In this course we are going to take your understanding of web exploitation to the next level. We will cover testing for hard-to-find vulnerabilities and evading filters. We will discuss how to probe these filters and use the flexibility of the language to perform the exploit while evading the filter. Sometimes the method needed to exploit a vulnerability or evade a filter is difficult to find. If you get nothing else out of this course, get this one piece of advice: just because the first check for the existence of a vulnerability failed, that does not mean that the application is not vulnerable. Keep trying until you have exhausted all possible ideas for evading filters.
This course builds upon a prior course that covers the fundamentals of the OWASP Top Ten. In this course, we will assume that you are familiar with how the basic exploits work, why they work, and general principles on how to fix them. We will cover some new types of exploits in this course and some advanced techniques that you may not have seen before, but with this basic foundation, you should be able to follow along and understand the topics.
When you are done with this course, you will come away with a deeper understanding of how to find and exploit difficult vulnerabilities, as well as how to chain lower-impact vulnerabilities together to achieve your higher-impact objectives. You will also be prepared to understand current research on the topic as you continue to advance your skills, which you will need to do to stay up to date. Also, as you test for vulnerabilities and see interesting behavior, you will need to try to understand what might be happening behind the scenes to cause that behavior. We will get into some of this in the course, but if you want to be truly successful in this field, you will need to research the application you are testing and understand the language it is written in, as well as common practices in that language that could be causing that behavior. This field is one in which you must continuously learn and constantly adapt to the changing landscape, and I hope that this course will set you up for success in testing web applications.
Lab 1: Recon Tools
Lab 2.1: Detecting and Exploiting Hard to Find SQL Injection Vulnerabilities
Lab 2.2: Advanced SQLmap
Lab 2.3: Manual Blind SQL Injection
Lab 2.4: NoSQL Injection
Lab 3.1: XSS Filter Evasion
Lab 3.2: Exploiting Misconfigured CORS
Lab 4: OS Command Injection Filter Evasion
Lab 5: Advanced Local File Inclusion
Lab 6: Advanced Cross Site Request Forgery
Lab 7.1: XXE to Obtain Arbitrary Files
Lab 7.2: Out Of Band XXE
Lab 8: SSRF for Internal Port Scanning and File Disclosure
Lab 9: Exploiting Insecure Deserialization in Java and Python
Lab 10: Capstone: Multistage Attack on a Partially Hardened Web Application
6 Months
$99