Company: Pluralsight
Author: Clark Voss
Full Title: Web Application Penetration Testing: Session Management Testing
Year: 2018
Language: English
Genre: Educational: Web Development
Skill Level: Intermediate
Price: -
Files: MP4
Time: 02:00:45
Video: AVC, 1280 x 720 (1.778) at 30.000 fps, 450 kbps
Audio: AAC at 63 Kbps, 2 channels, 44.1 KHz

Learn what to look for while penetration testing session management using OWASP principles, including brute-forcing, taking advantage of poorly implemented session fixation, and incorrectly implemented POST and GET requests, to find weak spots. Poorly implemented session management can allow an attacker to exploit weak controls and gain access to sensitive information. In Web Application Penetration Testing: Session Management Testing, you'll learn how to find those vulnerabilities before the bad guys do. First, you'll explore cookies, what to look for during a pen-test, and how you can brute force your way past the login prompt. Next, you'll learn how easy it can be to hijack someone else's session with session fixation. Finally, you'll discover what session puzzling is and how to leverage it as an attacker. When you're finished with this course, you'll have a solid understanding of what to look for while penetration testing session management.

Lessons:

1. Course Overview
   01. Course Overview

2. Course Introduction
   02. About This Course
   03. Course Introduction

3. Testing for Bypassing Session Management Schema
   04. Introduction
   05. Cookie Collection
   06. Cookie Reverse Engineering
   07. Session ID Predictability
   08. Session Analysis
   09. Brute-force Attacks

4. Testing for Cookie Attributes
   10. Introduction
   11. Secure Attribute
   12. HttpOnly Attribute
   13. Domain Attribute
   14. Path Attribute
   15. Expires Attribute

5. Testing for Session Fixation
   16. Introduction
   17. Session Fixation

6. Testing for Exposed Session Variables
   18. Introduction
   19. HTTP to HTTPS
   20. Session and Local Storage
   21. Different Tokens
   22. Hidden Fields
   23. POST to GET

7. Testing for Cross-site Request Forgery
   24. Introduction
   25. Cross-site Request Forgery

8. Testing for Logout Functionality
   26. Introduction
   27. Logout User Interface
   28. Server-side Session Termination
   29. Session Timeout

9. Testing Session Timeout
   30. Introduction
   31. Destroying Session Tokens
   32. Proper Session Checks
   33. Timeout

10. Testing Session Puzzling
   34. Introduction
   35. Authentication Bypass
   36. Impersonation
   37. Redirection Prevention Bypass
   38. Bypassing Restrictions in Multiphase Processes

11. Course Wrap-up
   39. Summary
   40. Materials and References