Full Stack Web Attack - Syllabus


Please note: This syllabus is subject to change at the discretion of the instructor.

Day 1

Introduction

  • PHP & Java language fundamentals
  • Debugging PHP & Java applications
  • Module overview and required background knowledge
  • Auditing for zero-day vulnerabilities

PHP

  • Loose typing
  • Logic authentication bypasses
  • Code injection
  • Filter bypass via code reuse
  • Patch bypass

Day 2

Java

  • Java Remote Method Invocation (RMI)
    • Java Remote Method Protocol (JRMP)
  • Java naming and directory interface (JNDI) injection
    • Remote class loading
    • Deserialization 101 (using existing gadget chains)

PHP

  • Introduction to object instantiation
  • Introduction to protocol wrappers
  • External entity (XXE) injection
    • Regular file disclosure
    • Blind out-of-band attacks
      • Error based exfiltration using entity overwrites
      • Exfiltration using protocols

Day 3

PHP

  • Patch analysis and bypass
  • Introduction to object injection
  • Magic methods
    • Customized serialization
    • Phar deserialization
    • Property oriented programming (POP)
    • Custom gadget chain creation
  • Information disclosure
  • Phar planting
  • Building a 7 stage exploit chain for Remote Code Execution

Day 4

PHP

  • Blocklist bypasses (zero-day vulnerability analysis and exploitation)

Java

  • Introduction to reflection
  • Expression language injection
  • Bypassing URI filters
  • URI forward authentication bypasses (zero-day technique)
  • Deserialization 102 (custom gadget chains)
    • Trampoline gadgets
    • Exploiting reflection
    • Allowlist flexability (ab)use
  • A zero-day bug hunt in a real target