Mobile and Web Application Penetration Testing

Our Mobile and Web Application Penetration Testing boot camp focuses on preparing students for real-world applications of mobile and web application penetration testing through lab exercises and lectures led by an expert instructor.

Award-Winning Training

For 20 years InfoSec has been one of the most awarded and trusted information security training vendors — 40+ industry awards!

Exam Pass Guarantee

We offer peace of mind with our Exam Pass Guarantee for Flex Pro students.

Comprehensive Hands on Labs

Practice each evening on "Live Cases," investigating data from real forensics cases and preparing reports on findings.

Course Description

Infosec is proud to offer the Mobile and Web Application Penetration Testing class for IT security professionals. In this intensely practical hands-on course, you will learn skills, tools and techniques required for conducting comprehensive security tests of mobile devices and Web applications. The highlights of this course include:

  • Learn the secrets of Mobile and Web App Penetration Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend Web and mobile apps
  • Perform static and dynamic analysis of iOS and Android apps using popular tools
  • Understand how to find Vulnerabilities in source code
  • Learn how to find and exploit weaknesses in mobile security controls implementation
  • Learn how to do OWASP Top 10 Assessments – for PCI DSS compliance and others
  • Certfied IACRB CMWAPT (Mobile and Web Application Penetration Tester) Exam delivered On-Site

Web Application Penetration Testing Boot Camp

Rated 4.8/5 based on 27 customer reviews

Award-winning training that you can trust.

Outstanding Partnership Award

Gold Winner

Best Cybersecurity Education Provider

Publisher's Choice

Security Training for Infosec Professionals

Top 20 Company

IT Training

Watch List Company

Top Online Learning Library

The Most Flexible Training — Guaranteed

Exam Pass Guarantee — If you don’t pass your exam on the first attempt, get a second attempt for free; includes the ability to re-sit the course for free for up to one year

100% Satisfaction Guarantee — If you’re not 100% satisfied with your training at the end of the first day, you may enroll in a different Flex Pro or Flex Classroom course

Knowledge Transfer Guarantee — If an employee leaves within three months of obtaining certification, Infosec will train a different employee at the same organization tuition-free for up to one year

Other Information

Intensive Hands-On Training

The  Certified Mobile and Web  Application  Penetration  Testing  Boot Camp  from  InfoSec  Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Mobile and Web Application Pen Testing by attending thought provoking lectures led by an expert instructor. Every lecture is directly followed  up  by  a  comprehensive lab exercise  (we  also  set  up  and  provide lab workstations so you don’t waste valuable class time installing tools and apps). Typical lab exercises consist of an app that demonstrates a vulnerability commonly found in a Web or mobile app. You learn how to assess the app much as a black hat hacker would, exploit the app so that you can demonstrate the true risk of the vulnerability to the application owner. This can involve taking control of the application itself, downloading data the application stores, or potentially using the app as a launching pad to attack unsuspecting visitors with a malicious script. Finally, the lab will follow up with remediation steps so that the application owner can properly close down the security hole for good.

Constantly Updated Training

The threat landscape for Mobile and Web Applications changes on a near continuous basis. Bad guys wishing to attack your applications know that they need to stay ahead of the curve in order to get in. For this reason, Infosec continuously updates our Mobile and Web Application Penetration Testing courseware to cover the latest and greatest threats, exploits and mitigation strategies.

Learn From Experts

InfoSec  Institute  instructors  that  teach  the  Mobile and Web  Application  Penetration Testing course are highly seasoned and have years of in the field pen testing experience. Not only are they active in the field of pen testing, they are industry recognized experts that present at conferences such as DEFCON, Black Hat Briefings, RSA Security.

View Pricing

We will never share any of your information, spam you or annoy you with pushy sales pitches.

