Program Structure

Course Overview:

This course introduces the discipline of web application penetration testing and gives a hands-on view of how a penetration tester combines methodology with practice to test web applications for security flaws. It quickly introduces the most common security vulnerabilities faced by web applications today. Each vulnerability is examined by describing the threat and attack mechanisms, the associated weaknesses, and finally designing, implementing and testing effective defenses. In many cases, demonstrations reinforce these concepts with real vulnerabilities, attacks and defenses.

Intended Audience:

  • All web app developers, testers and designers who wish to improve their security skills.
  • Developers and system architects wishing to improve their security skills and awareness.
  • Team leaders and project managers.
  • Security practitioners and managers.
  • Auditors.
  • Anyone interested in techniques for securing web applications.
  • QA analysts who want to learn the mechanics of web applications for better testing.


This course is intended for developers interested in learning secure web application development practices and techniques, and assumes attendees have a good understanding of programming. It is language-agnostic and suited to any web application developer regardless of their language of choice.

Course Content:

  • Introduction & Case Studies

    • Introduction to Web Applications.
    • Understanding Web Application Architecture.
    • HTTP Protocol Basics.
    • HTTP Attack Vectors
    • HTTPS vs HTTP.
    • Introduction to VAPT (Vulnerability Assessment and Penetration Testing).
    • Introduction to Application Security.
    • Application Security Risks.
    • Case Studies.

  • OWASP Top 10 2017 RC2

    • Global Standards/Frameworks
      • SANS Top 25 Software Errors
      • WASC
      • NIST
      • OWASP
    • What is OWASP
    • Significant OWASP Projects
    • OWASP Top 10
    • The ‘OWASP Top 10’ for WebAppSec
      • A1-Injection
      • A2-Broken Authentication
      • A3-Sensitive Data Exposure
      • A4-XML External Entities (XXE)
      • A5-Broken Access Control
      • A6-Security Misconfiguration
      • A7-Cross-Site Scripting (XSS)
      • A8-Insecure Deserialization
      • A9-Using Components with Known Vulnerabilities
      • A10-Insufficient Logging & Monitoring
    • Countermeasures for the OWASP Top 10 2017 RC2


  • Beyond OWASP

    • CSRF
      • Understanding the vulnerability
      • Discovering the vulnerability
      • Attacking the Issue
      • Impact & Countermeasure
    • SSRF
      • Understanding the vulnerability
      • Discovering the vulnerability
      • Attacking the Issue
      • Impact & Countermeasure
    • Clickjacking
      • Understanding the vulnerability
      • Discovering the vulnerability
      • Attacking the Issue
      • Impact & Countermeasure


  • Scanners & Interpreting Scan Reports

    • Web Application Scanners
      • Netsparker
      • Nessus (primarily an infrastructure vulnerability scanner; its web application checks are a subset of its plugins)
      • Acunetix
      • AppScan
      • WebInspect
      • Nexpose (primarily an infrastructure vulnerability scanner with web spidering and checks)
    • Profiling the Scans
    • Interpreting Scanner Reports
    • Open-source Tools and Testing Methodologies
      • Vega
      • OWASP OWTF


  • API Insecurity

    • Introduction to API & API Security
    • SOAP vs REST
    • Case Studies
    • Common API Vulnerabilities
    • Core Toolset for API Testing
    • Attacks on APIs
    • API Assessment Approach
    • Bot Defense for APIs
    • How to Stop API Attacks


  • Practical Tips for Defending Web Applications & APIs

    • Common Mistakes in Development
    • Security Best Practices for Web Applications & APIs
    • Secure SDLC
      • Threat Modelling
      • Source Code Review
      • VAPT
    • DevSecOps
      • What is DevSecOps
      • DevSecOps vs Secure SDLC
      • DevSecOps for API Security

Q: When are the courses held?
A: The courses are scheduled monthly throughout the year.

Q: What do I take away from the course?
A: As well as the skills covered in the course, you also receive a comprehensive workbook and a certificate of attendance.

Q: Do I get a course manual to keep?
A: Yes, you receive a comprehensive workbook.

Q: Where are the classroom training courses held?
A: The courses are all held in Parramatta, Sydney.

Q: Is the training practical or theory based?
A: Both. All of our courses combine practical demonstrations and theory. You will have sole use of a laptop throughout the course and can practise what you have learnt at the end of each chapter.

Q: Do I need to bring a laptop?
A: Yes. It is required so that you can start from scratch on your own machine.

Q: Is there an exam?
A: You do not sit an exam at the end of the course.

Q: What qualification will I get?
A: You will receive a certificate of attendance.

Q: Do I need any previous practical experience?
A: This depends on the course you choose. All of our Introductory and Complete courses require no prior knowledge. If you are considering an Advanced course but have not sat the basic course, you will be expected to have relevant practical experience with the tools.

Q: Do you offer on-site training?
A: Yes, all of our courses can be delivered on-site. We provide laptops, a projector, workbooks and certificates. We can also deliver online training just for your company, with a schedule to suit you.

Q: Do you offer post course support?
A: Yes, in two ways. Firstly, all of our trainers can help by email with initial queries you may have when using the tools after the course. Secondly, we also provide a short-term on-site internship.