Training Teaser: Black Belt Pentesting a.k.a. Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

René Pfeiffer/ July 11, 2019/ Conference, Training

Web applications consist of far more components than HTML content and a few scripts. In turn, properly attacking web applications requires a diverse set of skills. You need to know how the back-end and the front-end work. This includes all of the scripting languages, data storage technologies, user interface peculiarities, frameworks, hosting technologies, and many more layers. DeepSec 2019 will feature a full-stack web exploitation dojo enabling you to understand the security of web applications, how to break them, and how to protect them. The training will be hosted by Dawid Czagan, an expert in the field. He will guide you through every technology and attack method relevant to the information security of web applications, such as:

  • REST API hacking
  • AngularJS-based application hacking
  • DOM-based exploitation
  • Bypassing Content Security Policy (CSP)
  • Server-side request forgery
  • Browser-dependent exploitation
  • Database truncation attack
  • NoSQL injection
  • Type confusion vulnerability
  • Exploiting race conditions
  • Path-relative stylesheet import vulnerability
  • Reflected file download vulnerability
  • Subdomain takeover

The list is not complete. It serves to illustrate the meaning of full-stack. We have come a long way from simple HTML tags and simple script libraries. The use of web technology on mobile devices, all kinds of gadgets, and even automobiles has far-reaching consequences for the security of these endpoints. Once you know how to use the full stack to your advantage, you can reach a lot more systems than a few web sites or clients.

Dawid will host the training at DeepSec 2019. All attendees will get six extra online courses:

  • Start Hacking and Making Money Today at HackerOne
  • Keep Hacking and Making Money at HackerOne
  • Case Studies of Award-Winning XSS Attacks: Part 1
  • Case Studies of Award-Winning XSS Attacks: Part 2
  • Double Your Web Hacking Rewards with Fuzzing
  • How Web Hackers Make Big Money: Remote Code Execution

The course is intended to be used for defence and offence alike. You will get the latest examples covering modern and widespread technology in use. In addition, all training materials will be interactive, so you can practice on actually deployed web applications.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.