Web App Pen Testing



Web Application Penetration Testing Course Overview



InfoSec Institute's award-winning 5-day Web Application Penetration Testing Boot Camp focuses on preparing students for the real world of web app pen testing through extensive lab exercises and thought-provoking lectures led by an expert instructor. We review the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

InfoSec Institute offers this award-winning Web Application Penetration Testing program to train and prepare IT security professionals.

The highlights of this course include:

• Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
• Learn how to exploit and defend real-world web apps – not just silly sample code
• Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
• Understand how to find Vulnerabilities in Source Code
• Take home a fully featured Web App Pen Test Toolkit
• Learn how to perform OWASP Top 10 Assessments – for PCI DSS compliance
• Leave Certified - IACRB CWAPT (Web Application Penetration Tester) Exam delivered On-Site

Intensive Hands-On Training:
The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last, you will learn the ins and outs of web app pen testing by attending thought-provoking lectures led by an expert instructor. Every lecture is directly followed by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps).

Typical lab exercises consist of a real-world app that demonstrates a vulnerability commonly found in web apps. You learn how to assess the app much as a black-hat hacker would, then exploit it so that you can demonstrate the true risk of the vulnerability to the application owner. This can involve taking control of the application itself, downloading data the application stores, or potentially using the app as a launching pad to attack unsuspecting visitors with a malicious script. Finally, the lab follows up with remediation steps so that the application owner can properly close the security hole for good.

Up-to-Date, Current Courseware
The threat landscape for web applications changes on a near-continuous basis. Bad guys wishing to attack your applications know that they need to stay ahead of the curve in order to get in. For this reason, InfoSec Institute continuously updates our Web App Pen Testing courseware to cover the latest and greatest threats, exploits and mitigation strategies.

Expert Instruction
The InfoSec Institute instructors who teach the Web App Pen Testing course are highly seasoned and have years of in-the-field pen testing experience. Not only are they active in the field of pen testing, they are industry-recognized experts who present at conferences such as DEFCON, Black Hat Briefings and RSA Security. Many of our instructors have authored some of the top penetration testing books on the market today.

Nightly Capture The Flag (CTF) Exercises:
After learning important web app pen testing concepts during the day in a structured learning environment led by an expert instructor, an important part of the knowledge transfer process is applying those concepts in an unscripted, controlled exercise.

The InfoSec Institute CTF exercises consist of a variety of web applications set up and designed to mimic the web presence of a company, a bank, a credit union, and an internal web app. You are then challenged by the instructor to capture specific flags that require you to apply the knowledge gained during the day. The CTFs are instructor-supervised, so if you get stuck, there is always a resource at hand to offer guidance.

At InfoSec Institute, we feel CTFs are a tremendous way to ensure you leave the course with the skills needed to perform Web App Pen Tests at work after the course is completed.




  • 93%+ Pass Rate
  • Web App Exam Certification included
  • On-site exam proctoring
  • Over $1500 in tools & software
"Jeremy is a genius. I'm glad he is on our side. I would take another course with InfoSec in a heartbeat."

Jason P.


What You'll LEARN and DO

An assortment of topics you will learn to master during the Application Security Training:

  • Web Application (In)security
  • Core Defense Mechanisms – OWASP Top 10
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards
  • Encoding Schemes, URL Encoding, Unicode Encoding
  • Bypassing Client-Side Controls
  • Transmitting Data via the Client
  • Hacking ASP.NET ViewState
  • Decompiling Java Bytecode
  • Coping with Bytecode Obfuscation
  • Reverse Engineering ActiveX
  • Manipulating Exported Functions
  • Attacking Authentication
  • Exploiting Verbose Failure Messages
  • Exploiting Vulnerable Transmission of Credentials
  • Attacking Password Change Functionality & Forgotten Password Functionality
  • Predictable Usernames & Initial Passwords
  • Prevent Misuse of the Account Recovery Function
  • Attacking Session Management
  • Attacking Access Controls
  • Common Vulnerabilities
  • Targeting Identifier-Based Functions
  • Securing Access Controls
  • Injecting into Interpreted Languages
  • Exploiting ODBC Error Messages (MS-SQL Only)
  • Enumerating Table and Column Names
  • Extracting Arbitrary Data
  • Parameterized Queries
  • Finding Dynamic Execution Vulnerabilities
  • File Inclusion Vulnerabilities
  • Preventing SOAP Injection
  • SMTP Command Injection
  • Injecting into LDAP
  • Storing XSS in Uploaded Files
  • Real-World XSS Attacks
  • Chaining XSS and Other Attacks
  • HTTP Response Splitting
  • Exploiting XSRF Flaws
  • Exploiting Information Disclosure Vulnerabilities
  • Exploiting Error Messages
  • Buffer Overflow Vulnerabilities
  • Heap Overflows
  • "Off-by-One" Vulnerabilities
  • Attacking & Assessing Application Architectures
  • Attacking Tiered Architectures
  • Exploiting Trust Relationships between Tiers
  • Subverting Other Tiers
  • Attacking Other Tiers
  • Source Code Auditing

