Web Application Penetration Testing: Insecure Error Handling

In this course, you'll learn how insecure error handling in modern web applications can lead to severe consequences. You'll see how to test web applications for insecure error handling and how to prevent these problems from happening.
Course info
Level
Intermediate
Updated
Feb 11, 2020
Duration
48m
Description

Insecure error handling can lead to very severe consequences, and that is why this subject matters to penetration testers. In this course, Web Application Penetration Testing: Insecure Error Handling, you will learn how to test for insecure error handling in modern web applications. First, you will discover different types of insecure web server errors. You will see what dangers arise when the web server version is disclosed in an error message, and how an attacker can steal sensitive data through a cross-site scripting attack delivered via an error message. Next, you will learn about insecure error handling in the context of login functionality, one of the most sensitive functionalities in web applications. You will see how to test for user enumeration via error messages and how to test for insecure handling of many unsuccessful login attempts. Finally, you will explore some of the most dangerous errors in modern web applications: unhandled exceptions and file inclusion errors. You will see how an attacker can learn sensitive data by triggering an unhandled exception, and how an attacker can proceed from file inclusion errors to reading the content of sensitive files. By the end of this course, you will know how to test for insecure error handling in modern web applications and how to prevent these problems from happening.
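As an added illustration (this is not course material and not the author's code), the Python below models two of the issues the description lists: user enumeration through login error messages that differ for existing and nonexistent users, and reflected cross-site scripting through an error message that echoes the submitted username unescaped. It places a vulnerable login handler beside a hardened one and includes the two checks a tester would run against each. The user store, the salt, the credentials and the probe payload are all constructed for this example; the handler names are hypothetical.

```python
"""Insecure vs. hardened error handling in a login endpoint.

Added example, not part of the course. The user store, salt, credentials
and helper names below are constructed for illustration only.
"""
import hashlib
import hmac
import html


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Derive a password hash (PBKDF2-HMAC-SHA256, fixed work factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash). Not real credentials.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy record so a nonexistent user costs the same hash computation
# as a real one, which also removes a timing oracle for enumeration.
_DUMMY = (_SALT, _pbkdf2("placeholder", _SALT))


def login_vulnerable(username: str, password: str):
    """Insecure: reveals which check failed and reflects input unescaped."""
    if username not in USERS:
        # Distinct message for unknown users lets an attacker enumerate
        # valid usernames; the raw echo of `username` is reflected XSS.
        return 404, f"<p>User {username} does not exist</p>"
    salt, digest = USERS[username]
    if _pbkdf2(password, salt) != digest:
        return 401, "<p>Incorrect password</p>"
    return 200, f"<p>Welcome, {username}</p>"


def login_hardened(username: str, password: str):
    """Hardened: one generic failure message, constant-time compare, escaped output."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = username in USERS and hmac.compare_digest(_pbkdf2(password, salt), digest)
    if not ok:
        # Same status and body whether the username exists or not.
        return 401, "<p>Invalid username or password</p>"
    # Anything reflected back is HTML-escaped.
    return 200, f"<p>Welcome, {html.escape(username)}</p>"


def enumeration_oracle(handler, known: str, unknown: str, password: str = "wrong") -> bool:
    """Tester's check: do a known and an unknown user get different responses?"""
    return handler(known, password) != handler(unknown, password)


def reflects_unescaped(handler, payload: str = "<script>alert(1)</script>") -> bool:
    """Tester's check: does the raw payload come back in the error body?"""
    _, body = handler(payload, "x")
    return payload in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "enumerable:", enumeration_oracle(handler, "alice", "mallory"),
              "reflects XSS:", reflects_unescaped(handler))
```

The two probe functions are the manual test reduced to code: submit a username you know exists and one you know does not, each with a wrong password, and diff the responses (status code, body, and in a real test also headers and timing); then submit a marker string as the username and look for it unescaped in the error page. The hardened handler passes both checks because every failure path returns the identical message and because the dummy record keeps the work done for unknown users equal to the work done for known ones.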

About the author

Dawid Czagan is listed among the Top 10 Hackers by HackerOne. He has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, and other companies. Due to the severity of these bugs, he has received numerous awards for his findings.

Section Introduction Transcripts

Course Overview
[Autogenerated] Hi everyone. My name is Dawid. Welcome to my course, Web Application Penetration Testing: Insecure Error Handling. I'm a security instructor, researcher, and bug hunter. In this course, I will show you how to test for insecure error handling in modern web applications. Insecure error handling can lead to very severe consequences, and that's the reason why this subject is interesting for penetration testers. First, you will learn about different types of insecure web server errors. I will present what dangers can happen when the web server version is disclosed in an error message, and I will also demonstrate how the attacker can steal sensitive data as a result of a cross-site scripting attack via an error message. Next, you will learn about insecure error handling in the context of login functionality, which is one of the most sensitive functionalities in web applications. I will present how to test for user enumeration via error messages and how to test for insecure handling of many unsuccessful login attempts. And finally, you will explore some of the most dangerous errors in modern web applications: unhandled exceptions and file inclusion errors. I will show you how the attacker can learn sensitive data as a result of triggering an unhandled exception, and I will also demonstrate how the attacker can proceed from file inclusion errors to reading the content of sensitive files. By the end of the course, you will know how to test for insecure error handling in modern web applications and how to prevent these problems from happening. I hope you will join me on this journey to learn about insecure error handling with the Web Application Penetration Testing: Insecure Error Handling course at Pluralsight.