Full Stack Web Attack

Full Stack Web Attack is not an entry-level course. It’s designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research.

This course is developed for web penetration testers, bug hunters and developers that want to make a switch to server-side web security research or see how serious adversaries will attack their web based code.

Students are expected to know how to use Burp Suite and have a basic understanding of common web attacks as well as perform basic scripting using common languages such as python, PHP and JavaScript. Each of the vulnerabilities presented have either been mirrored from real zero-day or are n-day bugs that have been discovered by the author with a focus on not just exploitation, but also on the discovery.

So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution then this is the course for you.

Leave your OWASP Top Ten and CSP bypasses at the door.

Course Structure

  • Duration: 4 days
  • Language: English
  • Hours: 9am - 5pm*
  • Lunch break: 12.30pm for 1 hour
  • Coffee break: 10.30am for 10 minutes
  • Coffee break: 3.15pm for 10 minutes

* The day to day hours maybe extended at the descretion of the trainer and students.

When and Where

We have three (3) public trainings for Full Stack Web Attack in 2020. Please note that syllabus may change anytime, so an accurate syllabus can be found here.


We are offering two (2) trainings in the USA as part of an agreement with the Center for Cyber Security Training.

East Coast

  • Location: 10480 Little Patuxent Pkwy #700 Columbia, MD 21044
  • Date: February the 24th - 27th 2020

West Coast

  • Location: 33 New Montgomery Street San Francisco, CA 94105
  • Date: December the 1st - 4th 2020


javax.servlet.ServletException: java.lang.NullPointerException

We apologise in advance but we do not offer any certifications.


Steven Seeley (@steventseeley) is an internationally recognized security researcher and trainer. For the last four years, Steven has reached platinum status with the ZDI and has literally found over a thousand high impact vulnerabilities, some of which can be found under the advisories section.

Student Requirements

  • At least basic scripting skills (moderate or advanced skills are prefered)
  • At least a basic understanding of various web technologies such as HTTP(S), proxies and browsers

Hardware Requirements

  • A 64bit Host operating system
  • 16 Gb RAM minimum
  • VMWare Workstation/Fusion
  • 100 Gb Hard disk free minimum
  • Wired and Wireless network support
  • USB 3.0 support

Syllabus *

* This syllabus is subject to change at the discretion of the instructor.

Day 0x01


  • PHP & Java language fundamentals
  • Debugging PHP & Java applications
  • Module overview and required background knowledge
  • Auditing for zero-day vulnerabilities


  • Loose typing
  • Logic authentication bypasses
  • Code injection
  • Filter bypass via code reuse
  • Patch bypass

Day 0x02


  • Java Remote Method Invocation (RMI)
    • Java Remote Method Protocol (JRMP)
  • Java naming and directory interface (JNDI) injection
    • Remote class loading
    • Deserialization 101 (using existing gadget chains)


  • Introduction to object instantiation
  • Introduction to protocol wrappers
  • External entity (XXE) injection
    • Regular file disclosure
    • Blind out-of-band attacks
      • Error based exfiltration using entity overwrites
      • Exfiltration using protocols

Day 0x03


  • Patch analysis and bypass
  • Introduction to object injection
  • Magic methods
    • Customized serialization
    • Phar deserialization
    • Property oriented programming (POP)
    • Custom gadget chain creation
  • Information disclosure
  • Phar planting
  • Building a 7 stage exploit chain for Remote Code Execution

Day 0x04


  • Blacklist bypasses (zero-day vulnerability analysis and exploitation)


  • Introduction to reflection
  • Expression language injection
  • Bypassing URI filters
  • URI forward authentication bypasses (zero-day technique)
  • Deserialization 102 (custom gadget chains)
    • Trampoline gadgets
    • Exploiting reflection
    • Whitelist (ab)use
  • A zero-day bug hunt in a real target


“I recommend @steventseeley’s Full Stack Web Attack from @sourceincite. I know it’s going to be offered a few times next year, you should take it! It’s training unlike anything else. I am excited to put my newly found skills to work. Awesome stuff!”

- @awhitehatter

“Just finished an amazing training course with @steventseeley - Full Stack Web Attack @sourceincite. I highly recommend it if you wanna take your php, java, and general web exploitation skills to the next level.”

- @kiqueNissim

“It was a great course, I think is one of the best I ever had, I liked how Steven always explained each exercise very well and clarified any doubts. Essentially I’m very happy to have taken this course and I will recommend it to my collegues for the next year. Thanks Steven!”

- Anonymous

“GREAT course man! thank you SO much!”

- Anonymous

“try harder, thanks mr_m3”

- Anonymous

“It was very inspiring to see your strategy, way of thinking and searching through code. That is even more valuable than the vulnerabilities themselves. It was possibly one of the most challenging trainings, I took, in a good way.”

- Anonymous


Why are you only offering 3 public trainings this year?

Our primary business is vulnerability research and exploitation. Course content is derived from such research and in order to provide a training that covers bleeding edge attack techniques the instructor needs to continually improve their skills.

Why are you not offering a training in Mexico?

This year we are offering two (2) trainings in the USA and believe this services the American market. However, if demand increases, we may offer a Mexican based training for 2020.

Can I get a discount?


Do you offer private trainings?

Yes, on a case by case basis. For private trainings in the USA please contact the Center for Cyber Security Training. For all other countries please contact [email protected].

Additional Material

The madness doesn’t stop. Preconfigured environments will be provided for additional work after class ends for the rediscovery and exploitation of n-day vulnerabilities.