The Web Application Hacker's Handbook, Live Edition

MDSec | August 1-2 & 3-4


The course syllabus follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks and methods. After a short introduction to the subject we delve into common insecurities in logical order:

  • Introduction to Web Application Security Assessment (Chapters 1-3)
  • Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 14)
  • Application mapping and bypassing client-side controls (Chapters 4-5)
  • Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
  • Injection and API flaws (Chapters 9-10)
  • User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

  • Real-world, 2015 techniques in blind XXE injection via parameter entities, request method abuse, relative path overwrites, and XSS filter evasion
  • How to hack using all of the "OWASP Top 10"...from SQLi to LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HTTP Parameter Injection (HPI)
  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  • Harnessing new technologies such as HTML5, NoSQL, and Ajax
  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
  • How to immediately recognize and exploit Logic Flaws

For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

Who Should Take this Course

This course is typically taken by those who wish to build out their skills in web application security.

The course is also suitable for new entrants to webappsec, either new to the industry or who have a historical Network Assessment focus and are looking to gain new skills.

Student Requirements

A working knowledge of JavaScript, basic SQL and understanding of the HTTP protocol.

What Students Should Bring

Students should bring a copy of The Web Application Hacker's Handbook and a laptop. A standard Windows, Linux or Mac laptop is fine, provided it meets the following prerequisites:

  • A version of the JRE, capable of running Burp Suite.
  • An Ethernet connection.
  • Administrative access to the laptop, and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.
  • We strongly recommend a personal laptop - if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

Finally, bring an Ethernet adapter if your laptop/netbook does not have a built-in Ethernet port, or check with Black Hat prior to attending.

What Students Will Be Provided With

  • Training manual
  • 2-week trial version of Burp Suite Pro


Marcus Pinto is a co-author of The Web Application Hacker's Handbook and director of MDSec (http://www.mdsec.co.uk, http://mdsec.net), an education-focused consultancy performing training, penetration testing and research. Marcus is internationally recognized as a leader in the application and database security field, having spent the last ten years in information security. His consulting experience has placed him in front of hundreds of clients and some of the most technical areas of security currently in commercial demand. He has delivered to some of the most high-profile audiences, including training many commercial and government penetration testing teams as well as key developer and architecture teams, and advising banks and other high-profile clients on structuring their key applications.