Course package
Certified Web Application Security Professional («CWASP»)
Course facts
- Understanding that you are bound to secrecy, confidentiality, and non-disclosure to your employer and customers
- Analyzing and developing new attack methods and attack simulations
- Considering the needs of the customer (internal and external)
- Ensuring the client's cyber resilience
- Explaining complex web application attacks and performing proof-of-concept attacks to actively exploit vulnerabilities and security gaps
- Understanding how offensive techniques are used to find complex vulnerabilities and security gaps in the systems, applications, or infrastructure of organizations in various industries
- Creating and reviewing specific policies, standards, baselines, guidelines, and operational documentation derived from industry and market standards (BSI, NIST, ISO, others)
- Performing complex security analyses (web application penetration tests) and documenting the results in the form of a report with findings and recommendations for action, as well as integrating the findings from the analyses into practice
- Using your knowledge to support internal and external auditors in conducting security audits, and independently performing subtasks as part of audits
- Knowledge of the content of the «Burp Suite Certified Practitioner (BSCP)» exam and how to prepare for it
- Expanding the required knowledge independently and self-motivated
- Preparing independently for the «Burp Suite Certified Practitioner» exam
1 Onboarding (2 hours)
- Getting to know each other
- Expectations
- Impulse lecture
- Exam preparation process
2 Web Application Security - Foundation (2 days)
- Based on the OWASP Top 10, you will get to know the current attack methods on (web) applications and learn how to take effective protective measures:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery
3 Coaching (2 hours)
- Exchange of experiences
- Supporting impulses
- Next steps
4 Web Application Security - Advanced (1 day)
- Summary of OWASP Top 10
- Advanced web application attacks
- Bypassing 2FA using a practical example
- XSS and clickjacking
- Attacks on OAuth 2.0
- Parameter Pollution
- Web cache poisoning
- Template injection
- Attacks on JWT
- Request smuggling
- Server Side Prototype Pollution
- DOM-based vulnerabilities
- Secure APIs
- Introduction to OWASP API Top 10:2019
- Guideline for targeted preparation for the BSCP exam
5 Coaching (1 hour)
- Q&A
- Certification Tips
The goal is to achieve the «Burp Suite Certified Practitioner (BSCP)» certification. In class, you will have the opportunity to complete approx. 20-25% of the exercises from the extensive PortSwigger Academy lab. The classes are delivered in a blended learning format. During the training sessions, the learning content is delivered in a mix of impulse lectures and exercises. The time between training sessions is used to work on labs or exercises.
During the coaching sessions there is an exchange between the participants. There will be questions asked and problems solved. The trainer gives specific impulses.
Exam preparation and exam
You prepare for the BSCP exam independently. Once you have completed the mock exam and feel ready to take the exam, you may take the exam. For further information, please see «Certification».
This course package is aimed at IT security officers, software developers and testers, webmasters and developers as well as system engineers/administrators and prospective penetration testers.
Basic knowledge of web application development, knowledge of web servers, knowledge of basic web technologies such as HTML and Javascript are required.
After attending this training and coaching course, you will have an in-depth understanding of web application security. With some additional self-study, you will be ready to tackle the «Burp Suite Certified Practitioner» certification.
The 4-hour exam costs USD 99 and can be taken online at any time. The exam is in English and has several levels:
- Level 1: Gain access to any user account
- Level 2: Gain access to administrative users (privilege escalation)
- Level 3: Exploit the administrative interface to read a local file
More information can be found here.