Skip to content
Pricing: IDR 14.000.000 / peserta (Private)
Advanced Web Application Penetration Testing and Infrastructure Security
A Comprehensive Zero-to-Hero Private for Professional Penetration Testers
Sesi 1: Fundamentals & Introduction
- Behind the Scenes: What Happens When You Open a Website?
- Web Application Workflow: Understanding Request, Response, and Core Components
- Cookies, Sessions, and Headers Fundamentals
- Introduction to Network Protocols & Infrastructure: HTTP, HTTPS, Proxy Server, DNS, Firewall, and API
- HTTP Methods: Deep Dive into GET and POST
- Introduction to Ethical Hacking Concepts
- HTTP Header Manipulation Techniques
Sesi 2: Information Gathering & Reconnaissance
- ProxyChains + Tor
- Subdomain Enumeration
- Directory & File Discovery
- Parameter Discovery
- OSINT & Credential Leaks Hunt
- Port Scanning & Infrastructure Services Detection
- Tech Stack Detection / Fingerprinting
- WAF & Reverse Proxy Detection
- Information Gathering: Cloudflare Bypass & Real IP Discovery Techniques
- WHOIS Lookup atau Domain Registration Data Reconnaissance
- Network Topology Mapping
- Defacement Footprinting
- Database Backup Leakage
Sesi 3: Attacking Infrastructure
- Attacking Infrastructure: From DoS Frameworks to Server Exploitation
- Denial of Service (DoS) Frameworks & Infrastructure Stress Testing
- Application-Layer DoS: Menganalisis mekanisme serangan DoS pada web server modern (Apache/Nginx)
- Network-Layer Flooding: Konsep dan dampak serangan UDP Flood terhadap ketahanan infrastruktur jaringan
- CMS Ecosystem Supply Chain Attacks
- Automated Web Server Vulnerability Scanning via Nikto
- Automated Web Vulnerability Scanning via Nessus
- Apache HTTP Server Case Study: From Path Traversal to Remote Shell
Sesi 4: Binary Exploitation & Memory Manipulation
- Web Server Binary Exploitation & Memory Manipulation
- Introduction to Exploit Development: Web Server Memory Corruption
- Custom Fuzzer Development
- HTTP Request & Response Header Analysis
- Target Parameter Isolation (Host, User-Agent, and Custom Headers Fuzzing)
- Environment Setup with Immunity Debugger & Mona Framework
- Analyzing Application Crashes
- Cyclic Pattern Generation & Offset Calculation
- Instruction Pointer Control
- Stack Trampoline Redirection
- Custom Payload Delivery for RCE
Sesi 5: OWASP Top 10: 2025 (Part 1)
- Introduction and Exploitation Demonstration – OWASP Top 10: 2025 (Part 1)
- A01:2025 – Broken Access Control
- A02:2025 – Security Misconfiguration
- A03:2025 – Software Supply Chain Failures
- A04:2025 – Cryptographic Failures
- A05:2025 – Injection
Sesi 6: OWASP Top 10: 2025 (Part 2)
- Introduction and Exploitation Demonstration – OWASP Top 10: 2025 (Part 2)
- A06:2025 – Insecure Design
- A07:2025 – Authentication Failures
- A08:2025 – Software or Data Integrity Failures
- A09:2025 – Security Logging and Alerting Failures
- A10:2025 – Mishandling of Exceptional Conditions
Sesi 7: Authentication, Access Control & Business Logic
- Broken Authentication & Session Management:
- Weak Password Policy
- Default / Weak Credentials
- Credential Stuffing
- Brute Force Login & Password Attack Methodologies
- Authentication Bypass (Contoh: SQL Injection pada form login)
- Two-Factor Authentication (2FA) Bypass
- Session Management Flaws:
- JWT Basics Vulnerabilities
- Session Hijacking (Contoh: Session Leakage)
- Access Control & Logic:
- IDOR (Insecure Direct Object Reference)
- Privilege Escalation (Vertical & Horizontal)
- Business Logic Flaws & Race Condition Exploitation
Sesi 8: Client-Side Vulnerabilities & Injection
- HTML Injection
- CSS Injection
- Cross-Site Scripting (XSS) – Reflected / Non-Persistent
- Cross-Site Scripting (XSS) – Stored / Persistent
- Cross-Site Scripting (XSS) – DOM-Based
- Session Hijacking Integration: XSS Cookie Theft
- WSTG-Based XSS Testing Methodologies (Manual Code & Input Analysis)
- Semi-Automated XSS Identification (Targeted Parameter Scanning)
- Automated XSS Scanning in Graybox Testing (Session Cookie Integration)
- Advanced XSS: WAF Bypass Techniques
