Web Technologies
Please note the knowledge domains and topics outlined here are for guidance only and subject to change.
– Can assess and exploit vulnerabilities within the functional logic, function access control and business logic of an application
– Can generate malicious payloads in a variety of common file formats
– Understands the role of MIME types in relation to file upload features
– Understands and can identify common vulnerabilities with file upload capabilities within applications
– Understands and can identify directory traversal vulnerabilities within applications
– Can identify and exploit encoded values (e.g. Base64)
– Understands the concepts of TLS and can determine whether a TLS-enabled web server has been configured in compliance with best practice (i.e. it supports recommended ciphers and key lengths)
– Understands how cryptography can be used to protect data in transit and data at rest, both on the server and client side
– Understands the security implications of session IDs exposed in URLs
– Understands the role of sessions in CSRF attacks
– Understands and can exploit session fixation vulnerabilities
– Can identify the session control mechanism used within a web application
– Understands the difference between HMAC and public key JWTs
– Can exploit the "none" signature algorithm or a lack of signature checking in JWTs
– Can identify JWTs
– Can exploit a blind SQL injection vulnerability
– Can determine the existence of a blind SQL injection condition in a web application
– Can exploit SQL injection to execute operating system commands or read files
– Can exploit authentication bypass (e.g. ' or 'a'='a)
– Can exploit UNION-based injection
– Can identify SQL injection
– Understands the difference between persistent (stored) and reflected XSS
– Understands cross-site scripting (XSS) and can demonstrate the launching of a successful XSS attack
– Understands fuzzing and its use in web application testing
– Understands the need for server-side validation and the flaws associated with client-side validation
– Understands the importance of input validation and how it can be implemented, e.g. allow-lists, deny-lists and regular expressions
– Understands common authentication vulnerabilities, including:
• Transport of credentials over an unencrypted channel
• Testing for username enumeration
• Brute-force testing
• Authentication bypass
• Session hijacking
• Insecure password reset features
• Insufficient logout timeout/functionality
• Vulnerable CAPTCHA controls
• Race conditions
• Lack of MFA
– Can gather information about a web site and application from the error messages it generates
– Can gather information from a web site and application mark-up or programming language, including:
• Hidden form fields
• Database connection strings
• User account credentials
• Developer comments
• External and/or authenticated-only URLs
– Understands how to interpret definition files, e.g. WSDL and Swagger
– Understands different common payload formats such as XML and JSON
– Understands and can demonstrate how the insecure implementation of web-based APIs can be exploited
– Can demonstrate the use of relevant tools to test APIs, e.g. SoapUI and Postman
– Understands common authentication techniques used in web APIs, e.g. API keys
– Understands and can demonstrate the use of web-based APIs to access remote services
– Understands the use of tools and techniques to identify new OS and software vulnerabilities
– Understands common web mark-up and programming languages, including:
• .NET
• ASP Classic
• Perl
• PHP
• JSP
• Python
• JavaScript
– Understands and can demonstrate how the insecure implementation of software developed using these languages can be exploited (candidate may select two languages)
– Understands and can demonstrate the use of web protocols, including:
• HTTP
• HTTPS
• WebSockets
– Understands HTTP header fields relating to security features
– Understands all HTTP methods and response codes
– Understands the concepts of virtual hosting and web proxies
– Understands and can demonstrate the remote exploitation of web servers
– Understands the purpose, operation, limitations and security attributes of web proxy servers
– Can identify web servers on a target network and can remotely determine their type and version
– Understands and can identify the different types of domain trusts, including:
• One-way and two-way trusts
• Explicit and transitive trusts
– Can identify and analyse Service Principal Names
– Can identify and analyse internal browse lists
– Can enumerate accessible Windows shares
– Can identify forests, domains, domain controllers, domain members and workgroups
– Can identify Windows hosts on a target network