Cybr Courses Courses Search All Courses7 AlphabeticalNewly Created All CategoriesApplication SecurityBeginnerCertificationsCloud SecurityCybersecurity FundamentalsEthical HackingIntermediateNetworking Security All InstructorsAldenChristopheJuan Free 9 Lessons Beginner’s Guide to sqlmap Christophe Learn to use one of the most popular tools to find SQL injection vulnerabilities: sqlmap. In this course, we start out by creating a simple, free, and quick home lab environment with Virtual Box, Kali Linux, and Docker. I'll walk you through step-by-step how to do that, so don't worry if it sounds intimidating! After that, we download and install the latest version of sqlmap. Then, we look at some of the most important and useful features and options for beginners to get started with. Finally, we launch SQL injection attacks against our lab environment in order to extract information from the vulnerable database. sqlmap can be used to extract information such as database schema, database names, table names, password hashes, and more. It even includes a built-in password cracker which we demonstrate by cracking all of the passwords stored in the users table of the database. This course is meant to be easy to follow so that you can quickly learn how to get started with sqlmap. So whether you are interested in becoming a web pentester, or whether you are interested in learning how to make web applications more secure, this course will help you understand what tools and techniques can be used to automate SQL injection attacks and complement manual exploration. Not Enrolled 42 Lessons Cross-Site Scripting (XSS): The Practical Guide Christophe Description: In this course, you will develop the skills you need to successfully perform and combat Cross-Site Scripting (XSS) attacks. XSS is one of the top 10 most dangerous and common web application attacks according to both OWASP and CWE. I've spent months creating and collecting the best resources on XSS to put them in this course so that you can learn Cross-Site Scripting in a fun, efficient, and practical manner. In order to truly understand how XSS works and how to defend against it, you have to learn hands-on by executing attacks against vulnerable applications and then looking at secure versions of the same code, and that's exactly what you'll do in this course. We start out by explaining the concepts of XSS and its 3 main types: Reflected, Stored (Persistent), and DOM-based. Then, we take a look at case studies of recent real-world XSS vulnerabilities in Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok. After that, we spin up a lab environment to perform all 3 types of attacks with both manual and automated approaches. We then set up, configure, and use a powerful browser exploitation framework called BeEF to deliver a payload that hooks unsuspecting browsers. From there, you can launch a number of different attacks using BeEF command modules (ie: scanning internal networks, defacing websites, compromising routers, and more). Next, we apply everything we've learned to pentest the OWASP Juice Shop starting with information gathering, and then exploiting all 3 types of XSS. Finally, we wrap up the course by discussing the most (and least) effective defensive controls, including rules, cheat sheets, and recommended code review techniques to properly defend your applications from this dangerous threat. If you're looking for a hands-on way to learn Cross-Site Scripting, this is your course! Testimonials: "I've got about 3 years in software security with about 23 years in information and DOD security. While I was familiar with XSS I always thought it was a unique and not so dangerous vulnerability. Your course showed me just how damaging XSS could be, and the various ways to assess and mitigate XSS vulnerabilities. I’ll be incorporating your tools and processes in the way I work with teams to evaluate their products." - Matthew H. "This course is great and I would recommend it to anyone trying to learn about web-pentesting or trying to pursue bug bounty as this course gives you a good basis on XSS with a lot of hands-on work." - Bludger Not Enrolled 32 Lessons DevSecOps Fundamentals Christophe Learn the fundamentals of DevSecOps in this upcoming course. It is in active development and will be available for Early Preview access mid-June. Free 25 Lessons Injection Attacks: The Free Guide Christophe In this course, we explore the biggest risk facing web applications: injections. While we will focus primarily on SQL injections, there are other types of injections such as OS command, LDAP, XPATH, XML, and SMTP header injections, which are all listed in the OWASP Top 10 risks. In order to truly understand how injections work, we have to learn hands-on by executing attacks against vulnerable applications, and that's exactly what we'll do in this course. We start out by setting up safe and legal environments, and then we go on the offense exploring each successful and unsuccessful attack to understand what's going on, and ultimately, how to protect our apps against such vulnerabilities. So if you're looking for hands-on learning, this is your course! Free 26 Lessons Introduction to Application Security (AppSec) Christophe Description: In this course, we provide a thorough yet high-level understanding of Application Security concepts as they relate to web, mobile, and cloud-based