- CSRF (Cross-Site Request Forgery)
- CORS Misconfiguration
- Clickjacking (UI Redressing)
- Open Redirect
Sesi 9: Server-Side Injection & Attacks
- Database Injections:
- SQL Injection GET Method – UNION-Based
- SQL Injection POST Method – UNION-Based
- SQL Injection GET Method – Blind (Boolean-Based)
- SQL Injection POST Method – Blind (Boolean-Based)
- SQL Injection GET Method – Time-Based
- SQL Injection POST Method – Time-Based
- WSTG-Based SQL Injection Testing (Manual Input & Error Analysis)
- Semi-Automated SQL Injection Identification (Targeted Parameter Scanning via Sqlmap)
- Advanced SQL Injection: WAF Bypass Techniques
Sesi 10: File Inclusions & Server Takeover
- Path Traversal / Directory Traversal Fundamentals
- Local File Inclusion (LFI) – Basic
- WSTG-Based LFI Testing (Manual Path Traversal Analysis)
- Semi-Automated LFI Identification (Targeted Parameter Scanning)
- Automated LFI Exploitation via Cookie Injection (Graybox Testing)
- Advanced Local File Inclusion (LFI) Exploitation Techniques
- Chained Exploit: Sensitive File Disclosure via LFI to phpMyAdmin Full Database Access
- Advanced LFI: Log Injection & RCE to Get Shell
- Remote File Inclusion (RFI)
- SSRF (Server-Side Request Forgery)
Sesi 11: API Security & Modern Tech Stack
- Introduction to RESTful API Structure
- Monolithic PHP vs. PHP-Based APIs
- SQL Injection in PHP APIs
- Exploiting SQL Injection in PHP APIs
- Local File Inclusion (LFI) in PHP APIs
- Exploiting Local File Inclusion (LFI) in PHP APIs
- Command Injection in PHP APIs
- Exploiting Command Injection in PHP APIs
- Information Disclosure in PHP APIs
- Introduction to Node.js
- Exploiting SQL Injection in Node.js Applications
- Exploiting Local File Inclusion (LFI) in Node.js Applications
- Exploiting Command Injection in Node.js Applications
Sesi 12: Red Team: Post-Exploitation & Persistence Mechanisms
- Post-Exploitation Frameworks & Methodologies
- Network Shell Concepts: Bind Shell vs. Reverse Shell
- Linux Privilege Escalation Techniques
- Kernel & Application-Level Rootkits
- Persistent Backdoors: Automated Reverse Shells
- Web-Based Persistence: PHP Web Shell Deployment
- Exploiting File Upload Vulnerabilities for Persistence
- Linux Password Cracking & Hash Analysis
- Next-Level Post-Exploitation: Pivoting & Lateral Movement
Sesi 13: Blue Team: Server Monitoring, Detection & SIEM Integration
- Blue Team Perspective: Incident Response & Threat Hunting
- Server Log Analysis & Event Monitoring
- Centralized Security Monitoring via Wazuh SIEM
- Advanced Linux Auditing: Auditctl vs. Process Accounting (ACCT)
- Monitoring System Events & User Activities via ACCT
- Kernel-Level Event Logging & Auditing via Auditctl
- System Hardening: Network & Application Defense
- Network Defense: Host-Based Firewall Configuration
- Port Scanning Detection & Prevention via PortSentry
- Web Application Firewall (WAF) Deployment & Tuning
- Web Server Hardening: Disabling Directory Listing
- PHP Security Hardening: Utilizing Disable_Functions & Open_Basedir
- Access Control Management & Principle of Least Privilege
- Perimeter Security: Router-Level Firewall Hardening
Sesi 14: Aspek Bisnis, Legalitas & Komunikasi Klien
- Pentest Reporting & Best Practices
- Aspek Bisnis, Legalitas & Komunikasi Klien
- Pre-Engagement Client Consultation & Scope Definition
- Drafting Professional Penetration Testing Proposals
- Legal Frameworks: Non-Disclosure Agreement (NDA) Drafting
- Contractual Agreements: Perjanjian Kerja Sama (PKS) Framework
- Time-Efficient Pentesting Methodologies & Workflow Optimization
- Strategic Shortcuts & Automation Integration
- Evasion & Stealth Testing Maneuvers
- Architecture of a Professional Security Report
- Crafting Actionable Vulnerability Descriptions
- Vulnerability Scoring & Severity Categorization
- Crucial Blunders in Technical Documentation
- AI-Driven Report Generation & Refinement
- STAR interview method, careers in pentesting, red/blue team, GRC, portfolio building, and soft skills for translating tech to business
