Full Stack Web Attack
Full Stack Web Attack is not an entry-level course. It’s designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research.
This course is developed for web penetration testers, bug hunters and developers who want to make a switch to server-side web security research or see how serious adversaries will attack their web-based code.
So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution, then this is the course for you.
Leave your OWASP Top Ten and CSP bypasses at the door.
- Duration: 4 days
- Language: English
- Hours: 9am - 5pm*
- Lunch break: 12.30pm for 1 hour
- Coffee break: 10.30am for 10 minutes
- Coffee break: 3.15pm for 10 minutes
* The day-to-day hours may be extended at the discretion of the trainer and students.
We have three (3) public trainings for Full Stack Web Attack in 2020. Please note that the syllabus may change at any time; an accurate syllabus can be found here.
We are offering two (2) trainings in the USA as part of an agreement with the Center for Cyber Security Training.
- Location: 10480 Little Patuxent Pkwy #700 Columbia, MD 21044
- Date: February the 24th - 27th 2020
- Location: 33 New Montgomery Street San Francisco, CA 94105
- Date: August the 3rd - 6th 2020
As part of an agreement with SHACK we are offering a training in Singapore.
- Location: TBD
- Date: 29th of March - 1st of April 2020
- Registration: https://www.coseinc.com/shack/register
- Details: https://www.coseinc.com/shack/training#training-SH2043
javax.servlet.ServletException: java.lang.NullPointerException
    com.source.incite.FullStackWebAttack.certification(FullStackWebAttack.java:38)
    org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
    org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
    org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
    org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
We apologise in advance but we do not offer any certifications.
Steven Seeley (@steventseeley) is an internationally recognized security researcher and trainer. For the last four years, Steven has reached platinum status with the ZDI and has literally found over a thousand high impact vulnerabilities, some of which can be found under the advisories section.
- At least basic scripting skills (moderate or advanced skills are preferred)
- At least a basic understanding of various web technologies such as HTTP(S), proxies and browsers
- A 64-bit host operating system
- 16 Gb RAM minimum
- VMware Workstation/Fusion
- 100 Gb Hard disk free minimum
- Wired and Wireless network support
- USB 3.0 support
* This syllabus is subject to change at the discretion of the instructor.
- PHP & Java language fundamentals
- Debugging PHP & Java applications
- Module overview and required background knowledge
- Auditing for zero-day vulnerabilities
- Loose typing
- Logic authentication bypasses
- Code injection
- Filter bypass via code reuse
- Patch bypass
- Java Remote Method Invocation (RMI)
- Java Remote Method Protocol (JRMP)
- Java Naming and Directory Interface (JNDI) injection
- Remote class loading
- Deserialization 101 (using existing gadget chains)
- Introduction to object instantiation
- Introduction to protocol wrappers
- External entity (XXE) injection
- Regular file disclosure
- Blind out-of-band attacks
- Error based exfiltration using entity overwrites
- Exfiltration using protocols
- Patch analysis and bypass
- Introduction to object injection
- Magic methods
- Customized serialization
- Phar deserialization
- Property oriented programming (POP)
- Custom gadget chain creation
- Information disclosure
- Phar planting
- Building a 7 stage exploit chain for Remote Code Execution
- Blacklist bypasses (zero-day vulnerability analysis and exploitation)
- Introduction to reflection
- Expression language injection
- Bypassing URI filters
- URI forward authentication bypasses (zero-day technique)
- Deserialization 102 (custom gadget chains)
- Trampoline gadgets
- Exploiting reflection
- Whitelist (ab)use
- A zero-day bug hunt in a real target
“I recommend @steventseeley’s Full Stack Web Attack from @sourceincite. I know it’s going to be offered a few times next year, you should take it! It’s training unlike anything else. I am excited to put my newly found skills to work. Awesome stuff!”
“Just finished an amazing training course with @steventseeley - Full Stack Web Attack @sourceincite. I highly recommend it if you wanna take your php, java, and general web exploitation skills to the next level.”
“It was a great course, I think it is one of the best I ever had, I liked how Steven always explained each exercise very well and clarified any doubts. Essentially I’m very happy to have taken this course and I will recommend it to my colleagues for the next year. Thanks Steven!”
“GREAT course man! thank you SO much!”
“try harder, thanks mr_m3”
“It was very inspiring to see your strategy, way of thinking and searching through code. That is even more valuable than the vulnerabilities themselves. It was possibly one of the most challenging trainings I took, in a good way.”
Why are you only offering 3 public trainings this year?
Our primary business is vulnerability research and exploitation. Course content is derived from such research and in order to provide a training that covers bleeding edge attack techniques the instructor needs to continually improve their skills.
Why are you not offering a training in Mexico?
This year we are offering two (2) trainings in the USA and believe this services the American market. However, if demand increases, we may offer a Mexican-based training for 2020.
Can I get a discount?
Do you offer private trainings?
The madness doesn’t stop. Preconfigured environments will be provided for additional work after class ends for the rediscovery and exploitation of n-day vulnerabilities.