Certified AppSec Practitioner (CAP) Exam: Certification Syllabus - Video Tutorials

Certified AppSec Practitioner (CAP)

Certified AppSec Practitioner (CAP) is an intermediate-level exam that tests candidates' knowledge of the core concepts of application security.

The SecOps Group is a globally recognized IT security company having vast experience of providing cyber security consultancy and education services.

Certification Syllabus - Video Tutorials

1. Input Validation Mechanism

  • Input validation mechanisms are techniques or processes used to ensure that data entered or provided by users or external sources is correct, secure, and conforms to the expected format or criteria.
  • The purpose of input validation is to prevent erroneous, malicious, or unexpected data from causing issues or vulnerabilities in a system.

Whitelist Filtering:
  • This approach allows only specific types of input to be accepted, filtering out any input that does not match the predefined criteria.
Blacklist Filtering:
  • In contrast to whitelist filtering, blacklist filtering blocks specific types of input that are known to be potentially harmful or malicious.

Input validation attack
  • Input validation attacks are a method of cyberattack in which the attacker injects malicious input that can be interpreted and executed by a target system to exploit its vulnerabilities.
  • Input validation attacks can employ a variety of input types such as code, scripting, and commands.
  • The most common input validation attack types are buffer overflow attacks, canonicalization attacks, cross-site scripting (XSS) attacks, and SQL injection (SQLi) attacks.

2. Cross-Site Scripting
  • Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application.
  • Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.

There are three main types of XSS attacks. These are:

  • Reflected XSS, where the malicious script comes from the current HTTP request.
  • Stored XSS, where the malicious script comes from the website's database.
  • DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

Reflected cross-site scripting

Reflected XSS is the simplest variety of cross-site scripting. It arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Stored cross-site scripting

Stored XSS (also known as persistent or second-order XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

DOM-based cross-site scripting

DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.
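As an added example (not code from the syllabus or from The SecOps Group), the Python below contrasts the whitelist and blacklist filtering described in section 1 and shows HTML output encoding, the control that keeps a reflected response from returning input to the browser as markup. The username format, the blocked-fragment list and the sample inputs are constructed assumptions.

```python
import html
import re

# Whitelist (allowlist) filtering: accept only input matching the expected format.
# Assumed format for a username field: 3-16 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")

def allowlist_valid(value: str) -> bool:
    """True only when the whole value matches the predefined criteria."""
    return USERNAME_RE.fullmatch(value) is not None

# Blacklist (blocklist) filtering: reject input containing known-bad fragments.
# Constructed, deliberately naive list, as such lists tend to be in practice.
BLOCKED_FRAGMENTS = ("<script", "javascript:", "onerror")

def blocklist_valid(value: str) -> bool:
    """True when none of the blocked fragments appears verbatim."""
    return not any(fragment in value for fragment in BLOCKED_FRAGMENTS)

def render_greeting(name: str) -> str:
    """Build the immediate response of a page that reflects a request parameter.
    html.escape turns <, >, &, " and ' into entities, so the browser renders the
    input as text instead of executing it, whatever the filters decided."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

# Constructed test inputs: one benign value, then variants of the same probe
# that a filter reviewer would run to see which ones slip through.
SAMPLES = [
    "alice_01",
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<img src=x onError=alert(1)>",
]

def compare_filters() -> dict:
    """Map each sample to (allowlist result, blocklist result)."""
    return {s: (allowlist_valid(s), blocklist_valid(s)) for s in SAMPLES}

if __name__ == "__main__":
    for sample, (allow, block) in compare_filters().items():
        print(f"{sample!r:36} allowlist={allow!s:5} blocklist={block!s:5}")
    print(render_greeting(SAMPLES[1]))
```

Only the first sample passes the allowlist, while the case and event-handler variants pass the blocklist; the encoded greeting is safe regardless of which filter ran.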

3. SQL Injection
4. XML External Entity attack
5. Cross-Site Request Forgery
6. Encoding, Encryption and Hashing
7. Authentication related Vulnerabilities
  • Brute force Attacks
  • Password Storage and Password Policy
8. Understanding of OWASP Top 10 Vulnerabilities
9. Security Best Practices and Hardening Mechanisms
  • Same Origin Policy
  • Security Headers
10. TLS security
  • TLS Certificate Misconfiguration
  • Symmetric and Asymmetric Ciphers
11. Server-Side Request Forgery
12. Authorization and Session Management related flaws
  • Insecure Direct Object Reference (IDOR)
  • Privilege Escalation
  • Parameter Manipulation attacks
  • Securing Cookies
13. Insecure File Uploads
14. Code Injection Vulnerabilities
15. Business Logic Flaws
16. Directory Traversal Vulnerabilities
17. Security Misconfigurations
18. Information Disclosure
19. Vulnerable and Outdated Components
20. Common Supply Chain Attacks and Prevention Methods
