1 Introduction

Section 2: SQL injection

Lecture 2 SQL injection UNION attack, determining the number of columns returned by the qu

Lecture 3 SQL injection UNION attack, finding a column containing text

Lecture 4 SQL injection UNION attack, retrieving data from other tables

Lecture 5 SQL injection UNION attack, retrieving multiple values in a single column

Lecture 6 SQL injection attack, querying the database type and version on Oracle

Lecture 7 SQL injection attack, querying the database type and version on MySQL and MS

Lecture 8 SQL injection attack, listing the database contents on non-Oracle databases

Lecture 9 SQL injection attack, listing the database contents on Oracle

Lecture 10 Blind SQL injection with conditional responses

Lecture 11 Blind SQL injection with conditional errors

Lecture 12 Blind SQL injection with time delays

Lecture 13 Blind SQL injection with time delays and information retrieval

Lecture 14 Blind SQL injection with out-of-band interaction

Lecture 15 Blind SQL injection with out-of-band data exfiltration

Lecture 16 SQL injection with filter bypass via XML encoding

Section 3: Cross-site scripting (XSS)

Lecture 17 DOM XSS in document.write sink using source location.search inside a select elem

Lecture 18 DOM XSS in AngularJS expression with angle brackets and double quotes HTML-enc.

Lecture 19 Reflected DOM XSS

Lecture 20 Stored DOM XSS

Lecture 21 Exploiting cross-site scripting to steal cookies

Lecture 22 Exploiting cross-site scripting to capture passwords

Lecture 23 Exploiting XSS to perform CSRF

Lecture 24 Reflected XSS into HTML context with most tags and attributes blocked

Lecture 25 Reflected XSS into HTML context with all tags blocked except custom ones

Lecture 26 Reflected XSS with some SVG markup allowed

Lecture 27 Reflected XSS in canonical link tag

Lecture 28 Reflected XSS into a JavaScript string with single quote and backslash escaped

Lecture 29 Reflected XSS into a JavaScript string with angle brackets and double quotes esc

Lecture 30 Stored XSS into onclick event with angle brackets and double quotes HTML-encoded

Lecture 31 Reflected XSS into a template literal with angle brackets, single, double quotes

Section 4: Cross-site request forgery (CSRF)

Lecture 32 CSRF where token validation depends on request method

Lecture 33 CSRF where token validation depends on token being present

Lecture 34 CSRF where token is not tied to user session

Lecture 35 CSRF where token is tied to non-session cookie

Lecture 36 CSRF where token is duplicated in cookie

Lecture 37 SameSite Lax bypass via method override

Lecture 38 SameSite Strict bypass via client-side redirect

Lecture 39 SameSite Strict bypass via sibling domain

Lecture 40 SameSite Lax bypass via cookie refresh

Lecture 41 CSRF where Referer validation depends on header being present

Lecture 42 CSRF with broken Referer validation

Section 5: Clickjacking

Lecture 43 Exploiting clickjacking vulnerability to trigger DOM-based XSS

Lecture 44 Multistep clickjacking

Section 6: DOM-based vulnerabilities

Lecture 45 DOM XSS using web messages

Lecture 46 DOM XSS using web messages and a JavaScript URL

Lecture 47 DOM XSS using web messages and JSON.parse

Lecture 48 DOM-based open redirection

Lecture 49 DOM-based cookie manipulation

Section 7: Cross-origin resource sharing (CORS)

Lecture 50 CORS vulnerability with trusted insecure protocols

Section 8: XML external entity (XXE) injection

Lecture 51 Blind XXE with out-of-band interaction

Lecture 52 Blind XXE with out-of-band interaction via XML parameter entities

Lecture 53 Exploiting blind XXE to exfiltrate data using a malicious external DTD

Lecture 54 Exploiting blind XXE to retrieve data via error messages

Lecture 55 Exploiting XInclude to retrieve files

Lecture 56 Exploiting XXE via image file upload

Section 9: Server-side request forgery (SSRF)

Lecture 57 SSRF with blacklist-based input filter

Lecture 58 SSRF with filter bypass via open redirection vulnerability

Lecture 59 Blind SSRF with out-of-band detection

Section 10: HTTP request smuggling

Lecture 60 HTTP request smuggling, basic CL.TE vulnerability

Lecture 61 HTTP request smuggling, basic TE.CL vulnerability

Lecture 62 HTTP request smuggling, obfuscating the TE header

Lecture 63 HTTP request smuggling, confirming a CL.TE vulnerability via differential resp.