applications. It is intended to provide a foundational overview of core concepts so that you can dive deeper into those respective areas of interest. Free 10 Lessons Introduction to OS Command Injections Christophe OS Command Injections are part of the OWASP Top 10 Web Application Security Risks, and as you will see in this course, this threat can result in serious damages if left unchecked. We start out by creating a safe and legal environment for us to perform attacks in. Then, we cover the core concepts of command injections and learn about techniques that can be used to exploit vulnerable targets. After that, we go full-on offensive and perform manual injection attacks as well as automated attacks with a tool called Commix. Once we find vulnerabilities, we generate and plant persistent backdoors that can be exploited to create shells with MSFvenom and Weevely, giving us access to the target server any time we want. After successfully attacking and compromising our targets, we take a step back and discuss defensive controls at the application layer. We also look at actual vulnerable code and show ways of fixing that vulnerable code to prevent injections. Since OS Command injections can be used to exploit most systems running an operating system, such as: web servers, IoT devices, office devices (ie: printers), and more, this is an important threat to understand as an application developer or IT business leader. Not Enrolled 61 Lessons The Practical Guide to sqlmap for SQL Injection Christophe Description: Learn how to use sqlmap in-depth for professional engagements like pentests or bug bounties. sqlmap is the most powerful and widely used SQL injection tool, and for good reason. It packs an impressive array of features and options specifically crafted to fingerprint, enumerate, and takeover databases as well as underlying systems. In this course, we take a look at all of that. We start by looking at the sqlmap project, including how the source code repository is structured, where to find important files such as configuration and payload files, and how to set up a home lab environment to safely and legally practice what we're learning. Then, we explore every single option that sqlmap offers with examples and explanations of how and when to use the option(s). We learn tips & tricks to see what sqlmap is doing under the hood and to troubleshoot when we come across issues. Once we've covered sqlmap's options and features, we tie it all together by running through scenarios. This is when we get to see how those options can be used together or on their own to achieve our pentest or bug bounty objectives. The course also includes sections dedicated to specific topics such as bypassing WAFs and evading security controls, and how to run sqlmap as an API. Free 9 Lessons Beginner’s Guide to sqlmap Christophe Learn to use one of the most popular tools to find SQL injection vulnerabilities: sqlmap. In this course, we start out by creating a simple, free, and quick home lab environment with Virtual Box, Kali Linux, and Docker. I'll walk you through step-by-step how to do that, so don't worry if it sounds intimidating! After that, we download and install the latest version of sqlmap. Then, we look at some of the most important and useful features and options for beginners to get started with. Finally, we launch SQL injection attacks against our lab environment in order to extract information from the vulnerable database. sqlmap can be used to extract information such as database schema, database names, table names, password hashes, and more. It even includes a built-in password cracker which we demonstrate by cracking all of the passwords stored in the users table of the database. This course is meant to be easy to follow so that you can quickly learn how to get started with sqlmap. So whether you are interested in becoming a web pentester, or whether you are interested in learning how to make web applications more secure, this course will help you understand what tools and techniques can be used to automate SQL injection attacks and complement manual exploration. Not Enrolled 42 Lessons Cross-Site Scripting (XSS): The Practical Guide Christophe Description: In this course, you will develop the skills you need to successfully perform and combat Cross-Site Scripting (XSS) attacks. XSS is one of the top 10 most dangerous and common web application attacks according to both OWASP and CWE. I've spent months creating and collecting the best resources on XSS to put them in this course so that you can learn Cross-Site Scripting in a fun, efficient, and practical manner. In order to truly understand how XSS works and how to defend against it, you have to learn hands-on by executing attacks against vulnerable applications and then looking at secure versions of the same code, and that's exactly what you'll do in this course. We start out by explaining the concepts of XSS and its 3 main types: Reflected, Stored (Persistent), and DOM-based. Then, we take a look at case studies of recent real-world XSS vulnerabilities in Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok. After that, we spin up a lab environment to perform all 3 types of attacks with both manual and automated approaches. We then set up, configure, and use a powerful browser exploitation framework called BeEF to deliver a payload that hooks unsuspecting