Full Stack Web Attack


Full Stack Web Attack is not an entry-level course. It’s designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research.

Full chain exploit development is taught in class

This course is developed for web penetration testers, bug hunters and developers who want to make a switch to server-side web security research or see how serious adversaries will attack their web-based code.

Students are expected to know how to use Burp Suite and have a basic understanding of common web attacks, as well as be able to perform basic scripting in common languages such as Python, PHP and JavaScript. Each of the vulnerabilities presented has either been mirrored from a real zero-day or is an n-day bug discovered by the author, with a focus not just on exploitation but also on discovery.

So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution, then this is the course for you.

Leave your OWASP Top Ten and CSP bypasses at the door.

Audience

This course is developed for web penetration testers, bug hunters and developers who want to make a switch to server-side web security research or see how serious adversaries will attack their web-based code. Students are expected to know how to use web proxies and have a basic understanding of common web attacks, as well as be able to perform basic scripting in common languages such as Python, PHP and JavaScript. Additionally, seasoned professionals are sure to be challenged!

Objectives

Upon completion of the training course, students should be able to:

  • Set up debugging environments for Java and C# stacks.
  • Trace code through a debugger.
  • Discover basic zero-day vulnerabilities.
  • Chain and exploit web-based vulnerabilities for maximum impact.
  • Write quality patches and bypass vendor-developed patches.
  • Perform patch differentiation to reveal n-day vulnerabilities.
  • Write high-quality vulnerability reports.
  • Stay focused for long periods of time to achieve results.

Certification

We do not provide certifications at this time; however, digital certificates are provided upon class completion.

Course Structure

  • Training hours: 9am* - 5pm*.
  • Lunch break: 12.30pm for 1 hour.
  • Coffee break: 10.30am for 10 minutes.
  • Coffee break: 3.15pm for 10 minutes.

* The day-to-day hours may be adjusted at the discretion of the trainer and students.

Training Approach

The trainer uses a hybrid model of training that combines theory and practice. Each of the theoretical techniques is practically applied in class, with a focus on high information retention using Jungian psychological techniques.

The students are led through a series of exercises and challenges broken down into “modules” that cognitively reinforce theoretical concepts and encourage creative thinking by applying problem-solving skills. The content presented and trained is 100% original and applicable to current real-world software and systems.

All too often, training classes miss the gap: they don’t cover the complete stages of vulnerability research. In Full Stack Web Attack, we help the student to build their skills in vulnerability discovery and exploit development.

About The Instructor

Playing at Pwn2Own in 2021

Steven Seeley (@steventseeley) is a world-renowned security researcher who has over a decade of experience in application security. He has been credited with finding over 1500 high impact security vulnerabilities affecting vendors such as Microsoft, VMware, Apple, Adobe, Cisco and many others, which can be found under the advisories section.

In 2020, Steven teamed up with Chris Anastasio, competing in Pwn2Own Miami and winning the Master of Pwn title. In 2021, Steven reached 12th position on the MSRC top 100 Vulnerability Researchers list and continued to play in Pwn2Own in 2022. Steven’s outside interests include motorcycling, spiritual practices and fitness training.