Full-Stack Pentesting Laboratory
Online, Available in English
Topics:
- Browser-dependent exploitation
- DOM-based exploitation
- Exploiting race conditions
- Remote cookie tampering
- Bypassing Content Security Policy
- Exploiting type confusion
- Exploiting parameter pollution
- Hijacking tokens via PDF
- Exploiting DB truncation
- Exploiting NoSQL injection
- Using wrappers to launch RCE
- RCE via serialization/deserialization
- Exploiting path-relative stylesheet import
- Exploiting reflected file download (various browsers)
- Hacking AngularJS applications
- Non-standard XSS attacks
- Hacking with polyglot
- Subdomain takeover
- REST API hacking
- XML attacks
- Advanced clickjacking in modern browsers
- Advanced SSRF with gopher protocol
- Bypassing XSS protection with Shift_JIS encoding
- Chaining vulnerabilities for red team objectives
Overview
Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified at some of the greatest companies? If that sounds interesting, join this unique 100% hands-on training.
Discuss security bugs found in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for and exploit vulnerabilities effectively.
To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and diving into full-stack exploitation, then this 100% hands-on training is for you. There is a lab exercise for each attack presented in this training + students can take the complete lab environment home after the training session.
Students will be handed in a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.