CSTL Web Technologies

Please click on the following tabs to reveal the knowledge depth required for a successful pass of the CSTL exam.

You will be given a random selection of questions. Please note exam content is subject to change due to circumstances beyond our control – use this as a guide and email us if you have any queries.

  • Can identify web servers on a target network and can remotely determine their type and version.
  • Has knowledge of vulnerabilities in the following commonapplication frameworks, servers and technologies:
    • .NET • J2EE • Coldfusion • Ruby on Rails • NodeJS
  • Understands the purpose, operation, limitationand security attributes of web proxy servers.
  • Understands and can demonstrate the remote exploitation of web servers.
  • Understands the concepts of virtual hosting and web proxies.

Can use spidering tools and understands their relevancein a web application test for discovering linked content.
Understands and can demonstrate forced browsing techniques to discover default or unlinked content.
Can identify functionality within client-side code.

  • Understands all HTTP methods and response codes.
  • Understands HTTP Header Fields relating to security features.
  • Understands and can demonstrate the use of web protocols, including:
    • HTTP • HTTPS • Web Sockets.
  • Understands and can demonstrateHTTP Request Smuggling
  • Understands common web mark-up and programming languages, including:
    • .NET • ASP Classic • Perl • PHP • JSP • Python • JavaScript
  • Understands and can demonstrate how the insecure implementationof software developed using these languages can be exploited(candidate may select two languages).

  • Understands and can demonstrate the use of web-based APIs to remotely access remote services.
  • Understands the use of tools and techniques to identify new OS and software vulnerabilities.
  • Understands common authentication techniques used in web APIs, e.g. API keys.
  • Can demonstrate the use of relevant tools to test APIs,e.g. SoapUI and Postman.
  • Understands and can demonstrate how the insecure implementationof web-based APIs can be exploited.
  • Understands different common payload formats such as XML and JSON.
  • Understands how to interpret definition files, e.g. WSDL and Swagger.
  • Can gather information from a web site and application mark-up or programming language, including:
    • hidden form fields • database connection strings • user account credentials • developer comments
    • external and/or authenticated-only URLs.
  • Can gather information about a web site and application from the error messages it generates.
  • Understands common authentication vulnerabilities, including:
    • Transport of credentials over an unencrypted channel
    • Testing for username enumeration • Brute-force testing • Authentication bypass
    • Session hijacking • Insecure password reset features • Insufficient logout timeout/functionality
    • Vulnerable CAPTCHA controls • Race Conditions • Lack of MFA
  • Understands common pitfalls associated with the designand implementation of application authorisation mechanisms.

  • Understands the importance of input validation and how itcan be implemented, e.g. allow-lists, deny-lists and regular expressions.
  • Understands the need for server-side validation and the flawsassociated with client-side validation.
  • Understands fuzzing and its use in web application testing.
  • Understands the generation of fuzzingstrings and their potential effects, includingthe dangers they may introduce.
  • Understands cross-site-scripting (XSS) and can demonstratethe launching of a successful XSS attack.
  • Understands the difference between persistent (stored) and reflected XSS.
  • Can demonstrate the ability to identify, explain and prove the existence of the following typesof network infrastructure vulnerabilities and exposures:
    • XXE • XML Injection • LDAP Injection
    • ORM injection • SSI injection
    XPath injection • IMAP/SMTP injection
    • Code injection • OS Commanding

Identifying SQL injection.
Exploiting UNION based injection.
Exploiting auth bypass (' or 'a'='a).
Exploiting SQL injection to execute operating system commands or read files.


  • Can determine the existence of a blind SQL injectioncondition in a web application.
  • Can exploit a blind SQL injection vulnerability.

Identifying JWTs.
Exploiting "none" signature or lack of signature checking in JWTs.
Understanding the difference between HMAC and public key JWTs.
Can identify the session control mechanism used within a web application.
Understands and can exploit session fixation vulnerabilities.
Understands the security implications of session IDs exposed in URLs.
Understands the role of sessions in CSRF attacks.
Identifying low entropy in sessions.
Brute-forcing weak HMAC keys in JWTs.

  • Understands how cryptography can be used to protect datain transit and data at rest, both on the server and client side.
  • Understands the concepts of TLS and can determine whethera TLS-enabled web server has been configured in compliancewith best practice (i.e. it supports recommended ciphers and key lengths).
  • Identification and exploitation of Encoded values (e.g. Base64).
  • Identification and exploitation of Cryptographic values (e.g. MD5 hashes).
  • Understands parameter manipulation techniques, particularly the use of client-side proxies.
  • Understands and can identify directory traversalvulnerabilities within applications.

  • Understands and can identify common vulnerabilities with file upload capabilities within applications.
  • Understands the role of MIME types in relation to file upload features.
  • Can generate malicious payloads in a variety of common file formats.
  • Can generate malicious payloads in a variety of common file formats.
  • Can assess and exploit vulnerabilities within the functional logic, function access control and business logic of an application.