• Goa 2020
  • Training
  • Beyond the Web Application Hacker's Handbook - Advanced Web Hacking

Beyond the Web Application Hacker's Handbook - Advanced Web Hacking

Marcus Pinto

Sold Out

Trainer Name: Marcus Pinto
Title: Beyond the Web Application Hacker's Handbook - Advanced Web Hacking
Duration: 3 Days
Dates: 3rd - 5th March 2020


This training course is geared towards the more seasoned appsec professionals who have around 1-2 years of application testing experience under their belt and have already got knowledge of the following:

  • Knowledge of Burp basics (proxy, intruder, repeater, defining scope etc)
  • Basic coding ability (e.g. scripting such as JavaScript, some languages such as Python)
  • Pre-existing knowledge exploiting bugs such as SQL Injection, XSS, XSRF, Traversal

This course takes the above concepts as a foundation and builds on them to help professionals develop their expertise further in the field, covering:

  • writing burp macros and writing Burp extensions
  • finding and exploiting subtle but common logic and access control flaws
  • techniques for getting more out of Burp Suite
  • avoiding common penetration testing pitfalls
  • beating input validation and other application defences
  • fuzzing techniques and methodologies for interacting with new technologies

Delegates also get FREE 1-month online access to the supporting lab environment for Day 1 after the course.


Delegates will participate in collaborative discussions as we cover the theory of web application security, the hacker's mindset, and how to apply critical hacker-oriented thinking to a situation. 

  • Introduction to Web Application Security
  • Threat Modelling and the Hacker Mindset
  • Rules were made to be Abused
  • High-Profile Hacks
  • Using a Web Proxy
  • Applying Burp Suite to exploit common web application flaws
  • Basics of Passive and Active Scanning
  • Automation approaches
  • The Web Application Hacker's Handbook - lightning summary with lab examples!
    • Bypassing Client-Side Controls
    • Exploiting SQL Injection
    • Exploiting Backend Components: Traversal, Command Injection, File Inclusion
    • Finding and Exploiting XSS
    • Other attacks against Users

DAY 2 - DESIGN FLAWS (workshop/practical)

  • Setting up - Mapping an application, identifying and locating known and unknown application assets
  • Tooling up - A deeper dive into automation techniques covering customising automation processes
  • Authentication, Sessions, Tokens and Encryption
  • Leveling up - Understanding and Exploiting Access Controls

DAY 3 - CODING FLAWS (workshop/practical)

  • Understanding and Exploiting Common Server-Side Bugs: deserialisation, xxe
  • Understanding and Exploiting Uncommon Server-Side Bugs
  • Attacking and invalidating input validation

Trainer Bio:

Marcus Pinto is the author of the well-known Web Application Hacker's Handbook series, and has been working within Application Security for over 15 years, going back to its origin as a subject. After 5 years in technical security consulting, the past 10 years in application security training have also included everything from longer-term SDLC engagements to technical security assessment. Marcus is Director at MDSec, a company specialising in education and technical security assessment for finance, software, retail and government clients.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved