Countermeasure 2012, Training

The Web Application Hacker's Handbook, 2nd Edition Live by MDSec

Trainer: Marcus Pinto, MDSec

Course Syllabus:

The course syllabus follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks and methods. After a short introduction to the subject we delve into common insecurities in logical order:

  • Introduction to Web Application Security Assessment (Chapters 1-3)
  • Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
  • Application mapping and bypassing client-side controls (Chapters 4-5)
  • Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
  • Injection and API flaws: (Chapters 9-10)
  • User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  • How to attack LDAP, XPath and SOAP interfaces, and how to exploit HTTP Parameter Pollution (HPP) and HTTP Parameter Injection (HPI)
  • Real-world, 2011 techniques in SQL Injection against Oracle, MySQL and MSSQL
  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  • Harnessing new technologies such as HTML5, NoSQL, and Ajax
  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
  • How to immediately recognise and exploit Logic Flaws

Teaching Methods:

We have run courses for over 6 years, and we know that most people prefer a practical focus. This structured course is balanced at 130 slides with numerous opportunities to watch instructor-led demos while hacking our library of over 150 lab exercises, finishing with a "Capture the Flag" contest.

The course is executed in the following style:

  • Brief theory delivered in lecture-style with examples
  • Interactive demonstrations of key techniques
  • Hands-on hacking, supported by the WAHH authors
  • Capture the Flag contest


Marcus Pinto

Marcus Pinto is internationally recognised as a leader in the application and database security field, having spent the last nine years in Information Security both as a consultant and as an end user responsible for a global team securing over 200 build tracks and 50+ externally facing applications. He has delivered training to some of the most high-profile audiences, at Blackhat, Syscan, and Hack in the Box. Privately he has run training for many technical audiences including CESG's penetration testing team.

Marcus also sat on the assessors' panel providing input for the CREST Web Application Exam, the UK's number one certification for application assessment.

Minimum Class Size:

Course minimum has been reached. This class is confirmed to run.

Author Background:

The Web Application Hacker's Handbook was co-authored by Marcus Pinto and Dafydd Stuttard. Dafydd Stuttard is an independent security consultant, author and software developer. He has ten years' experience in security consulting and specializes in the penetration testing of web applications and compiled software. He works with banks, retailers and other enterprises to help secure their critical applications. Dafydd is author of The Web Application Hacker's Handbook and SQL Injection Attacks and Defense. Under the alias "PortSwigger" Dafydd created the popular Burp Suite of web application hacking tools. He has developed and presented training courses at security conferences around the world.

Student Requirements:

  • Familiarity using an intercepting proxy
  • Understanding of basic concepts such as the HTTP protocol, session management, basic HTML and JavaScript