2-DAY TRAINING 4: Advanced Web Hacking


CAPACITY: 20 pax


PRICE: EUR1499 (early bird)

EUR1999 (normal)

Early bird registration rate ends on the 14th of February


Tired of alert(1)? You think there is more to life than Burp scanner? You went through PentesterLab’s exercises and thought “I WANT MORE!!”? This training is for you!

This 2-day training will get you to the next level. We will look into CORS and the exploitation of recent vulnerabilities (Struts RCE, Shellshock, Heartbleed). We will also get shells using serialisation in multiple languages and find vulnerabilities that you may have missed in the past. Non-public variants of known issues will also be detailed.

After a quick overview of what you need to know to attack web applications, we will jump directly to the interesting stuff: hands-on training and real attacks. The class is a succession of 15-minute explanations of what you need to know, followed by hands-on examples to really understand and exploit vulnerabilities. After the training, you will go home with the course (slide-based) and the systems (Linux ISO) to be able to play and refresh your memory!

Key Learning Objectives

– Cross-origin resource sharing
– Struts RCE
– Multiple Serialisation attacks (PHP, Python, Java)
– JBoss web-console
– Padding Oracle
– Outbound XML entities attacks
– Heartbleed
– Tricky SQL injections

Who Should Attend

This training is aimed at penetration testers and security professionals who want to improve their Web skills.

The objective of this training is to provide attendees with exposure to complex web vulnerabilities and their exploitation. This includes non-obvious bugs and issues related to cryptography. All the vulnerabilities covered have been handpicked to ensure that they teach the attendees their root cause as well as another way to look at web security.

The following skills/knowledge are required:

– Exposure to information security technologies
– The ability to use a web proxy like Burp Suite or Paros.
– The ability to write basic scripts in Ruby, Python or Perl.


Day 1:

  • Review of HTTP essentials
  • Attacking JSON Web Token
  • Attack on Electronic CodeBook
  • Directory traversal and Tomcat Manager
  • Heartbleed
  • Outbound XML entities
  • Attacks on Cipher Block Chaining
  • Serialisation in Python
  • Serialisation in Java

Day 2:

  • Padding Oracle
  • Struts Dev Mode
  • Play Session Injection
  • Cross-Origin Resource Sharing attacks
  • Signature bypass using Bad Hash
  • Serialization attacks in PHP
  • Attacking JBoss console
  • XSS and SQL injection to gain command execution
  • Attacks against Gitlist

Hardware / Software Requirements

Laptop with at least 4Gb of RAM and 10Gb of disk with local administrator access.

– Virtualisation software (VMware, VirtualBox, ...)
– A scripting interpreter installed
– Burp Suite

Registering for this training will also give you free access to PentesterLab Pro (https://pentesterlab.com/pro) for one year. This will allow you to get access to videos and new private exercises, and to gain certificates of completion.

Location: NH Krasnapolsky
Date: May 24, 2016
Time: 9:00 am - 6:00 pm

Fionnbharr Davies
Luke Jahnke