Web App Hacker’s Handbook: Live Edition

Presented By: Marcus Pinto and Aaron Devaney, MDSec

For many years, the Web Application Hacker’s Handbook has been the de facto resource for professional web application assessment. The authors have run training courses based on the book for over 10 years for thousands in the field.

However we believe today’s readers can find numerous online examples and labs which cover the basics. We’ll even give you access outside of the course to our WAHH labs server with over 400 examples and 100 videos describing these, so that we can focus on the next level.

This course focuses on giving delegates the grounding in tooling, methodology and experience to take on areas of an application which may previously have felt out of reach on a short term assessment. If you have been in professional appsec for over a year or so, you will likely empathise with the issues at the heart of the “Course Contents” shown below.

We assume a common body of knowledge (the OWASP Top 10, HTTP Protocol, JavaScript and basic programming ability) and aim to immediately build on this with variants and more complex testing environments which we will overcome together in the classroom.

This course is for the professional who can churn through the 5-10 day apptests but:

  • always meant to use burp macros
  • kept meaning to get around to writing a burp extension
  • read about SSTI, blind XXE and Java Deserialisation but not done the deep dive
  • is looking for new technologies to target and logic puzzles to solve, but keeps running into the same material (and same online CTFs)

The 2 day course will take place on the 10th & 11th September 2019 at the Novotel London West
Cost is £ 1,300 (inc VAT). Buy your place in our shop now.

Course Outline

You can get the quickest feel for what’s on the course, by understanding that we do not for example cover SQL Injection or XSS. This is not a course on basics that you can find elsewhere; in fact we will give delegates free access outside of the course to our previous labs server with over 400 examples in all of these common areas. This will allow us to focus on areas you will not have encountered elsewhere:


  • Testing “Untestable” Apps: learn how to deal with what may have seemed deal-breakers in the past such as reactive session termination, custom data encapsulation schemes, CSRF and other obstacles to testing
  • Assessing Rare Technologies: develop an approach to fuzzing, fingerprinting, researching and exploiting any of the rarer technologies that you may encounter
  • Deep Exploitation: cover hot topics that deserve a deep dive such as Java Deserialisation, External Entity Injection, and SSTI and Server Side Request Forgery
  • Exploiting Encryption: understand the ways in which the use of hashing and encryption may be flawed, and how you can overcome it
  • Breaking Logic: learn to identify the common logic flaws due to developers’ assumptions or non-comprehensive coverage of application behaviour

Student Requirements

The course is designed to provide additional capabilities and learning for appsec professionals who can already achieve general security coverage of a web application. Delegates should be able to meet the following:

  • Familiarity using an intercepting proxy
  • Understanding of basic concepts such as the HTTP protocol, session management, and basic HTML.
  • Computers capable of running Burp Suite (www.portswigger.net).
  • Note that attendees should have administrative access on these machines in order to set IP addresses, modify hosts files and install software.

Delegates will be expected to have practical experience of the OWASP Top 10, HTTP, HTML, JavaScript and the basics of a scripting language such as Python (or any other language).

What to Bring

  • A version of the JRE, capable of running Burp Suite.
  • An Ethernet connection.
  • Administrative access to the laptop, and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

About the Trainer

Marcus Pinto is internationally recognised as a leader in the application and database security field, having spent the last nine years in Information Security both as a consultant and as an end user responsible for a global team securing over 200 build tracks and 50+ externally facing applications. He has delivered training to some of the most high-profile audiences, at 44CON, BlackHat, SyScan, and Hack in the Box. Privately he has run training for many technical audiences including CESG’s penetration testing team.

Marcus also sat on the assessors panel providing input for the CREST Web Application Exam, the UK’s number one certification for application assessment.

Book your 44CON 2019 training course now!