Dates & Locations

The best in the world come train with us

See what our students are saying

  • David S.

    Senior Consultant

    "knowledgeable and passionate instructor"

    "I was impressed. The instructor was very knowledgeable about all the material and the industry. He is obviously passionate about forensics and security which helps students to get excited about the material as well."

  • Mari T.

    Loehrs and Associates

    "real-world knowledge was just as valuable"

    "The forensics training was excellent. The material was excellent and the instructor's real-world knowledge was just as valuable as the course material. He was very personable and engaged the students."

  • Sam C.


    "Over and above what was expected"

    "Over and above what was expected. I am sure his goal was that everyone in the class passed the written portion of the test, and he gave everyone the best advice to pass the exam. And I passed!"

Web Application Penetration Testing Boot Camp Review By Jason Park, Principal Operating Systems Analyst at County of Los Angeles
Rating: 5 out of 5.
The instructor was very knowledgeable on the subject and did a great job covering the subject matter.

Certifications & Compliance

IACRB Certified Web App Penetration Tester

  • All certifications offered by the IACRB are composed of a traditional multiple choice exam, as well as a hands-on practical exam.

  • The goal of this two-step WAPT process is to determine whether the web app pen testing certification candidate possesses the required knowledge of the theories and concepts described above. Additionally, the second step is designed to rigorously test the candidate's ability to perform job-relevant, hands-on technical skills related to information assurance.

>> Pricing for Web App Pen Testing - including certification

Call (866)-471-0059 or fill out this short form for current pricing


5 days of Web Application Penetration Testing training from a senior instructor with real-world application assessment and remediation experience.



  • InfoSec's fully featured Web App Pen Test Toolkit, which includes every program covered in the course for at-home study.
  • Small class sizes (fewer than 10-20 students) give you an intimate learning setting not offered by any of our competitors.
  • Breakfast, lunch, snacks and refreshments included.
  • IACRB Certified Web Application Penetration Tester exam fees; testing on-site.
  • Lecture, lab exercises and textbook.

Other Related Tools & Resources For Our Students

We believe in a commitment to your education. Our latest offering to the IT community has tutorials, videos, articles, white papers, and other resources and training materials that InfoSec Institute makes available for free. Below are some examples that relate to this class; reading them should give you a good idea of the types of skills you'll be learning in our courses.

  • Attacking Web Services Pt 1 – SOAP (07/15/2011)

    Background: I often receive testing related questions from AppSec folks new to web services about the techniques used to discover and attack them. Often, web services are seen as difficult to enumerate, interpret, and exploit as well as an arena with only a small arsenal of tools available. We’d like to bridge that gap a […]


  • Web Application Testing with Arachni (05/25/2011)

    What is Arachni? In very simple terms, Arachni is a tool that allows you to assess the security of web applications. In less simple terms, Arachni is a high-performance, modular, Open Source Web Application Security Scanner Framework. It is a system which started out as an educational exercise and as a way to perform specific […]


  • OWASP Top 10 Tools and Tactics (03/21/2011)

    Description: A tool for each of the OWASP Top 10 to aid in discovering and remediating each of the Top Ten Introduction If you’ve spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. […]


InfoSec Institute has an excellent instructor and this is the best IT security class I have ever taken. His knowledge and method of teaching are unsurpassed.