AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Back To Schedule
Tuesday, June 24 • 09:00 - 13:00
Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:

  • Introduction to Web Application Security Assessment (Chapters 1-3)

  • Automating Bespoke Attacks: Practical hands-on experience with Burp

    Suite (Chapter 13)

  • Application mapping and bypassing client-side controls (Chapters 4-5)

  • Failures in Core Defense Mechanisms: Authentication, Session

    Management, Access Control, Input Validation (Chapters 6-8)

  • Injection and API flaws: (Chapters 9-10)

  • User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications

  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI

  • Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL

  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise

  • Harnessing new technologies such as HTML5, NoSQL, and Ajax

  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated

    Access Control checking

  • How to immediately recognise and exploit Logic Flaws

For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:



Marcus Pinto

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box... Read More →

Tuesday June 24, 2014 09:00 - 13:00 BST

Attendees (0)