The Web Application Hacker’s Handbook, Live Edition (Beginner Course)

Beginner Course

MDSec works at the forefront of application security. Our latest edition of the Web Application Hacker’s Handbook [Wiley, 2011] spans 870 pages, and we run numerous global training courses on web application security for development teams and professional testers alike. The course follows the chapters of the second edition of The Web Application Hacker’s Handbook, with a strong focus on practical attacks (there are only 140 slides in either the two-day or the three-day course).

Our WAHH Live Course has been delivered at Black Hat, Hack in the Box, SyScan, Countermeasure and 44CON, and to over one thousand classroom and online students over the years.

The course is highly practical. There are only 140 slides in the course, which relies primarily on 400+ vulnerable examples drawn from all of the chapters of the book, plus a Capture the Flag (CTF) exercise. We have made one of the main servers we use available online; if you want to see inside the labs, you can view the demo.

Burp Suite training, for new entrants to application security assessment.

Our course features Burp Suite at its heart. Whilst many experienced web application testers may already be using Burp, it has many options and extended capabilities that users do not have time to investigate during time-limited assessments.

If requested, MDSec’s training can be adapted and extended to help you learn more about Burp Suite, including:

  • Understanding how to push Burp Intruder’s capabilities to cope with non-standard application behaviour;
  • Using Burp Extensions to extend Burp Suite’s capabilities;
  • Using macros to enable automated testing against modern frameworks that enforce CSRF tokens or automatic logout.

Meanwhile, if the above is unfamiliar territory, you can be reassured that we also offer a full “zero to hero” approach: we take you from the basics of the HTTP protocol, through setting up the tool for optimal use and the capabilities and use of each of Burp Suite’s key components, to performing both automated and manual web application tests yourself. QA teams love it!

Course Syllabus

After a short introduction to the subject we delve into common insecurities in logical order:

  • Introduction to web application security assessment (Chapters 1-3);
  • Automating bespoke attacks: practical hands-on experience with Burp Suite (Chapter 13);
  • Application mapping and bypassing client-side controls (Chapters 4-5);
  • Failures in core defence mechanisms: authentication, session management, access control, input validation (Chapters 6-8);
  • Injection and API flaws (Chapters 9-10);
  • User-to-user attacks (Chapters 12-13).

Attendees will gain theoretical and practical experience of:

  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications;
  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HTTP Parameter Injection (HPI);
  • Real-world, 2020 techniques in SQL injection against Oracle, MySQL and MSSQL;
  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise;
  • Harnessing new technologies such as HTML5, NoSQL, and Ajax;
  • New attack types and techniques: bit flipping, padding oracle, automated access control checking;
  • How to immediately recognise and exploit logic flaws.

For more detailed information about the course’s practical structure, please see the Web Application Hacker’s Methodology chapter from the original version of the book.

written by

MDSec Research


Copyright 2021 MDSec