browsers. From there, you can launch a number of different attacks using BeEF command modules (ie: scanning internal networks, defacing websites, compromising routers, and more). Next, we apply everything we've learned to pentest the OWASP Juice Shop starting with information gathering, and then exploiting all 3 types of XSS. Finally, we wrap up the course by discussing the most (and least) effective defensive controls, including rules, cheat sheets, and recommended code review techniques to properly defend your applications from this dangerous threat. If you're looking for a hands-on way to learn Cross-Site Scripting, this is your course! Testimonials: "I've got about 3 years in software security with about 23 years in information and DOD security. While I was familiar with XSS I always thought it was a unique and not so dangerous vulnerability. Your course showed me just how damaging XSS could be, and the various ways to assess and mitigate XSS vulnerabilities. I’ll be incorporating your tools and processes in the way I work with teams to evaluate their products." - Matthew H. "This course is great and I would recommend it to anyone trying to learn about web-pentesting or trying to pursue bug bounty as this course gives you a good basis on XSS with a lot of hands-on work." - Bludger Not Enrolled 32 Lessons DevSecOps Fundamentals Christophe Learn the fundamentals of DevSecOps in this upcoming course. It is in active development and will be available for Early Preview access mid-June. Free 25 Lessons Injection Attacks: The Free Guide Christophe In this course, we explore the biggest risk facing web applications: injections. While we will focus primarily on SQL injections, there are other types of injections such as OS command, LDAP, XPATH, XML, and SMTP header injections, which are all listed in the OWASP Top 10 risks. In order to truly understand how injections work, we have to learn hands-on by executing attacks against vulnerable applications, and that's exactly what we'll do in this course. We start out by setting up safe and legal environments, and then we go on the offense exploring each successful and unsuccessful attack to understand what's going on, and ultimately, how to protect our apps against such vulnerabilities. So if you're looking for hands-on learning, this is your course! Free 26 Lessons Introduction to Application Security (AppSec) Christophe Description: In this course, we provide a thorough yet high-level understanding of Application Security concepts as they relate to web, mobile, and cloud-based applications. It is intended to provide a foundational overview of core concepts so that you can dive deeper into those respective areas of interest. Free 10 Lessons Introduction to OS Command Injections Christophe OS Command Injections are part of the OWASP Top 10 Web Application Security Risks, and as you will see in this course, this threat can result in serious damages if left unchecked. We start out by creating a safe and legal environment for us to perform attacks in. Then, we cover the core concepts of command injections and learn about techniques that can be used to exploit vulnerable targets. After that, we go full-on offensive and perform manual injection attacks as well as automated attacks with a tool called Commix. Once we find vulnerabilities, we generate and plant persistent backdoors that can be exploited to create shells with MSFvenom and Weevely, giving us access to the target server any time we want. After successfully attacking and compromising our targets, we take a step back and discuss defensive controls at the application layer. We also look at actual vulnerable code and show ways of fixing that vulnerable code to prevent injections. Since OS Command injections can be used to exploit most systems running an operating system, such as: web servers, IoT devices, office devices (ie: printers), and more, this is an important threat to understand as an application developer or IT business leader. Not Enrolled 61 Lessons The Practical Guide to sqlmap for SQL Injection Christophe Description: Learn how to use sqlmap in-depth for professional engagements like pentests or bug bounties. sqlmap is the most powerful and widely used SQL injection tool, and for good reason. It packs an impressive array of features and options specifically crafted to fingerprint, enumerate, and takeover databases as well as underlying systems. In this course, we take a look at all of that. We start by looking at the sqlmap project, including how the source code repository is structured, where to find important files such as configuration and payload files, and how to set up a home lab environment to safely and legally practice what we're learning. Then, we explore every single option that sqlmap offers with examples and explanations of how and when to use the option(s). We learn tips & tricks to see what sqlmap is doing under the hood and to troubleshoot when we come across issues. Once we've covered sqlmap's options and features, we tie it all together by running through scenarios. This is when we get to see how those options can be used together or on their own to achieve our pentest or bug bounty objectives. The course also includes sections dedicated to specific topics such as bypassing WAFs and evading security controls, and how to run sqlmap as an API. Get notified when we publish new courses