{"id":5300,"date":"2026-06-04T23:01:09","date_gmt":"2026-06-04T23:01:09","guid":{"rendered":"https:\/\/xcode.or.id\/blog\/?p=5300"},"modified":"2026-06-04T23:40:02","modified_gmt":"2026-06-04T23:40:02","slug":"advanced-web-application-penetration-testing-and-infrastructure-securitya-comprehensive-zero-to-hero-prvate-for-professional-penetration-testers","status":"publish","type":"post","link":"https:\/\/xcode.or.id\/blog\/index.php\/2026\/06\/04\/advanced-web-application-penetration-testing-and-infrastructure-securitya-comprehensive-zero-to-hero-prvate-for-professional-penetration-testers\/","title":{"rendered":"Advanced Web Application Penetration Testing and Infrastructure Security A Comprehensive Zero-to-Hero Private for Professional Penetration Testers."},"content":{"rendered":"\n
\"\"\/
Pricing<\/strong>: IDR 14.000.000 \/ peserta (Private)<\/figcaption><\/figure>\n\n\n\n

Advanced Web Application Penetration Testing and Infrastructure Security<\/h2>\n

A Comprehensive Zero-to-Hero Private for Professional Penetration Testers<\/h3>\n
\n

Sesi 1: Fundamentals & Introduction<\/h3>\n
    \n
  • Behind the Scenes:<\/strong> What Happens When You Open a Website?<\/li>\n
  • Web Application Workflow:<\/strong> Understanding Request, Response, and Core Components<\/li>\n
  • Cookies, Sessions, and Headers Fundamentals<\/strong><\/li>\n
  • Introduction to Network Protocols & Infrastructure:<\/strong> HTTP, HTTPS, Proxy Server, DNS, Firewall, and API<\/li>\n
  • HTTP Methods:<\/strong> Deep Dive into GET and POST<\/li>\n
  • Introduction to Ethical Hacking Concepts<\/strong><\/li>\n
  • HTTP Header Manipulation Techniques<\/strong><\/li>\n<\/ul>\n
    \n

    Sesi 2: Information Gathering & Reconnaissance<\/h3>\n
      \n
    • ProxyChains + Tor<\/strong><\/li>\n
    • Subdomain Enumeration<\/strong><\/li>\n
    • Directory & File Discovery<\/strong><\/li>\n
    • Parameter Discovery<\/strong><\/li>\n
    • OSINT & Credential Leaks Hunt<\/strong><\/li>\n
    • Port Scanning & Infrastructure Services Detection<\/strong><\/li>\n
    • Tech Stack Detection \/ Fingerprinting<\/strong><\/li>\n
    • WAF & Reverse Proxy Detection<\/strong><\/li>\n
    • Information Gathering:<\/strong> Cloudflare Bypass & Real IP Discovery Techniques<\/li>\n
    • WHOIS Lookup<\/strong> atau Domain Registration Data Reconnaissance<\/li>\n
    • Network Topology Mapping<\/strong><\/li>\n
    • Defacement Footprinting<\/li>\n
    • Database Backup Leakage<\/strong><\/li>\n<\/ul>\n
      \n

      Sesi 3: Attacking Infrastructure<\/h3>\n
        \n
      • Attacking Infrastructure:<\/strong> From DoS Frameworks to Server Exploitation<\/li>\n
      • Denial of Service (DoS) Frameworks<\/strong> & Infrastructure Stress Testing<\/li>\n
      • Application-Layer DoS:<\/strong> Menganalisis mekanisme serangan DoS pada web server modern (Apache\/Nginx)<\/li>\n
      • Network-Layer Flooding:<\/strong> Konsep dan dampak serangan UDP Flood terhadap ketahanan infrastruktur jaringan<\/li>\n
      • CMS Ecosystem Supply Chain Attacks<\/strong><\/li>\n
      • Automated Web Server Vulnerability Scanning<\/strong> via Nikto<\/li>\n
      • Automated Web Vulnerability Scanning<\/strong> via Nessus<\/li>\n
      • Apache HTTP Server Case Study:<\/strong> From Path Traversal to Remote Shell<\/li>\n<\/ul>\n
        \n

