Date: 4 December – 6 December

Course Description

Web applications are a critical part of business. Because they hold a treasure trove of data, they are a prime target for external attackers, which makes proactive security testing crucial.

In this intermediate-to-advanced class, students learn the art of exploiting web applications so that they can find flaws in their own applications before the attackers do. Expert instruction enables students to identify, validate and exploit the most prevalent application security threats today, including the key OWASP Top Ten web application risks. In a series of realistic hands-on lab exercises, students gain comprehensive practical experience with the penetration testing tools used for web application testing.

Students will assess all OWASP Top Ten security areas in real-world applications. The course explains common application security vulnerabilities such as SQL injection, Cross-Site Scripting (XSS) and authorization flaws. With this knowledge, developers and security personnel will be able to address application-level threats.


Software Developers, Web Architects, WAF administrators, Penetration testers

Course Length

3 days

Course Style

This is a highly practical, hands-on course in which students are encouraged to experiment, discuss, explore and exploit.

Course Outline

• State of Web Application Security

• Understand the specific problems in Web Applications

• Understand and describe the OWASP Top 10 vulnerabilities

• Understand the basics of testing for vulnerabilities in web applications

• Identify and prove the exploitability of the most critical OWASP Top 10 vulnerabilities

o SQL Injection (simple, blind, advanced)

o Cross-Site Scripting (XSS)

o Cross-Site Request Forgery (CSRF)

o Authentication, Authorization and Session Management

• Determine the real risk value of web application vulnerabilities

• Post-Exploitation Capabilities (pivoting to backend systems, privilege escalation)


The methodology of the training is as follows. The presentation of each OWASP Top 10 vulnerability is divided into three elements:

Definition - defining the vulnerability and its origin in the code

Impact - presenting the potential impact of a successful exploitation of the vulnerability

Hands-on Labs - explaining how to detect the vulnerability (manually or with vulnerability scanners) and presenting several attack scenarios that show how an attacker would exploit it


Day 1

• Web Application (In)Security

Security Challenge and Terminology

Web Application Security Challenge

Definition of Web Application Testing

OWASP Top 10 Project

Testing Methodology

Web Apps Testing Tools

HTML in a Nutshell

• Web Application PenTesting

Session Management

Authentication Testing

SSL - Man-in-the-Middle

Day 2

• Web Application PenTesting

Injection Attacks

Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

HTML Injections

Command Injections

Day 3

SQL Injections

Remote File Inclusion (RFI)

Advanced Hacker Tools

Capture the Flag

Price: EUR 2,400 (discounts for groups of 3 people or more)

Want to register or hear more about the training? Please contact Frédéric Lavend’Homme