VULNERABILITY ASSESSMENT AND PENETRATION TESTING

Academic Year 2024/2025 - Teacher: SERGIO ESPOSITO

Expected Learning Outcomes

  1. Knowledge and understanding. Students will gain a solid understanding of vulnerability assessment and penetration testing as an activity.
  2. Applying knowledge and understanding. Students will complement their fundamental security knowledge with hands-on use of the tools employed in vulnerability assessment and penetration testing.
  3. Making judgements. Students will learn to evaluate the robustness of a given target system by applying the relevant tools and by exploiting known vulnerabilities.
  4. Communication skills. Students will become familiar with the concepts of vulnerability assessment and penetration testing and will develop the skills to communicate the outcomes of such an activity both orally and in writing.
  5. Learning skills. Students will acquire the critical attitude and the competences needed to define and execute sessions of vulnerability assessment and penetration testing.

Course Structure

During each lesson, slides are projected to support the lectures. The course is designed to be highly interactive between students and the lecturer, given the extremely practical nature of the topics covered.

Slides projected during the lessons are available on the Teams channel dedicated to the course. Teams Code: r1lzo7s

Required Prerequisites

The course "Programmazione II e Laboratorio" is a mandatory prerequisite for this course.

Moreover, for an adequate understanding of the course, the following prerequisites are recommended:

  • Basics of computer networks;
  • Fundamentals of databases;
  • Basics of computer architectures;
  • Basic knowledge of the main web programming languages, both front-end and back-end.

Attendance of Lessons

Attending the course is mandatory.

Detailed Course Content

The Vulnerability Assessment and Penetration Testing (VAPT) course provides an in-depth understanding of the techniques and methodologies required to identify and exploit vulnerabilities in computer systems, with a particular focus on legal and practical aspects.

The course begins with an introduction to VAPT, explaining the differences between Vulnerability Assessment (VA), which focuses primarily on identifying vulnerabilities using automated tools, and Penetration Testing (PT), which is more centered on the exploitation, chaining, and manual discovery of these vulnerabilities to assess a system's security. Legal requirements related to such security activities and bug bounty programs, which offer rewards for identifying and reporting vulnerabilities, are also covered.

Next, the main methodologies for conducting VAPT activities are introduced, as well as best practices for performing effective security tests. The course then describes the different phases of VAPT, from defining the initial requirements to post-exploitation activities and subsequent reporting by the tester.

In more detail, the course covers techniques such as Information Gathering and OSINT (Open Source Intelligence), which are essential for collecting information on potential targets before executing an attack. In parallel, the concept of Threat Modeling is introduced, which involves analyzing the potential threats and vulnerabilities of a system, even theoretical ones, based on the adversaries' knowledge and capabilities.

A practical aspect of the course focuses on the ability to modify existing exploits to adapt them to specific contexts, making attacks more effective. The course also includes a module on Social Engineering, explaining how human behavior can be exploited to obtain information or access to systems.

During the Post-Exploitation phase, the course explores advanced techniques such as lateral movement, where the attacker navigates within a compromised network, privilege escalation to gain access to administrative functions, log deletion to avoid detection, data exfiltration, password cracking, and evasion of Antivirus (AV), Firewall, and Endpoint Detection and Response (EDR) systems, among others.

Finally, the course concludes with the critical phase of reporting, where students learn to document the results of their VAPT activities clearly and accurately, providing the VAPT client with a comprehensive assessment of the discovered vulnerabilities and potential solutions. The course also explores the use of offensive security-oriented operating systems, such as Kali Linux, which, although not essential, provide specific tools for these activities.

Textbook Information

  • David Basin, Patrick Schaller, Michael Schläpfer "Applied Information Security", 2011, Springer

  • Peter Kim “The Hacker Playbook 3, Practical Guide to Penetration Testing”, 2018, Secure Planet LLC

Course Planning

Subjects (text references for every subject: educational material given by the lecturer, online resources and the aforementioned textbooks):

  1. Introduction to VAPT
  2. VAPT phases
  3. Offensive security activities
  4. VAPT methodologies
  5. Offensive Security oriented Operating Systems
  6. Information Gathering and OSINT
  7. Threat Modeling
  8. Vulnerability Assessment
  9. Common vulnerabilities and their exploitation
  10. Tailoring of existing exploits
  11. Social Engineering
  12. Post-exploitation actions
  13. Reporting

Learning Assessment

Learning Assessment Procedures

  1. Implementation project.
  2. Oral examination.

Examinations may take place remotely, if required by the circumstances.

Students with disabilities and/or learning disorders (DSA) must contact the lecturer and the CInAP representative at DMI well in advance of the exam date to inform them of their intention to take the exam with the appropriate compensatory measures.

For the assignment of grades for individual assessments, the following criteria are typically followed:

  • Fail: The student has not acquired the basic concepts and is unable to answer questions or complete the exercises.
  • 18-23: The student demonstrates a minimal mastery of the fundamental concepts; their ability to present and connect content is modest, and they can solve simple exercises.
  • 24-27: The student shows a good grasp of the course content; their ability to present and connect the content is good, and they solve exercises with few errors.
  • 28-30 with honors: The student has acquired all course content and can present it comprehensively and with a critical perspective; they solve exercises completely and without errors.

Examples of frequently asked questions and / or exercises

  • Implementation project: simulate a VAPT activity on a testing environment and write a formal report on said activity.
  • Oral examination: explain why escaping all special characters from a user input might not protect a service from SQL Injection.
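The oral-examination question above has a short practical answer: escaping only helps where the input ends up inside a quoted string literal. When the value is concatenated into a numeric comparison or into an identifier position such as ORDER BY, the injected text needs no quotes, semicolons or comment markers at all, so there is nothing for the escaping routine to neutralise. The following Python script is an added example written for this page, not part of the course material or the textbooks; the table schema, the sample rows and the `escape_special_chars` filter are constructed for the demonstration, and the query functions are hypothetical names.

```python
import sqlite3

# Constructed "escape everything" filter, the kind an inexperienced developer
# might rely on: doubles quotes and backslashes, strips common injection tokens.
def escape_special_chars(value: str) -> str:
    v = value.replace("\\", "\\\\").replace("'", "''")
    for tok in (";", "--", "/*", "*/", "#"):
        v = v.replace(tok, "")
    return v


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database with a few sample users (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


# VULNERABLE: the value is escaped, but it lands in an unquoted numeric context.
# Input "2 OR 1=1" contains no character the filter touches, so every row matches.
def lookup_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    sql = "SELECT id, name FROM users WHERE id = " + escape_special_chars(user_id)
    return conn.execute(sql).fetchall()


# SAFE: validate the type, then bind the value as a parameter so the driver
# never interprets it as SQL.
def lookup_by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


# VULNERABLE: a user-chosen sort column is an identifier, not a string literal.
# A CASE expression without quotes survives the filter and turns the sort order
# into a boolean oracle (ascending if the condition is true, descending if not).
def list_users_sorted_vulnerable(conn: sqlite3.Connection, column: str) -> list:
    sql = "SELECT id, name FROM users ORDER BY " + escape_special_chars(column)
    return conn.execute(sql).fetchall()


# SAFE: identifiers cannot be bound as parameters, so map the user's choice
# onto an allow-list of known column names and reject everything else.
ALLOWED_SORT_COLUMNS = {"id": "id", "name": "name"}

def list_users_sorted_safe(conn: sqlite3.Connection, column: str) -> list:
    col = ALLOWED_SORT_COLUMNS.get(column)
    if col is None:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT id, name FROM users ORDER BY {col}").fetchall()


if __name__ == "__main__":
    db = make_db()
    print("escaped numeric lookup:", lookup_by_id_escaped(db, "2 OR 1=1"))
    print("parameterised lookup:  ", lookup_by_id_param(db, "2 OR 1=1"))
    probe = "CASE WHEN (SELECT length(role) FROM users WHERE id=1)=5 THEN id ELSE -id END"
    print("oracle, guess 5:", [r[0] for r in list_users_sorted_vulnerable(db, probe)])
    print("oracle, guess 4:", [r[0] for r in list_users_sorted_vulnerable(db, probe.replace("=5", "=4"))])
    print("allow-listed sort:", list_users_sorted_safe(db, "name"))
```

The ORDER BY probe is the point worth making at the exam: it leaks the length of the admin's role one bit per request without a single quote, semicolon or comment marker, so no escaping routine could have caught it. Parameterised queries fix the value case; identifier positions need an allow-list, because a bound parameter in ORDER BY is treated as a constant rather than a column name.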