MDSec’s Web Application Hacker’s Handbook, Live Edition

Sold out

Marcus Pinto

August, 20th – 21st (2 day)

The course follows the chapters of the Second Edition of The Web Application Hacker’s Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:

  • Introduction to Web Application Security Assessment (Chapters 1-3)
  • Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
  • Application mapping and bypassing client-side controls (Chapters 4-5)
  • Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
  • Injection and API flaws: (Chapters 9-10)
  • User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
  • Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL
  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  • Harnessing new technologies such as HTML5, NoSQL, and Ajax
  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
  • How to immediately recognise and exploit Logic Flaws


Participants should bring their own laptop with a Java Runtime, capable of running Burp Suite, either free or pro version ( Please pre-install Burp and verify it works.

About the trainer

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box, Hacker Halted, Syscan and 44con.

For further information and questions please contact Marcus directly at marcus _at_