SensePost Trainings - Web Application Ethical Hacking

About the course

SensePost Trainings - Web Application Hacking

This course will teach you how to analyse web applications for vulnerabilities and exploit them.

SensePost has been conducting penetration tests against web applications for nearly two decades and has distilled their approach into this course. Providing a thorough and scientific approach, techniques to maximise coverage of an application will be taught.

Whether you're a developer looking to better understand how to defend your applications or a penetration tester looking to enhance your web application bug hunting, this course is for you.

This course is highly practical, with over 22 different practical exercises. You'll learn how to exploit numerous common web vulnerabilities by hand, and understand the theory behind them. You will be better able to help developers prevent these classes of attacks in their applications. We aim to teach you the trade, not just the tricks: while tools are covered and do help, you will be taught how to exploit many of these vulnerabilities by hand.

No equipment other than a web browser is needed. We make use of a fully cloud-based, individual virtual training lab, to which you can maintain access after the course. This means no interference from other students, a robust and safe practice environment, and time to experiment afterwards.


Key Takeaways:

- A general approach and methodology for hacking web applications
- A good understanding of the tools and techniques for examining web applications
- Practical and practised skills (there are a lot of practical exercises in this course)


Some of the topics covered:

Introduction to web technologies

  • Understanding the protocols that power the web and getting comfortable with how they look on the wire as well as intercepting and modifying them.

Cookies and Session Management

  • Understanding how sessions work in applications, and how cookies can be manipulated.

Introduction to Web Vulnerabilities

  • Theory on what a vulnerability is and an introduction to the OWASP Top 10.

Client and Server Side Attacks

  • Understanding web architectures, and the threat models associated with them as well as several client and server side vulnerabilities and related exploits.

Indirect Object References

  • Identifying and exploiting poor authorisation controls.
  • Brute forcing to reach restricted data.

Path traversal

  • Exploiting path traversal vulnerabilities and bypassing restrictions.

Insecure file upload & file inclusion

  • Introduction to web shells and code execution attacks.

XSS/CSRF & DOM Injections & Cache Attacks

  • Manipulating the DOM with various attacks.
  • The impact of CDNs and different browser headers.

SQL & Command Injection attacks

  • Understanding data store and operating system setups, and how to exploit and explore them.

Java Deserialisation

  • Exploiting deserialisation vulnerabilities with ysoserial.

APIs, Microservices & Widgets

  • Working with APIs: common formats, tools and vulnerabilities.

WebAssembly Vulnerabilities

  • Understanding WebAssembly (wasm).
  • New attack surface exposed by wasm.

Please note that refreshments and lunches are included on both days.


Start date: 06 Nov 2019
Location / delivery: London
