Red Teaming Bundle (All-in-One)
About Course
We provide all our cybersecurity courses in the Red Teaming Bundle. Here’s what you’ll get:
Web Application Penetration Testing
Description
This course introduces students to the WAPT concepts associated with Web application pentesting. We encourage you to take this course if you are a complete beginner in API bug bounty world. This course uses a custom-developed vulnerable web application pentesting to demonstrate how, web vulnerabilities can be identified and exploited. This course teaches you how to identify a variety of web vulnerabilities lies in the Server-side, Client-side.
Course Content
- Roadmap & Report Writing
- Burp suit Advance Techniques
- Practical Recon Techniques
- Practical Recon techniques (Manual + Automation)
- Subdomain Finding.
- Rate Limit Bypass.
- Authentication bypass
- CSRF
- Third party password token Leakage
- File Upload Bugs
- Parameter Tampering
- Sensitive Token in URL
- OS (Command) Injection
- DMARC and SPF
- Clickjacking
- Broken Authentication
- CORS
- WordPress pentesting
- Key Exploits
- Jira Misconfiguration
- Email, Password or delete Account Validation
- Information Disclosure
- Long password Dos attack
- Web Cache Deception Attack
- URL Redirection
- Host header Attacks
- LFI & RFI
- IDOR
- SSRF
- XSS (Blind, Stored, Reflected)
- HTML Injection
- Subdomain Takeover
- CVES +Types of exploits
- 2Fa Bypass
- Exif Metadata
- Business Logic Errors
- Google Dorks
API Penetration Testing
Requirements
Description
This course introduces students to the security concepts associated with APIs pentesting. In this courses we encourage you to take this course if you are a beginner in API pentesting security world. This course uses a custom developed vulnerable APIs pentesting to demonstrate how , API vulnerabilities can be identified and exploited. This course teaches you how to identify a variety of API vulnerabilities such as SQL Injection, XXE, Sensitive data in GET, Leaky APIs etc.
OWASP API PENTESTING
- Bola (broken object level authentication)
- Injection attack
- Improper assets management
- Security misconfiguration
- Mass assignment
- Broken function level authorization
- Excessive data exposure
- Broken user authentication
- API rate limiting
API-PENTESTING using postman tool
- Introduction $ installation
- Postman authentication
- Postman navigation
- OAUTH 2.0 authentication in postman
API PROJECT TESTING
- Access admin api/ access admin panel
- Brute-force apis to find new endpoints
- Make an account / loging to account
- Restore / delete everything
- Edit someone’s grade
- Transport layer security
- Blind xss in the admin control panel
- User enumeration
- Information exposure via server headers
- Authentication bypass
- Input validation attacks
- Sql injection
- Error handling
- Encryption
- Ssrf
- Bola
- Command injection
Android Pentesting TRAINING
Requirements:
-
The course starts from basics, however, it is good to have basic knowledge of web applications & API pen-testing.
Topics:
- Introduction to Android Architecture
- Concept of Android Terminologies
- Android Signing Process
- Android Pentesting Setup
- Static Analysis
- Dynamic Analysis
- SSL Pinning Bypass
- OWASP Mobile TOP 10
Android Pentesting Setup
Introduction to Android Pentesting:
- Pentesting Process / Stages
- How android Pentesting works
Introduction to Android Architecture
- Android Security Architecture
- Role of Services, Activities, Permissions, etc…
- Application Security and Signing Process
Android Pentesting Setup
We will see How you can set up an Android Pentesting Lab with so many tools and their alternatives
Android Static Analysis
- Pull APK From Play Store
- How to find Hardcoded Strings
- How to find sensitive information (API-Keys, Credentials etc..)
- How to enumerate Firebase Databases
- Android Backup Exploit
- Task Hijacking
- How to Exploit Activities, Services, Providers & Broadcast Receivers.
- Insecure Platform Usage
- Insecure Data Storage
- Improper Transport Usage (Logcat)
- Automated Static Analysis MobSF
Android Dynamic Analysis
- What is SSL Pinning
- How to Bypass SSL Pinning Through various ways
- Dynamic Analysis using MobSF
- Introduction to Burp Suite / Installation
- Introduction about Frida / Objection
- Vulnerability Testing
Android Bug Bounty Hunting
- Live Android App Hunting
ADVANCED BUG BOUNTY HUNTING V1.0
Description
This course introduces students to the Advance Bug bounty concepts associated with Web application pentesting. We encourage you to take this course if you are a complete beginner in Advance Web bug bounty world. This course uses a custom-developed vulnerable web application pentesting to demonstrate how, web vulnerabilities can be identified and exploited. This course teaches you how to identify a variety of Advance web vulnerabilities lies in the Server-side, Client-side.
Course Content
- Testing Chrome extensions (Manual and automatic approach)
Static Testing
Dynamic Testing - Deep Down with JWT(Json Web Tokens)
- Testing Oauth Misconfigurations (Account Takeovers and more…)
- CORS bypasses
- CSRF bypasses
- Stored/Reflected Cross Site Scripting (Account Takeovers and other impacts)
Generic
Bypasses
Sandbox
Link Embed - Indirect Object References (Generic approach)
- Sensitive Data exposure
- Source code (Js analysis)
Shodan
GitHub
Other third parties resources - Webhooks/apis
- LocalStorage
- Enhancing Power of recon
- Some Client Side bypasses
- Advanced Business logic
- Different type of Race Conditions
- File uploads
- Some high CVEs vulnerability(Grafana(LFI),WordPress(XSS))
- Chaining vulnerabilities
- IDOR and cross site scripting
- Cross site scripting (with very low impact ) and oauth misconfiguration to account takeover
- Low Impact HTML injection to increasing more impact
- Cross Site Scripting with HTTP only cookie set to true(Methods to find bypasses)
- Cross Site Scripting in sandbox environment
- Link embed to Stored Cross Site Scripting stealing user user sessions
- Cross Site Scripting to Account Takeover with LocalStorage
- Shodan backup found api key and then full org takeover
- Some interesting findings with wayback URLs (CVE bases cross site scripting, IDOR chaining to massive user enumeration, support/client/third parties leaks)
- Master OTP to Massive Account Takeovers
Note: Mostly all the mentioned content will be taught live and with poc findings recording.
Course Content
WAPT (Web Application Penetration Testing)
-
Access Resources
00:00 -
Join WAPT Community
00:00