Our Major Clients

Book your course

    Course Outline

    Part 1 – Web Application Pentesting

    • Module 1
      • Web Application (In)security
      • Setting up a web application pentesting platform
      • Installing vulnerable apps
      • Burpsuite basics
      • Analyzing traffic over HTTP
      • Analyzing traffic over HTTPs
    • Module 2
      • Understanding the HTTP protocol
      • HTTP Headers
      • Attacking HTTP Basic & Digest authentication
      • Conducting a brute force attack
    • Module 3
      • Analyzing the attack surface
      • Information gathering
      • Finding hidden URLs with dirbuster
      • Identifying weak SSL certificates
    • Module 4
      • Cross-Site Scripting (XSS) – Reflected, Stored and DOM based
      • HTML Injection
      • Broken Authentication and Session Management
      • Insecure Direct Object References Cross-Site Request Forgery (CSRF)
      • Insufficient Transport Layer Protection
      • Unvalidated Redirects and Forwards
      • Cross Origin resource sharing
      • Command Injection vulnerabilities
      • Local file inclusion vulnerability
      • Remote file inclusion vulnerability
      • Insecure Direct object reference
      • HTTP Response splitting
      • SQL injection
      • Attaching session management
      • HTTP Response header injection
      • Improper exception handling
      • Server side code disclosure
      • Chaining XSS with other attacks
      • Targeting Reset password functionality
      • Business logic flaws
    • Module 5
      • Securing Web apps
      • Applying input validation
      • IP Whitelisting
      • Implementing access controls
      • Removing HTTP headers
      • Preventing CSRF with tokens
      • Setting login limits
      • Removing server configuration errors
      • Identifying & fixing business logic issues

    Part 2 – iOS Exploitation

    • Module 1
      • iOS security model
      • App Signing, Sandboxing and Provisioning
      • Setting up XCode 9
      • Changes in iOS 11
      • Primer to iOS 10 security
      • Exploring the iOS filesystem
      • Intro to Objective-C and Swift
      • What’s new in Swift 4?
      • Setting up the pentesting environment
      • Jailbreaking your device
      • Cydia, Mobile Substrate
      • Getting started with Damn Vulnerable iOS app
      • Binary analysis
      • Finding shared libraries
      • Checking for PIE, ARC
      • Decrypting IPA files
      • Self signing IPA files
    • Module 2
      • Static Analysis of iOS applications
      • Dumping class information
      • Insecure local data storage
      • Dumping Keychain
      • Finding URL schemes
      • Dynamic Analysis of iOS applications
      • Cycript basics
      • Advanced Runtime Manipulation using Cycript
      • Method Swizzling
      • GDB basic usage
      • Modifying ARM registers
    • Module 3
      • Exploiting iOS applications
      • Broken Cryptography
      • Side channel data leakage
      • Sensitive information disclosure
      • Exploiting URL schemes
      • Client side injection
      • Bypassing jailbreak, piracy checks
      • Inspecting Network traffic
      • Traffic interception over HTTP, HTTPs
      • Manipulating network traffic
      • Bypassing SSL pinning
    • Module 4
      • Introduction to Hopper
      • Disassembling methods
      • Modifying assembly instructions
      • Patching App Binary
      • Logify
    • Module 5
      • Securing iOS applications
      • Where to look for vulnerabilities in code?
      • Code obfuscation techniques
      • Piracy/Jailbreak checks
      • iMAS, Encrypted Core Data

    Part 3 – Android Exploitation

    • Module 1
      • Why Android
      • Intro to Android
      • Android Security Architecture
      • Android application structure
      • Signing Android applications
      • ADB – Non Root
      • Rooting Android devices
      • ADB – Rooted
      • Understanding Android file system
      • Permission Model Flaws
    • Module 2
      • Understanding Android Components
      • Introducing Android Emulator
      • Introducing Android AVD
    • Module 3
      • Proxying Android Traffic
      • Reverse Engineering for Android Apps
      • Smali Labs for Android
      • Dex Analysis and Obfuscation
      • Android App Hooking
    • Module 4
      • Attack Surfaces for Android applications
      • Exploiting Local Storage
      • Exploiting Weak Cryptography
      • Exploiting Side Channel Data Leakage
      • Root Detection and Bypass
      • Exploiting Weak Authorization mechanism
      • Identifying and Exploiting flawed Broadcast Receivers
      • Identifying and Exploiting flawed Intents
      • Identifying and Exploiting Vulnerable Activity Components
      • Exploiting Backup and Debuggable apps
      • Dynamic Analysis for Android Apps
      • Analysing Proguard, DexGuard and other Obfuscation Techniques
    • Module 5
      • Exploitation using Drozer
      • Automated source code analysis
      • Exploiting Android embedded applications

    Frequently Asked Questions

    Why is getting certified an important part of a career in penetration testing?

    Earning a Penetration Testing certification can be a great way to bump your status, job title, and even pay grade! It makes you a marketable employee and you will gain a specialized skillset through the certification process that other professionals lack. Infosec’s pen-testing Boot Camp offers hands-on training about hacking and penetration testing, which will give you the expertise necessary to differentiate yourself and impress potential employers.

    What career opportunities are available to Penetration Testing Boot Camp graduates?

