Identification and exploitation of Cryptographic values (e.g. MD5 hashes)
Industry Roles:
Assessment Methods:
Identification and exploitation of Encoded values (e.g. Base64)
Industry Roles:
Assessment Methods:
Understands the concepts of TLS and can determine whether a TLS-enabled web server has been configured in compliance with best practice (i.e. it supports recommended ciphers and key lengths)
Industry Roles:
Assessment Methods:
Understands how cryptography can be used to protect data in transit and data at rest, both on the server and client side
Can gather information about a web site and application from the error messages it generates
Industry Roles:
Assessment Methods:
Can gather information from a web site and application mark-up or programming language, including: • Hidden form fields • Database connection strings • User account credentials • Developer comments • External and/or authenticated-only URLs.
Understands and can demonstrate how the insecure implementation of software developed using these languages can be exploited(candidate may select two languages)
Industry Roles:
Assessment Methods:
Understands common web mark-up and programming languages, including: • .NET • ASP Classic • Perl • PHP • JSP • Python • JavaScript
Understands the concepts of virtual hosting and web proxies
Industry Roles:
Assessment Methods:
Understands and can demonstrate the remote exploitation of web servers
Industry Roles:
Assessment Methods:
Understands the purpose, operation, limitation and security attributes of web proxy servers
Industry Roles:
Assessment Methods:
Has knowledge of vulnerabilities in the following commonapplication frameworks, servers and technologies: • .NET • J2EE • Coldfusion • Ruby on Rails • NodeJS
Industry Roles:
Assessment Methods:
Can identify web servers on a target network and can remotely determine their type and versionCan identify web servers on a target network and can remotely determine their type and version