Select Search Category

Web Application Hacking

This course is a mix of theory and practical, with approximately 25 hands-on labs, hosted in a cloud environment where each student gets their own lab. The labs have a mix of guided exercises for beginners and more advanced practicals for experienced participants. Theory sections focus on understanding why the vulnerability exists and the fundamental technologies that underpin it, encouraging a "learn the trade not the trick" approach. Additionally, trainees will be introduced to OWASP Top 10 to get a better understanding of the biggest cybersecurity concerns for web application security today.

Some of the topics
covered include:
Orange Cyberdefense
  • Introduction to web technologies.
  • Understanding the protocols that power the web.
  • Cookies and Session Management.
  • Understanding how sessions work in applications, and how cookies can be manipulated.
  • Introduction to Web Vulnerabilities.
  • Theory on what a vulnerability is and an introduction to the OWASP Top 10.
  • Client and Server Side Attacks.
  • Understanding web architectures and the threat models associated with them.
  • Indirect Object References.
  • Identifying and exploiting poor authorisations controls.
  • Brute forcing for restricted data.
  • Insecure file upload and file inclusion.
  • Introductions to web shells and code execution attacks.
  • XSS/CSRF, DOM Injections and Cache Attacks.
  • And many more...
Session FAQ
  • Defenders, developers or administrators looking to learn how to test web applications for vulnerabilities.
  • Penetration testers with limited web application experience looking to expand their skill set in this area.

A minimum of 1 - 3 years in security.

Hacking experience isn't a requirement for this course. However, a technical understanding of how web applications work is required. Development experience isn't a requirement but can help. The course is aimed at individuals with beginner to intermediate knowledge of web applications and hacking.

While not a strict requirement, students will benefit from having an understanding of the following topics before attending the course:

  • Fundamentals of programming
  • Programming in the following languages:
  • HTML
  • JavaScript
  • SQL
  • NoSQL

A familiarity of these topics can be obtained from the following links or other resources:

The course makes use of a cloud based Kali instance that is preloaded with all the applications you will require.To access the Kali instance, you will only require a working modern browser to access a VNC client.

As the bare minimum, you will need to bring along a laptop that is able to run the latest version of Firefox. The course cannot be conducted on tablets or other such devices.

Some students prefer conducting the practicals from their own systems due to familiarity. While this is supported, the primary method of doing the course will be via the cloud based Kali instances. Should you wish to conduct the practicals from your own system, you will need to install the following:

  • A working SSH client such as Putty or better.
  • Burp Suite Community Edition v1.7.36
  • The latest version of Mozilla Firefox

If you do not wish to make use of the browser based VNC client, please install an alternative VNC client such as tigervnc.

  • Access to our web class portal containing slides, practicals, walkthroughs and tools and prerequisites.This is accessible after the training.
  • Access to your own individual lab with numerous targets and capabilities, used for the practicals.

Subject matter experts from SensePost/Orange Cyberdefense