    While career opportunities are defined by education, certification, years of experience, and location—opportunity and the need for Ethical Hackers and Penetration Testers is rising at a significant rate. As cybersecurity threats continue to increase, the need for educated professionals in the field to identify weaknesses and prevent data breaches will grow alongside it. Click here for more information on career paths for pen-testers and related salary info.

    How is Penetration Testing different from Ethical hacking?

    While the terms “Ethical Hacking” and “Penetration Testing” are often used interchangeably, there are a few details that differentiate the two. “Penetration testing” is a procedure to discover vulnerabilities about an information system—mimicking the methods of black hat hackers that would attempt to compromise secure information. “Ethical hacking” is more of an umbrella term that encompasses all hacking methods, including pen-testing. Click here for more information about the differences between these terms.

    How does the CMWAPT examination process work?

    The CMWAPT exam can be taken at training partner locations, proctored on-site for groups of at least 10, or taken over the internet. As a training partner, Infosec is verified to administer the exam on the 5th day of our Training session for both Flex Pro and Flex Classroom formats. The certification exam itself is a 50-question, multiple-choice test that must be completed in two hours. Any score above 70% is considered passing.

    What are the renewal requirements for the CMWAPT?

    After four years, the CMWAPT certification expires, and a renewal exam must be completed at no expense to the cert holder. Candidates up for recertification will be required to take the current version of the exam issued by the IACRB.

    What does this penetration testing training course provide that other offerings do not?

    Infosec’s pass rate for Pen Testing Boot Camp participants sits at 93% – the highest in the industry! In a constantly-changing field, our experts work to keep their training up-to-date so that you can rest assured you’re receiving the highest quality training available—covering all the latest technologies.

    What are the CMWAPT domains?

    The eight CMWAPT domains are as follows: Mobile and Web Application Pentesting Process and Methodology, Web Application Vulnerabilities, Web Application Attacks, Android Application Components, Android Application Attacks, iOS Application Components, iOS Application Attacks, and Secure Coding Principles.

    How much programming experience is typically required to take this course?

    The CMWAPT certification does not require students to have formal work-experience related to penetration testing. However, it is a rigorous exam, and will test your ability to apply knowledge and skills in practice. We recommend you familiarize yourself with the content of each of the exam’s domains, as well as the associated tools and technology.

    What are the pre-requirements to enroll in the Mobile & Web App Penetration Testing training?

    There are no pre-requirements to enroll in this Training Boot Camp, however, we do recommend that students have a good working knowledge of networking, TCP/IP protocols, and the Linux Operating System before signing up.

    What hardware and software is needed to complete the Mobile & Web App Pen Testing Boot Camp?

    None! All the necessary hardware and software will be provided during training.

    How has the penetration testing industry grown in recent years? Has the need for penetration testing skills changed in the last 5 or 10 years?

    The biggest change in the pen-testing industry has been the rapid increase of mobile and web application usage and development. Accomplished penetration testers today are required to know the ins-and-outs of both the Android and iOS platforms in order to identify vulnerabilities and threats. As technology continues to advance, the tools and techniques penetration testers utilize will continue to evolve as well.

    Are exam vouchers included with the purchase of this course?

    Yes, exam vouchers are included with the training, and the exam is proctored on-site during the final day of the course

    What job titles are most common for penetration testers and people who hold the IACRB CMWAPT?

    Common job titles include: Penetration Tester, Security Engineer, Information Security Analyst, and many more.

    What are some tips for passing the CMWAPT and other penetration testing certs?

    We recommend enrolling in a training course like the one Infosec offers here. With a 93% certification exam pass rate, you can rest assured that we offer the best training in the industry! While studying, we recommend you budget your time accordingly so that you are familiar with each of the exam’s eight domains and can identify which topics are your weakest. Focus on the tools and technology you’ll use in real world scenarios as a penetration tester.

    What Our Students Are Saying

    Without any question, InfoSec has the most gifted individual instructors. Our instructor for this class was both an excellent educator and a premier/world class security expert. He was able to clearly explain and impart to the students, the most complicated security techniques I have ever heard of or imagined. I simply can not find the words to recommend him and Infosec security training more highly.

    John Hollan GE

    Advanced Ethical Hacking Training Boot Camp

    Career Tracks

    • Hacker Track

      The InfoSec Hacker Track will take you from 0 to 60 in your security career. By the time you successfully complete this track you will be highly credential-ed and in the top 5-10% of hackers in the world.
    Ready to get started? Get instant pricing for this award-winning boot camp. View course pricing
    View instant course pricing