SEC542: Web App Penetration Testing and Ethical Hacking

Course Overview

SEC542 enables students to assess a web application's security posture and convincingly demonstrate the business impact should attackers exploit the discovered vulnerabilities. Students will come to understand common web application flaws, as well as how to identify and exploit them with the intent of demonstrating the potential business impact. Along the way, students follow a field-tested and repeatable process to consistently find flaws. Information security professionals often struggle with helping organizations understand risk in terms relatable to business. Executing awesome hacks is of little value if an organization does not take the risk seriously and employ appropriate countermeasures. The goal of SEC542 is to better secure organizations through penetration testing, and not just show off hacking skills. The course will help students demonstrate the true impact of web application flaws not only through exploitation but also through proper documenting and reporting.
  • SEC542.1: Introduction and Information Gathering
  • SEC542.2: Configuration, Identity, and Authorization Testing
  • SEC542.3: Injection
  • SEC542.4: XXE and XSS
  • SEC542.5: CSRF, Logic Flaws, and Advanced Tools
  • SEC542.6: Capture the Flag
In Person (6 days) / Online - Access Period: 4 months

Course Authors

  • Timothy McKenzie, Certified Instructor
  • Bojan Zdrnja, Certified Instructor
  • Eric Conrad, Fellow
  • Seth Misenar, Fellow

What You Will Learn

  • To apply a repeatable methodology to deliver high-value penetration tests.
  • How to discover and exploit key web application flaws.
  • How to explain the potential impact of web application vulnerabilities.
  • The importance of web application security to an overall security posture.
  • How to wield key web application attack tools more efficiently.
  • How to write web application penetration test reports.