
Module 3: Intrusion on Web applications

  • School / Prep

    ENSEIRB-MATMECA

Internal code

EC9IT313

Objectives

This module is aimed at people with a technical background who wish to deepen their knowledge of modern, high-severity vulnerabilities. Its aim is to present, through a number of case studies, the considerations and observations that guide an expert in discovering vulnerabilities.


Teaching hours

  • CI (Integrated Courses): 24h

Syllabus

  • Introduction (how an intrusion occurs, methodology and general concepts, procedures and resources)
  • BurpSuite (use of BurpSuite as part of a black-box intrusion, BurpSuite's possibilities and limitations, shortcuts and automation mechanisms, Extensions)
  • Reconnaissance (attack surface, tooling)
  • Methodologies and approach (iterative nature of the process, logical vulnerabilities, management of common mechanisms: authentication, access control, user input, identification of client-side and server-side technologies)
  • Study and exploitation of advanced vulnerabilities (overview of application vulnerabilities: XXE, SSRF, injections, SSTI, prototype pollution, cryptographic attacks, attacks on authentication mechanisms, GraphQL, cloud-specific vulnerabilities)
  • Investigation and exploitation of specific vulnerabilities (Java, PHP, Python/Django, Perl)

Target skills

This module is part of the Activity A2 skills block: Technical security auditing

Task 1 (A2T1): Carry out technical security audits, including penetration tests, to assess the security of Web applications, operating systems (Linux, Windows) and network protocols.

- A2T1C1: Identify, analyze and document vulnerabilities in applications, systems and networks using specific tools.

- A2T1C2: Perform penetration tests in a variety of environments (Web, Linux, Windows), in compliance with current standards and regulations.

- A2T1C3: Summarize the results of audits and penetration tests in a clear, detailed report, including recommendations for improving cybersecurity.


Task 2 (A2T2): Participate in the implementation and follow-up of corrective measures identified during technical security audits.

- A2T2C1: Prioritize vulnerabilities and propose appropriate solutions in collaboration with technical teams.

- A2T2C2: Supervise the deployment of patches and ensure that systems comply with security standards.

- A2T2C3: Validate the effectiveness of corrective measures implemented and communicate results to stakeholders.

Task 3 (A2T3): Design and test simulated attack scenarios to assess system resilience under realistic conditions.

- A2T3C1: Develop realistic simulation scenarios based on attackers' tactics, techniques and procedures (TTPs).

- A2T3C2: Simulate attacks in a variety of environments and assess the defense capability of the digital infrastructure.

- A2T3C3: Document simulation results and provide strategic recommendations to improve system resilience.


Task 4 (A2T4): Develop and run cybersecurity training programs

- A2T4C1: Design teaching aids adapted to different audiences (end-users, technical teams, managers).

- A2T4C2: Run awareness-raising sessions and train employees.

- A2T4C3: Update training content by monitoring emerging threats.


Assessment of knowledge

Initial assessment / Main session - Tests

Type of assessment | Type of test | Duration (in minutes) | Number of tests | Test coefficient | Eliminatory mark in the test | Remarks
Continuous control | Continuous control | | | 1 | |

Second chance / Catch-up session - Tests

Type of assessment | Type of test | Duration (in minutes) | Number of tests | Test coefficient | Eliminatory mark in the test | Remarks
Final test | Oral | 30 | | 1 | | without document