Material for After the Scan: Manual Security Assessment and Pen Testing of Your Web Application
Presented by Mike Landeck & Hanson Nottingham
Thank you all for attending!
Please download the Kali VM and the OWASP practice VM, and then walk through the test plan. Feel free to contact me with any questions. If you’re not ready for Kali yet, you can download the Windows version of OWASP ZAP here.
Handouts:
- Fiddler Sample File (Required)
- Sample Test Plan (Required)
- Sample Notification Email
- CyberSecology Reporting Template
- Test Site Credentials and Coupons
- CWE Cheat Sheet
Local Test Site
URL: <IP>/WackoPicko/
Test Credentials:
| Priv | Username | Password |
| --- | --- | --- |
| Standard | scanner1 | scanner1 |
| Standard | scanner2 | scanner2 |
| Standard | bryce | bryce |
| Admin | ******** | ******** |
| Admin | adamd | adamd |
Coupon: SUPERYOU21
Practice Pages:
The primary test sites will be your local VMs. However, there are a few CyberSecOlogy pages that will be used for demonstration and testing.
- Cross-site Request Forgery Test Site (CSRF)
- Cross-site Scripting Test Site (XSS)
- SQL Injection Test Site (SQLi)
- Backup File Example (.bak, .tmp, .old, etc.)
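The backup-file practice page exercises a manual check that scanners often miss or mis-report. The script below is an added example written for this page; it is not part of the workshop handouts or of the WackoPicko application. Given a page URL on the local test site, it generates the usual leftover-copy names (the suffix list and the editor swap/autosave patterns are assumptions drawn from common habits, not a list the handout provides), fetches a baseline response for a name that cannot exist so that a site answering 200 for everything does not produce false positives, and reports only candidates whose response differs from that baseline.

```python
#!/usr/bin/env python3
"""Probe a web page for leftover backup/temporary copies (login.php.bak, login.php~, ...).

Added example for this page; not part of the workshop handouts or of WackoPicko.
The suffix list and swap-file patterns are assumptions, not taken from the handout.
Usage: python3 backup_probe.py http://<IP>/WackoPicko/users/login.php
"""
import posixpath
import secrets
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Assumed: suffixes commonly appended by editors, deploy scripts and manual copies.
SUFFIXES = [".bak", ".tmp", ".old", ".orig", ".save", ".swp", ".txt", ".zip", ".tar.gz"]
TIMEOUT = 5


def backup_candidates(path):
    """Return candidate backup paths for a URL path such as /WackoPicko/users/login.php.

    Produces name+suffix (login.php.bak), stem+suffix (login.bak) and the editor
    patterns login.php~, .login.php.swp and #login.php#. A directory path with no
    file name yields nothing.
    """
    directory, name = posixpath.split(path)
    if not name:
        return []
    stem, ext = posixpath.splitext(name)
    names = []
    for suffix in SUFFIXES:
        names.append(name + suffix)
        if ext:
            names.append(stem + suffix)
    names += [name + "~", "." + name + ".swp", "#" + name + "#"]
    return [posixpath.join(directory, n) for n in dict.fromkeys(names)]


def fetch(url):
    """GET url and return (status, body); 4xx/5xx responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "backup-probe"})
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def is_hit(status, body_len, baseline):
    """Decide whether a candidate response is a real file rather than the not-found page.

    baseline is (status, body length) of the response for a name that cannot exist.
    """
    base_status, base_len = baseline
    if status != 200:
        return False
    # Catch-all sites answer 200 for everything; then only a body that clearly
    # differs in size from the not-found page counts as a finding.
    if base_status == 200 and abs(body_len - base_len) < 64:
        return False
    return True


def probe(page_url):
    """Probe every backup candidate of page_url; return a list of (url, status, length) hits."""
    parts = urlsplit(page_url)
    directory = posixpath.dirname(parts.path)
    # A random name in the same directory gives the site's genuine not-found response.
    bogus = posixpath.join(directory, secrets.token_hex(8) + ".bak")
    base_status, base_body = fetch(urlunsplit(parts._replace(path=bogus, query="", fragment="")))
    baseline = (base_status, len(base_body))
    hits = []
    for cand in backup_candidates(parts.path):
        url = urlunsplit(parts._replace(path=cand, query="", fragment=""))
        status, body = fetch(url)
        if is_hit(status, len(body), baseline):
            hits.append((url, status, len(body)))
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: backup_probe.py http://<IP>/WackoPicko/users/login.php")
    for url, status, length in probe(sys.argv[1]):
        print(f"{status} {length:>7}  {url}")
```

Run it against a page on your local VM (replace `<IP>`), then confirm each hit by hand: a backup copy of a PHP file is normally served as plain text, so its source, including any database credentials, is what you are looking for. The baseline comparison is what keeps this from being another false positive of the kind the scan report audit challenge is about.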
Dynamic Application Security Testing (DAST) Scans of Test Sites:
Scan Report Audit Challenge: Scan reports seeded with known, intentional false-positive findings: