Web Application Pentesting

beginner
hands-on

Assistant Trainers

  • Aarti Bala
  • Ashwini Varadkar
  • Rupika Luhanch

The Application Security Training is a “1 Day Hands-On Training”. This training is intended for students and professionals interested in making a career in the Information Security domain. It involves real-world scenarios that every security professional must be well versed with: decompiling, real-time analysis and testing of applications from a security standpoint.

This training covers understanding the internals of web and mobile applications, real-time testing of web applications and Android applications, and a strategic approach to analyzing applications for OWASP Top 10 (Web) security issues such as injection, Cross Site Scripting (XSS), CSRF attacks, insecure APIs, insecure logging, insecure communication, insufficient cryptography, insecure authentication, poor code quality and many more.

TARGET AUDIENCE

  • Students interested in Application Security
  • Security Analysts/Researchers
  • IT Professionals working in Web Application Development domain
  • IT professionals working in Information Technology-Security domain

DELIVERABLES

  • Training Slides
  • Custom Docker images

REQUIREMENTS

  • Laptop/System with a minimum of 10 GB hard disk space & 4 GB RAM, with administrative privileges
  • Prior experience running a virtual machine image
  • 2 functional USB ports

Topics to be covered

  • Opening
    1. about the class
    2. about OWASP
  • Introduction
    1. Security Awareness/hacker mindset
    2. Introduction to the training environment and tools
  • Reconnaissance
    1. Web application Reconnaissance
    2. HTTP / HTTPS basics
    3. Web application and Web server fingerprinting
  • Most common vulnerabilities, detection, and exploitation (3 hours)
    1. XSS (HTML, Attribute, DOM)
    2. SQLi (SQL Injection)
    3. Command Injection
    4. SSRF (Server Side Request Forgery)
    5. File Upload Vulnerabilities
    6. Insecure Deserialization
    7. IDOR Vulnerabilities
    8. XXE (XML External Entity Attack)
    9. Insecure API
  • Where to go from here
    1. Introduction to cloud security (AWS, Azure, GCP and others)
    2. SCADA
    3. Embedded
  • Recap

What you will get from this session:

  • Understanding of manual & automated tools and techniques, and when to apply each
  • Clear understanding of Web Application Penetration Testing
  • Ability to analyze a web application from a security standpoint
  • Confidence in customizing your application security testing approach to suit an application's specific pentesting needs, by gaining clarity on the powerful features of Burp Suite
  • A clear scope for prioritizing your security testing

About the Trainer:

Vandana is a seasoned security professional with over a decade of experience ranging from application security to infrastructure security, and now DevSecOps. She is currently working as a Security Architect with IBM India Software Labs.

Vandana is a global speaker and Women in Cyber Security advocate. She was named a global cybersecurity influencer in IFSEC Global’s “Top Influencers in Security and Fire” category for 2019. She recently received the Cybersecurity Women of the Year award from the Women Cyberjutsu Society in the category “Secure Coder”. She has also been listed by Instasafe as one of the top women leaders in technology and cybersecurity in India.