Lecture 64 HTTP request smuggling, confirming a TE.CL vulnerability via differential respon

Lecture 65 Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE

Lecture 66 Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL

Lecture 67 Exploiting HTTP request smuggling to reveal front-end request rewriting

Lecture 68 Exploiting HTTP request smuggling to capture other users' requests

Lecture 69 Exploiting HTTP request smuggling to deliver reflected XSS

Lecture 70 Response queue poisoning via H2.TE request smuggling

Section 11: OS command injection

Lecture 71 Blind OS command injection with time delays

Lecture 72 Blind OS command injection with output redirection

Lecture 73 Blind OS command injection with out-of-band interaction

Lecture 74 Blind OS command injection with out-of-band data exfiltration

Section 12: Server-side template injection

Lecture 75 Basic server-side template injection

Lecture 76 Basic server-side template injection (code context)

Lecture 77 Server-side template injection using documentation

Lecture 78 Server-side template injection in an unknown language with a documented exploit

Lecture 79 Server-side template injection with information disclosure via user-supplied obj

Section 13: Directory traversal

Lecture 80 File path traversal, traversal sequences blocked with absolute path bypass

Lecture 81 File path traversal, traversal sequences stripped non-recursively

Lecture 82 File path traversal, traversal sequences stripped with superfluous URL-decode

Lecture 83 File path traversal, validation of start of path

Lecture 84 File path traversal, validation of file extension with null byte bypass

Section 14: Access control vulnerabilities

Lecture 85 URL-based access control can be circumvented

Lecture 86 Method-based access control can be circumvented

Lecture 87 Multi-step process with no access control on one step

Lecture 88 Referer-based access control

Section 15: Authentication

Lecture 89 Username enumeration via subtly different responses

Lecture 90 Username enumeration via response timing

Lecture 91 Broken brute-force protection, IP block

Lecture 92 Username enumeration via account lock

Lecture 93 2FA broken logic

Lecture 94 Brute-forcing a stay-logged-in cookie

Lecture 95 Offline password cracking

Lecture 96 Password reset poisoning via middleware

Lecture 97 Password brute-force via password change

Section 16: WebSockets

Lecture 98 Manipulating the WebSocket handshake to exploit vulnerabilities

Lecture 99 Cross-site WebSocket hijacking

Section 17: Web cache poisoning

Lecture 100 Web cache poisoning with an unkeyed header

Lecture 101 Web cache poisoning with an unkeyed cookie

Lecture 102 Web cache poisoning with multiple headers

Lecture 103 Targeted web cache poisoning using an unknown header

Lecture 104 Web cache poisoning via an unkeyed query string

Lecture 105 Web cache poisoning via an unkeyed query parameter

Lecture 106 Parameter cloaking

Lecture 107 Web cache poisoning via a fat GET request

Lecture 108 URL normalization

Section 18: Insecure deserialization

Lecture 109 Modifying serialized data types

Lecture 110 Using application functionality to exploit insecure deserialization

Lecture 111 Arbitrary object injection in PHP

Lecture 112 Exploiting Java deserialization with Apache Commons

Lecture 113 Exploiting PHP deserialization with a pre-built gadget chain

Lecture 114 Exploiting Ruby deserialization using a documented gadget chain

Section 19: Information disclosure

Lecture 115 Information disclosure in version control history

Section 20: Business logic vulnerabilities

Lecture 116 Low-level logic flaw

Lecture 117 Inconsistent handling of exceptional input

Lecture 118 Weak isolation on dual-use endpoint

Lecture 119 Insufficient workflow validation

Lecture 120 Authentication bypass via flawed state machine

Lecture 121 Infinite money logic flaw

Lecture 122 Authentication bypass via encryption oracle

Section 21: HTTP Host header attacks

Lecture 123 Web cache poisoning via ambiguous requests

Lecture 124 Routing-based SSRF

Lecture 125 SSRF via flawed request parsing

Lecture 126 Host validation bypass via connection state attack

Section 22: OAuth authentication

Lecture 127 Forced OAuth profile linking

Lecture 128 OAuth account hijacking via redirect_uri

Lecture 129 Stealing OAuth access tokens via an open redirect

Lecture 130 SSRF via OpenID dynamic client registration

Section 23: File upload vulnerabilities

Lecture 131 Web shell upload via path traversal

Lecture 132 Web shell upload via extension blacklist bypass

Lecture 133 Web shell upload via obfuscated file extension

Lecture 134 Remote code execution via polyglot web shell upload

Section 24: JWT

Lecture 135 JWT authentication bypass via weak signing key

Lecture 136 JWT authentication bypass via jwk header injection

Lecture 137 JWT authentication bypass via jku header injection

Lecture 138 JWT authentication bypass via kid header path traversal

Section 25: Essential skills

Lecture 139 Discovering vulnerabilities quickly with targeted scanning

Section 26: Prototype pollution

Lecture 140 DOM XSS via client-side prototype pollution

Lecture 141 DOM XSS via an alternative prototype pollution vector

Lecture 142 Client-side prototype pollution via flawed sanitization

Lecture 143 Client-side prototype pollution in third-party libraries

Lecture 144 Client-side prototype pollution via browser APIs

Lecture 145 Privilege escalation via server-side prototype pollution

Lecture 146 Detecting server-side prototype pollution without polluted property reflection

Lecture 147 Bypassing flawed input filters for server-side prototype pollution

Lecture 148 Remote code execution via server-side prototype pollution

Anybody preparing for the Burp Suite Certified Practitioner (BSCP),Anybody interested in becoming professional in ethical web application hacking / penetration testing,Anybody interested in becoming professional in ethical web application bug bounty hunting,Anybody interested in learning how hackers hack web applications,Developers looking to expand on their knowledge of vulnerabilities that may impact them,Anyone interested in application security,Anyone interested in Red teaming,Anyone interested in offensive security