
Advanced Web Hacking Training

Our four-day Advanced Web Hacking course


This dynamic Web Hacking course gives participants an insight into advanced web hacking. The team has set up a state-of-the-art hack lab and recreated security vulnerabilities based on real penetration tests and actual bug bounties from the private sector.

The course is now available as live online training and can be held for you individually or for your company. Contact us below with your requirements.

The AWH course has been excellent with 100% positive feedback. We’ve appreciated ourselves how much work must have gone into the labs, they are very strong and reflect the real world, so we’ve been thrilled. The trainers are great, very knowledgeable and engaging.

Delegate, Black Hat USA

Really liked the training. Advanced stuff covered a lot of not so easy to find scenarios. Hats off on the efforts in building the practice labs

Delegate, Black Hat USA

Is this course right for you?

Have you ever asked yourself the following questions:

  • Is there a way to effectively exfiltrate data using out-of-band techniques for specific vulnerabilities?
  • Is there a way to test encrypted parameters to find vulnerabilities?
  • Are there ways to bypass SSO functionalities?
  • Are there ways to find SQL injection vulnerabilities that are not detected by automated tools?
  • Are there ways to crack weak encryptions?
  • Is there an effective way to bypass the password reset functions?
  • What can I do with SSRF vulnerabilities?
  • How can I exploit deserialisation vulnerabilities?

If so, then our Advanced Web Hacking course is right for you!

Course participants receive:

  • Access to our online hack lab, which is intentionally peppered with lots of vulnerabilities,
  • Demonstrations and practical exercises on the vulnerabilities to better understand and manage problems,
  • Numerous scripts and tools for advanced attacks,
  • A PDF copy of all course materials used during the course, including the instructor’s slides, the cheat sheets for the tools, and instructions on how to finalise the course,
  • Access to Claranet Cyber Security’s Advanced Web Hacking Lab for 30 days after the end of the course.

For security and IT decision-makers

What impact does a training course by Claranet Cyber Security really have on your team?

Secure your environment, reduce the risk of compromise and make your company a less attractive target for attackers by building a team which identifies and tests web-based vulnerabilities and guides developers in securing them. At the end of the course, participants will be able to:

  • Conduct security tests to identify and safely exploit complex web vulnerabilities which scanners and other automated tools miss – this can help you identify vulnerabilities and recommend appropriate patches,
  • Design tests to protect you from the threats your company is facing,
  • Customise attack tools to generate individually designed (rather than out-of-the-box) payloads to perform more advanced testing,
  • Recommend workarounds for systems whose weaknesses could lead to vulnerabilities,
  • Understand the commercial impact of web vulnerabilities and present this to key stakeholders,
  • Take on more responsibility in the team,
  • Become an advocate for security throughout the company.

The Advanced Web Hacking course covers a wealth of hacking techniques for compromising web applications, APIs and associated endpoints. The course focuses on specific areas of application security and advanced techniques for identifying and exploiting vulnerabilities (especially server-related vulnerabilities). It is a practical course which covers new and quirky hacks that affect real products and have been mentioned in real bug bounty programmes. It selects vulnerabilities that typically go undetected by modern scanners or whose exploitation techniques are not as well known.

Learning objectives:

  • Modern JWT, SAML and OAuth vulnerabilities
  • Business logic and crypto errors
  • RCE via Java serialisation, object, OGNL and template injection
  • Exploitation via DNS channels
  • Advanced SSRF, HPP, XXE and SQLi topics
  • Attack chains and real-life practical examples

Authentication Bypass

  • Token Hijacking attacks
  • Logical Bypass / Boundary Conditions

SAML / OAuth 2.0 / Auth0 / JWT attacks

  • JWT Token Brute-Force attacks
  • SAML Authentication and Authorization Bypass
  • XXE through SAML
  • Advanced XXE Exploitation over OOB channels

Password reset attacks

  • Cookie Swap
  • Host Header Validation Bypass
  • Case study of popular password reset fails

Breaking Crypto

  • Known Plaintext Attack (Faulty Password Reset)
  • Path Traversal using Padding Oracle
  • Hash length extension attacks

SQL Injection

  • 2nd order injection
  • Out-of-Band exploitation
  • SQLi through crypto
  • OS code exec via PowerShell
  • Advanced topics in SQLi

Remote Code Execution (RCE)

  • Java Serialisation Attack
  • Node.js RCE
  • PHP object injection
  • Ruby/ERB template injection
  • Exploiting code injection over OOB channel

Business logic flaws / Authorization flaws

  • Mass Assignment
  • Invite/Promo Code Bypass
  • Replay Attack
  • API Authorisation Bypass

Server Side Request Forgery (SSRF)

  • SSL / TLS Bugs
  • Deserialisation Bugs

Unrestricted upload

  • Malicious File Extensions
  • Circumventing File validation checks

Miscellaneous topics

  • HTTP Parameter Pollution (HPP)
  • XXE in file parsing
  • A collection of weird and wonderful XSS and CSRF attacks

Attack chaining

  • Combining client-side and/or server-side attacks to steal internal secrets

Who Should Take This Class?

  • Web developers
  • SOC analysts
  • Intermediate level penetration testers
  • DevOps engineers, network engineers
  • Security architects
  • Security enthusiasts
  • Anyone who wants to take their skills to the next level

You will need:

Students must bring their own laptop and have admin/root access on it. The laptop must have virtualization software (VirtualBox / VMware) pre-installed. A customized version of Kali Linux (OVA format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicated to the VM.
