UC Information Security Symposium 2015

Material from the University of California Information Security Symposium class

Material for After the Scan: Manual Security Assessment and Pen Testing of Your Web Application



Presented by Mike Landeck & Hanson Nottingham

Thank you all for attending!

Please download the Kali VM and the OWASP practice VM and then walk through the test plan. Feel free to contact me with any questions. If you’re not ready for Kali yet you can download the Windows version of OWASP ZAP here.



Local Test Site

URL: <IP>/WackoPicko/


Test Credentials:

Priv Username Password
Standard scanner1 scanner1
Standard scanner2 scanner2
Standard bryce bryce
Admin ******** ********
Admin adamd adamd


Coupon: SUPERYOU21


Practice Pages:

The primary test sites will be your local VM’s. However, there are a few CyberSecOlogy pages that will be used for demonstration and testing.


Dynamic Application Security Testing (DAST) Scans of Test Sites:


Scan Report Audit Challenge: Scan reports with known and intentional false positive findings: