Cybersecurity (VAPT) Syllabus
1. Module 1: Introduction
2. Module 2: Vulnerability Assessment and Penetration Testing
3. Module 3: Secure Code Review
4. Module 4: Web Application Security
5. Module 5: API Security
6. Module 6: Web Service Security
7. Module 7: Windows Application Security
8. Module 8: Mobile Application Security
9. Module 9: Network Security
10. Module 10: Tools
11. Module 11: Lab Setups (Hands-on)
Cybersecurity (VAPT) Course Syllabus
Module 1: Introduction
- What is Cyber Security?
- Importance of Security Testing
- Types of Cyber Attacks:
  - Man-in-the-Middle Attack
  - Zero-day Exploit
  - DNS Tunneling
  - Cryptojacking
  - XSS Attacks
  - Social Engineering
  - DoS and DDoS Attacks
  - SQL Injection
  - Phishing
  - Malware
  - Ransomware
- Software Testing & Types of Software Testing
- Security Testing & Types of Security Testing
Module 2: Vulnerability Assessment and Penetration Testing
- What is Vulnerability Assessment and Why it’s Required
- What is Penetration Testing
- What is SAST & DAST
- Application Security Assessment:
  - Secure Code Review
  - Web Application Security
  - Web Service Security
  - API Security
  - Windows Application Security
  - Mobile Application Security
  - Network Security
- OWASP Top 10 Overview
- OWASP Security Testing Methodology
- Report Preparation
Module 3: Secure Code Review
- What is Secure Code Review and Why is it Required?
- Scan Code using Bandit Tool
- Scan Code using Snyk Tool
- Steps to Scan Code using Fortify, Mend, CodeQL
- SCA (Software Composition Analysis)
- Analysis of Reports Generated by Tools
Module 4: Web Application Security
- What is a Web Application? How to Work with Web Applications?
- What is Authentication & Authorization
- What is Cookie, Session, Session ID
- Overview of OWASP Top 10 Web Vulnerabilities:
  1. Broken Access Control
     - Improper Access Control / URL Manipulation / Authentication Bypass
     - Privilege Escalation / Session Replay / Broken Authorization
     - Insecure Direct Object Reference (IDOR)
     - Inadequate Session Management / Session Fixation
  2. Cryptographic Failures
     - Encoding, Decoding, Hashing, Weak Ciphers, Weak Encryption
     - Expired SSL Certificates, Clear-Text Transmission
  3. Injection
     - HTML, SQL, XSS, CSRF, XXE (XML External Entity Injection)
  4. Insecure Design
     - Unprotected Storage of Credentials, Insecure Communication, No Rate Limiting
  5. Security Misconfigurations
     - Default Credentials, Unencrypted Files, Directory Listing, Outdated Software
  6. Vulnerable and Outdated Components
     - Use of Vulnerable JS or Bootstrap Libraries
  7. Identification and Authentication Failures
     - Weak Passwords, Lack of MFA, Brute Force, Session Flaws
  8. Software and Data Integrity Failures
     - Insufficient Verification, Missing Integrity Checks, Untrusted Paths
  9. Security Logging and Monitoring
     - Insecure Logging, Lack of Monitoring, Short Log Retention
  10. Server-Side Request Forgery (SSRF)
Module 5: API Security
- What is API and Why it’s Used
- What is an Endpoint
- HTTP Methods in API
- Check Requests and Responses using Postman
- API Status Codes
- Authentication & Authorization (JWT, OAuth, SAML, Basic Auth, Bearer Token)
- Cookie and Security Header Checks
- Cross-Origin Resource Sharing (CORS)
- Intercept Postman with Burp Suite
- Information Disclosure via Banner Grabbing / Server Fingerprinting
- OWASP API Top 10:
  - Broken Object Level Authorization
  - Broken Authentication
  - Unrestricted Resource Consumption
  - Server-Side Request Forgery
  - Security Misconfiguration
  - Improper Inventory Management
  - Unsafe Consumption of APIs
Module 6: Web Service Security
- What is a Web Service and SOAP Protocol
- Request and Response using XML
- Important Security Headers
- Scanning Applications using WebInspect
- WSDL Enumeration
- XML External Entity (XXE) Injection
- XPath Injection
- Sensitive Data Exposure
- Missing Function Level Access Control
- Unvalidated Redirects and Forwards
Module 7: Windows Application Security
- What is a Thick Client Application
- Types of Thick Client Applications
- Network Traffic Analysis using Wireshark
- Data Storage and Privacy
- Network Communication
- Code Quality
- Backend API
- Injection, Authentication, and Authorization Issues
- Session Management
- Business Logic Flaws and Data Tampering
Module 8: Mobile Application Security
- Improper Credential Usage
- Inadequate Supply Chain Security
- Insecure Authentication/Authorization
- Insufficient Input/Output Validation
- Insecure Communication
- Inadequate Privacy Control
- Insecure Data Storage
- Insufficient Cryptography
- Security Misconfiguration
Module 9: Network Security
- Outdated or Unpatched Software
- Misconfigured Firewalls and Systems
- Unsecured Network Access Points
- Weak Passwords & Authentication Protocols
- Phishing and Social Engineering Attacks
- Man-in-the-Middle Attacks
- Absence of Data Backups
- Removable Media Threats
- Lack of Network Segmentation
- Insufficient Access Controls & Privilege Management
Module 10: Tools
- Secure Code Review Tools: Fortify, Mend, CodeQL, Bandit, Snyk
- Web Application Security Tools: WebInspect, Burp Suite, OWASP ZAP, Boomerang, Wappalyzer, SQLMap
- API & Web Service Security Tools: Postman, SoapUI, Swagger UI, Fiddler
- Windows Application Security Tools: Echo Mirage, Wireshark, CFF, dnSpy, ILSpy
- Mobile Application Security Tools: APKTool, Jadx-GUI, Android Studio, Frida, MobSF, Mobexler
- Network Security Tools: Nessus, Nmap
Module 11: Lab Setups (Hands-on)
- Web Application Security Labs
- API Security Labs
- Mobile Application Security Labs
- Real-World Vulnerability Exploitation and Reporting