• Online, Self-Paced
Course Description

Sensitive data exposure can lead to very severe consequences (user impersonation, account takeover, disclosure of credentials _ to name a few). In this course, Web App Hacking: Sensitive Data Exposure, you'll learn about various types of sensitive data exposure in modern web applications. First, you'll see how the attacker can learn the credentials to the database as a result of insecure error handling. Next, you'll learn how the attacker can read the content of sensitive files, when the files are insecurely processed. You'll also learn how to extract the metadata from publicly available files and how sensitive information can be found in metadata. After that, you'll see how easily the attacker can go from the disclosure of software version to remote code execution on the production server. Then, you'll learn about insecure communication channel between the browser and the web application. Finally, you'll learn about the disclosure of cookie with sensitive data and you'll see how the URL with sensitive information can leak to external domain via Referrer header. By the end of the course, you'll know how to test web applications for different types of sensitive data exposure and how to provide countermeasures for these problems.

Learning Objectives

 

  • Insecure Error Handling
  • Disclosure of Sensitive Files
  • Information Disclosure via Metadata
  • Underestimated Risk: Disclosure of Software Version
  • Insecure Communication Channel
  • Leakage of Cookie with Sensitive Data
  • Leakage of Sensitive Data via Referrer Header

     

    Framework Connections

    The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

    Specialty Areas

    • Exploitation Analysis
    • Vulnerability Assessment and Management

    Specialty Areas have been removed from the NICE Framework. With the recent release of the new NICE Framework data, updates to courses are underway. Until this course can be updated, this historical information is provided to give better context as to how it can help you with your cybersecurity goals.