Full Stack Web Attack


Full Stack Web Attack is not an entry-level course. It’s designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research.

This course is developed for web penetration testers, bug hunters and developers that want to make a switch to server-side web security research or see how serious adversaries will attack their web based code.

Students are expected to know how to use Burp Suite, to have a basic understanding of common web attacks, and to be able to perform basic scripting in common languages such as Python, PHP and JavaScript. Each of the vulnerabilities presented has either been mirrored from a real zero-day or is an n-day bug discovered by the author, with a focus not just on exploitation but also on discovery.

So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution, then this is the course for you.

Leave your OWASP Top Ten and CSP bypasses at the door.

When and Where

The 3-day training course will take place on October the 1st, 2nd and 3rd of 2019 at The Room in Polanco, Mexico City.

Av. Homero s/n (opposite no. 1730), between Jaime Balmes and Luis Vives.
Ground floor of Corporativo Polanco.
Miguel Hidalgo
Los Morales Polanco
CP 11510 Ciudad de México.

You can use Google Maps for the exact location of the venue. When coming via an Uber or taxi, just tell the driver you would like to go to "Avenida Homero numero mil setecientos treinta en Polanco, se llama The Room". Don’t worry if you don’t speak any Spanish, the hotel concierges all speak English.

Hotels and Accommodation

The two hotels we recommend are approximately a 10-minute drive away by Uber or taxi. The cost of the ride to and from the venue should be approximately $5 USD. Walking is possible, but it will take approximately 25-30 minutes.

Tickets can be purchased here. Please note that the course is limited to a maximum of 20 seats to ensure a high-quality deliverable.


Steven Seeley (@steventseeley) is an internationally recognized security researcher and trainer. For the last three years, Steven has reached platinum status with the ZDI and has literally found over a thousand high impact vulnerabilities, some of which can be found under the advisories section.

Student Requirements

  • At least basic scripting skills
  • At least a basic understanding of various web technologies such as HTTP(S), proxies and browsers

Hardware Requirements

  • A 64-bit host operating system
  • 16 GB RAM minimum
  • VMware Workstation/Fusion
  • 60 GB free hard disk space minimum
  • Wired and wireless network support
  • USB 3.0 support

Syllabus *

Day 0x01


  • PHP & Java language fundamentals
  • Debugging PHP & Java applications
  • Module overview and required background knowledge
  • Auditing for zero-day vulnerabilities


  • Logic authentication bypasses
  • Code injection (n-day patch bypass)

Day 0x02


  • Java Naming and Directory Interface (JNDI) injection
    • Remote class loading
    • Deserialization 101 (using existing gadget chains)


  • Introduction to object instantiation
  • XML external entity (XXE) injection
    • File disclosure
    • Out-of-band attacks
  • Introduction to object injection
    • Property-oriented programming (POP)
    • Custom gadget chain creation
  • Information disclosure
  • Building a 7-stage exploit chain for remote code execution

Day 0x03


  • Blacklist bypasses (zero-day vulnerability)


  • Bypassing URI filters
  • URI forward authentication bypasses (zero-day technique)
  • Expression language injection
  • Deserialization 102 (custom gadget chains)
  • Trampoline gadgets
  • Exploiting reflection

* This syllabus is subject to change at the discretion of the instructor.

Additional Material

The madness doesn’t stop. Preconfigured environments will be provided for additional work after class ends for the rediscovery and exploitation of n-day vulnerabilities.