CYBERSECURITY TRAINING
Duration: 45 days
Batch Type: Weekend and Weekdays
Languages: English
Class Type: Online
Course Fee: Call for fee
Course Content
CYBERSECURITY FUNDAMENTALS
ETHICAL HACKING ESSENTIALS
APPLICATION SECURITY & OWASP
API SECURITY & PENTESTING
Module 1: Cybersecurity Fundamentals (10 Hours)
Session 1: Introduction to Cybersecurity - CIA Triad, threats, security domains - Cybersecurity roles & job paths
Session 2: Networking Basics for Security - OSI model, TCP/IP stack - Packet analysis using Wireshark
Session 3: Protocols & Traffic Analysis - HTTP/S, DNS, FTP, ICMP - Inspecting protocol behavior with Wireshark
Session 4: Linux Basics for Security - User management, file permissions - Bash commands & log files
Session 5: Windows Security Essentials - Event Viewer, PowerShell basics - File ACLs, services
Session 6: Virtualization & Lab Setup - Setup Kali Linux, Metasploitable - Create isolated test environment
Session 7: Malware & Threats Overview - Viruses, trojans, ransomware - Use VirusTotal, Hybrid Analysis
Session 8: Firewalls, IDS/IPS – Understand FWs, IDS/IPS
Session 9: Security Policies & Compliance - ISO 27001, NIST, GDPR basics - Real-world compliance examples
Session 10: Incident Response & SOC Tools - SOC workflow & SIEM
Module 2: Ethical Hacking Essentials (10 Hours)
Objective: Understand hacker methodologies, common vulnerabilities, and exploit techniques using Kali Linux and real tools.
Session 11: Ethical Hacking Methodology - Stages: Recon to Reporting - Setup hacking tools in Kali
Session 12: Footprinting & Reconnaissance - whois, nslookup, Shodan, Google Dorking - Maltego and online recon
Session 13: Scanning Networks - Nmap scans (TCP, UDP, service detection) - OS and version detection
Session 14: Enumeration - NetBIOS, SMB, SNMP
Session 15: Vulnerability Scanning - OpenVAS, Nessus walkthrough - Manual vulnerability triage
Session 16: Exploitation with Metasploit - MS08-067 exploit demo - Using Meterpreter sessions
Session 17: Maintaining Access & Privilege Escalation - Basic persistence and privilege tools
Session 18: Web App Footprinting - Burp Suite intercept & crawl - Analyze headers, cookies, JS files
Session 19: Password Attacks - Hydra, Hashcat, rockyou wordlists - Crack Linux shadow file or FTP creds
Session 20: Report Writing & Risk Rating - CVSS basics - Create penetration test report (template provided)
Module 3: Application Security & OWASP Top 10 (15 Hours)
Objective: Perform hands-on testing of common web application vulnerabilities using DVWA, Juice Shop, PortSwigger labs and Burp Suite.
Session 21: Web Application Architecture - Client-server, cookies, sessions - State management and security impact
Session 22: Identification & Auth Failures - Broken login logic, predictable tokens - Brute force login using Burp Intruder
Session 23: Broken Access Control - IDOR, role escalation - Lab: DVWA / Juice Shop access bypass / PortSwigger labs
Session 24: Cryptographic Failures - Insecure transport (HTTP), weak encryption - Analyze JWT tokens, TLS inspection
Session 25, 26 & 27: Injection (SQL, OS) - SQLMap automation + manual SQLi - Command injection in web forms
Session 28 & 29: XSS – XSS types, attack scenarios - Solving lab challenges
Session 30: Security Misconfiguration - Directory listing, default creds - HTTP methods and headers test
Session 31: Vulnerable Components - Identify outdated libraries with retire.js, Snyk - Exploit known CVEs
Session 32: Software & Data Integrity, Insecure Design - Tampered software updates
Session 33 & 34: SSRF & Logging Issues - SSRF via file/image fields - Log injection, insufficient logging
Session 35: DevSecOps Intro – SAST/SCA
Module 4: API Security & Pentesting (10 Hours)
Objective: Hands-on, job-ready API pentesting module using OWASP crAPI mapped to OWASP API Top 10, including real-world attacks and professional reporting.
Session 36 & 37: API Security Basics & OWASP API Top 10 - REST, SOAP, GraphQL - Test APIs with Postman/ZAP (demo APIs)
Session 38: crAPI Setup & Architecture - OWASP Mapping: N/A - Lab Tasks: - Setup crAPI using Docker - Explore frontend, backend, API gateway - Review Swagger documentation and API endpoints
Session 39: Reconnaissance & Endpoint Discovery - OWASP Mapping: API1 - Broken Object Level Authorization - Lab Tasks: - Discover endpoints via Swagger & Burp Suite - IDOR: Access unauthorized bookings /api/v1/workshop/booking/{id}
Session 40: Broken Authentication - OWASP Mapping: API2 - Broken Authentication - Lab Tasks: - Password reset without ownership - OTP Bypass / JWT abuse using insecure token
Session 41: Excessive Data Exposure - OWASP Mapping: API3 - Excessive Data Exposure - Lab Tasks: - Dump verbose JSON - Extract email, address from other users
Mass Assignment - OWASP Mapping: API6 - Mass Assignment - Lab Tasks: - POST /api/v1/me/update-details to change roles - Add unauthorized fields in payload
Session 42: Security Misconfiguration - OWASP Mapping: API7 - Security Misconfiguration - Lab Tasks: - Abuse Swagger endpoints - CORS misconfig / Unused HTTP methods
Session 43: Rate Limiting & Brute Force - OWASP Mapping: API4 - Lack of Resources & Rate Limiting - Lab Tasks: - Brute force OTP/passwords - Enumerate usernames
Session 44: Broken Function Level Authorization - OWASP Mapping: API5 - BFLA - Lab Tasks: - Delete another user’s booking - Access admin functions without elevated role
Session 45: SSRF (Server-Side Request Forgery) - OWASP Mapping: API8 - SSRF - Lab Tasks: - SSRF via profile image upload or feedback module
Full Pentest Challenge & Report Writing - OWASP Mapping: Consolidated - Lab Tasks: - Capture all crAPI challenge flags - Document vulnerabilities with: - CVSS score - Exploit steps - Screenshots - Remediation
Tools Used: - Docker Desktop (to host crAPI) - Postman - Burp Suite (Community or Pro) - Swagger UI - JWT.io - Dirsearch / Ffuf (optional)
Deliverables: - crAPI Lab Manual (step-by-step + screenshots) - API Pentest Report Template - OWASP API Top 10 to crAPI Mapping Sheet - Burp/Postman Cheat Sheet - Trainer Slides (PDF/PPT format)
Skills
OWASP, Ethical Hacking, Cybersecurity, APPLICATION SECURITY, API SECURITY, PENTESTING
Institute

Welcome to PNR EDU
Your Comprehensive IT Learning & Development Hub in Hyderabad, Telangana
PNR EDU is a premier institution dedicated to shaping future-ready...
15 Years Experience
Plot No 10, 9-5/11, Srinivasa Gayatri Nagar, Jillalguda, 500079