Check Point HackingPoint™ Advanced Web Hacking PenTesting Expert (CCPM)

Vendor: Check Point
Course Code: WGAC-CKP-HP-AWH
Course Outline

This fastpaced class gives attendees an insight into advanced AppSec topics. The class curriculum is split into two: 3 days of Server Side Flaws. 2 days of Client Side Flaws

Prerequisites & Audience

Check Point HackingPoint™ Web Hacking

Some knowledge of HTML and JavaScript is required, but rookies and experts will be equally satisfied with the class. HTML is a living standard, and so is this class.

Course Objectives

HackingPoint is a new Global Education program for security experts (customers, partners, or network admins) to help master all types of Pen Testing techniques and Cyber Security practices

The goal of this program is to give security experts in-depth understanding of how to better protect the corporate network and resources
World-class trainers and Pen-testing experts in the field (BlackHat & Check Point RnD trainers) provide students deep knowledge in cutting-edge Cyber Security threats
Course Topics

Server Side Flaws (3 days)

These vulnerabilities affect well-known software/websites and span across multiple
technologies, such as .NET framework to Node.js applications. We selected vulnerabilities that
typically go undetected by modern scanners, or have less-known exploitation techniques

SQL Injection

  • 2nd order injection
  • NoSQL injection
  • Out-of-Band exploitation
  • WAF bypass techniques

XXE Injection

  • Blind XXE injection
  • Case Study of recent XXE bugs
  • XXE to Code Execution

Serialization Flaws

  • PHP object injection
  • Java serialization flaws
  • Case study of recent serialization flaws

HTTP Parameter Pollution (HPP)

  • Detecting HPP in application
  • Case study of recent HPP bugs

Business Logic Flaws

  • WAF bypass techniques
  • Mass assignment bugs
  • OS code injection
  • Crypto attacks

Client Side Flaws (2 days)

These classes focus on offensive attacks and dangerous parts of HTML, JavaScript, and related technologies, the nasty and
undocumented stuff. There are dozens of new attack techniques straight from the laboratory of horrors of those
maintaining the HTML5 Security Cheat Sheet. We will learn how to attack any Web application— either with unknown
legacy features or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES6 mailing lists.
Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps, we have
that covered.

  • Client Side flaws (basics)
  • HTTP / Encoding
  • Character sets
  • CSRF and detail
  • Cross Site-Scripting
  • DOM clobbering SOP Bypasses
  • Drag&Drop / Copy&Paste
  • DOMXSS
  • HTML5 Attacks & Vectors
  • SVG
  • XML
  • Mutation XSS / mXSS
  • Scriptless Attacks
  • Filter Bypasses
  • Optimizing your payload
  • Legacy Features
Top of page

On Demand Training

This course is available as an onsite, closed course and can be delivered at your premises. This may be a cost effective option where you have a group of delegates who require the same training. Additionally, it has the benefit that course content can be tailored to the needs of your organisation.

Register or Log in to submit your enquiry.