• Can use spidering tools and understands their relevance in a web application test for discovering linked content.
• Understands and can demonstrate forced browsing techniques to discover default or unlinked content.
• Can identify functionality within client-side code.

• Understands all HTTP methods and response codes.
• Understands HTTP Header fields relating to security features.
• Understands and can demonstrate the use of web protocols, including:

• HTTP • HTTPS • Web Sockets.

• Understands and can demonstrate HTTP Request Smuggling.

• Understands common web mark-up and programming languages, including:

  • .NET • ASP Classic • Perl • PHP • JSP • Python • JavaScript

• Understands and can demonstrate how the insecure implementationof software developed using these languages can be exploited(candidate may select two languages).

• Can gather information from a web site and application mark-up or programming language, including:

  • hidden form fields • database connection strings • user account credentials • developer comments

  • external and/or authenticated-only URLs.

• Can gather information about a web site and application from the error messages it generates.

• Understands common authentication vulnerabilities, including:

  • Transport of credentials over an unencrypted channel

  • Testing for username enumeration • Brute-force testing • Authentication bypass

  • Session hijacking • Insecure password reset features • Insufficient logout timeout/functionality

  • Vulnerable CAPTCHA controls • Race Conditions • Lack of MFA

• Understands common pitfalls associated with the design and implementation of application authorisation mechanisms.

• Understands fuzzing and its use in web application testing.
• Understands the generation of fuzzing strings and their potential effects, including the dangers they may introduce.

• Understands cross-site-scripting (XSS) and can demonstratethe launching of a successful XSS attack.
• Understands the difference between persistent (stored) and reflected XSS.

• Can demonstrate the ability to identify, explain and prove the existence of the following types of network infrastructure vulnerabilities and exposures:• XXE • XML Injection • LDAP Injection

  • ORM injection • SSI injection

  • XPath injection • IMAP/SMTP injection

  • Code injection • OS Commanding

• Identifying SQL injection.
• Exploiting UNION based injection.
• Exploiting auth bypass (' or 'a'='a).
• Exploiting SQL injection to execute operating system commands or read files.

• Identifying JWTs.
• Exploiting "none" signature or lack of signature checking in JWTs.
• Understanding the difference between HMAC and public key JWTs.
• Can identify the session control mechanism used within a web application.
• Understands and can exploit session fixation vulnerabilities.
• Understands the security implications of session IDs exposed in URLs.
• Understands the role of sessions in CSRF attacks.
• Identifying low entropy in sessions.
• Brute-forcing weak HMAC keys in JWTs.

• Understands how cryptography can be used to protect data in transit and data at rest, both on the server and client side.
• Understands the concepts of TLS and can determine whether a TLS-enabled web server has been configured in compliance with best practice (i.e. it supports recommended ciphers and key lengths).
• Identification and exploitation of encoded values (e.g. Base64).
• Identification and exploitation of cryptographic values (e.g. MD5 hashes).

• Understands parameter manipulation techniques, particularly the use of client-side proxies.

• Understands and can identify directory traversal vulnerabilities within applications.

• Can generate malicious payloads in a variety of common file formats.

• Can assess and exploit vulnerabilities within the functional logic, function access control and business logic of an application.