        Sesi 4: Binary Exploitation & Memory Manipulation<\/h3>\n
          \n
        • Web Server Binary Exploitation<\/strong> & Memory Manipulation<\/li>\n
        • Introduction to Exploit Development:<\/strong> Web Server Memory Corruption<\/li>\n
        • Custom Fuzzer Development<\/strong><\/li>\n
        • HTTP Request & Response Header Analysis<\/strong><\/li>\n
        • Target Parameter Isolation<\/strong> (Host, User-Agent, and Custom Headers Fuzzing)<\/li>\n
        • Environment Setup<\/strong> with Immunity Debugger & Mona Framework<\/li>\n
        • Analyzing Application Crashes<\/strong><\/li>\n
        • Cyclic Pattern Generation<\/strong> & Offset Calculation<\/li>\n
        • Instruction Pointer Control<\/strong><\/li>\n
        • Stack Trampoline Redirection<\/strong><\/li>\n
        • Custom Payload Delivery<\/strong> for RCE<\/li>\n<\/ul>\n
          \n

          Sesi 5: OWASP Top 10: 2025 (Part 1)<\/h3>\n
            \n
          • Introduction and Exploitation Demonstration<\/strong> \u2013 OWASP Top 10: 2025 (Part 1)<\/li>\n
          • A01:2025<\/strong> \u2013 Broken Access Control<\/li>\n
          • A02:2025<\/strong> \u2013 Security Misconfiguration<\/li>\n
          • A03:2025<\/strong> \u2013 Software Supply Chain Failures<\/li>\n
          • A04:2025<\/strong> \u2013 Cryptographic Failures<\/li>\n
          • A05:2025<\/strong> \u2013 Injection<\/li>\n<\/ul>\n
            \n

            Sesi 6: OWASP Top 10: 2025 (Part 2)<\/h3>\n
              \n
            • Introduction and Exploitation Demonstration<\/strong> \u2013 OWASP Top 10: 2025 (Part 2)<\/li>\n
            • A06:2025<\/strong> \u2013 Insecure Design<\/li>\n
            • A07:2025<\/strong> \u2013 Authentication Failures<\/li>\n
            • A08:2025<\/strong> \u2013 Software or Data Integrity Failures<\/li>\n
            • A09:2025<\/strong> \u2013 Security Logging and Alerting Failures<\/li>\n
            • A10:2025<\/strong> \u2013 Mishandling of Exceptional Conditions<\/li>\n<\/ul>\n
              \n

              Sesi 7: Authentication, Access Control & Business Logic<\/h3>\n
                \n
              • Broken Authentication & Session Management:<\/strong>\n
                  \n
                • Weak Password Policy<\/li>\n
                • Default \/ Weak Credentials<\/li>\n
                • Credential Stuffing<\/li>\n
                • Brute Force Login & Password Attack Methodologies<\/li>\n
                • Authentication Bypass (Contoh: SQL Injection pada form login)<\/li>\n
                • Two-Factor Authentication (2FA) Bypass<\/li>\n<\/ul>\n<\/li>\n
                • Session Management Flaws:<\/strong>\n
                    \n
                  • JWT Basics Vulnerabilities<\/li>\n
                  • Session Hijacking (Contoh: Session Leakage)<\/li>\n<\/ul>\n<\/li>\n
                  • Access Control & Logic:<\/strong>\n
                      \n
                    • IDOR (Insecure Direct Object Reference)<\/li>\n
                    • Privilege Escalation (Vertical & Horizontal)<\/li>\n
                    • Business Logic Flaws & Race Condition Exploitation<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
                      \n

                      Sesi 8: Client-Side Vulnerabilities & Injection<\/h3>\n
                        \n
                      • HTML Injection<\/strong><\/li>\n
                      • CSS Injection<\/strong><\/li>\n
                      • Cross-Site Scripting (XSS)<\/strong> \u2013 Reflected \/ Non-Persistent<\/li>\n
                      • Cross-Site Scripting (XSS)<\/strong> \u2013 Stored \/ Persistent<\/li>\n
                      • Cross-Site Scripting (XSS)<\/strong> \u2013 DOM-Based<\/li>\n
                      • Session Hijacking Integration:<\/strong> XSS Cookie Theft<\/li>\n
                      • WSTG-Based XSS Testing Methodologies<\/strong> (Manual Code & Input Analysis)<\/li>\n
                      • Semi-Automated XSS Identification<\/strong> (Targeted Parameter Scanning)<\/li>\n
                      • Automated XSS Scanning in Graybox Testing<\/strong> (Session Cookie Integration)<\/li>\n
                      • Advanced XSS:<\/strong> WAF Bypass Techniques<\/li>\n
                      • CSRF<\/strong> (Cross-Site Request Forgery)<\/li>\n
                      • CORS Misconfiguration<\/strong><\/li>\n
                      • Clickjacking<\/strong> (UI Redressing)<\/li>\n
                      • Open Redirect<\/strong><\/li>\n<\/ul>\n
                        \n

                        Sesi 9: Server-Side Injection & Attacks<\/h3>\n