Web Application Hacker’s Handbook Live Training + DevSecCon 2016

This is a past event


DevSecCon is proud to host MDSec’s Web Application Hacker’s Handbook Live Course, which has previously been delivered at BlackHat, HiTB, Syscan, Countermeasure and 44con. MDSec works at the forefront of application security and runs numerous global training courses on web application security for development teams and professional testers alike.

This year we’re offering combined tickets, allowing you to attend the training course and DevSecCon on three consecutive days.

Course overview

MDSec’s Web Application Hacker’s Handbook (WAHH) Live series has been running for seven years and is well respected as an authoritative source for web application security assessment, backed by the author’s Burp Suite tool. Our training course covers the practical aspects of this book, allowing you to gain hands-on experience in how to understand, find and exploit the latest vulnerabilities in web applications.

Because this is DevSecCon, we will also be giving a nod to the effectiveness of automated tools in identifying the issues under discussion. Additionally, many of the vulnerabilities you will be exploiting will be within familiar DevOps applications: Jenkins, GoCD and other familiar names will be exploited to gain full control over the DevOps toolchain!

Course Syllabus

The course is highly practical. There are only 140 slides in the course, which relies primarily on 400+ vulnerable examples from all of the chapters of the book, and a Capture the Flag exercise.

After a short introduction to the subject we delve into common insecurities in logical order:

  • Introduction to Web Application Security Assessment (Chapters 1-3)
  • Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
  • Application mapping and bypassing client-side controls (Chapters 4-5)
  • Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
  • Injection and API flaws (Chapters 9-10)
  • User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  • How to attack applications via LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP) and HTTP Parameter Injection (HPI)
  • Real-world, 2015 techniques in SQL Injection against Oracle, MySQL and MSSQL
  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  • Harnessing new technologies such as HTML5, NoSQL, and Ajax
  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
  • How to immediately recognise and exploit Logic Flaws

Burp Suite Training, at your level.

Burp Suite is at the heart of our course. While many experienced web application testers already use Burp, it has many options and extended capabilities that users rarely have time to investigate on time-limited assessments.

If, on the other hand, the above is unfamiliar territory, you can be reassured that we offer a full “zero to hero” path: we take you from the basics of the HTTP protocol, through setting up the tool for optimal use and the capabilities of each key component of Burp Suite, to performing both automated and manual web application tests. QA teams love it!


Who is this course for?

DevOps, Developers and Security professionals who want to learn and improve web application security skills.

Student Requirements:

A working knowledge of JavaScript, basic SQL and understanding of the HTTP protocol.

What students should bring:

Students should bring a laptop. A standard Windows, Linux or Mac laptop is fine provided it meets the following prerequisites:

  • A version of the JRE, capable of running Burp Suite.
  • An Ethernet connection.
  • Administrative access to the laptop, the ability to install a few tools, and the ability to disable personal firewalls or virus scanners should they interfere with the lab exercises.
  • We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

What students will be provided with:

  • Training manual
  • 2-week trial version of Burp Suite Pro

Book your combined ticket

Get completely immersed in DevSecOps with the 2-day Web Application Hacker’s Handbook Live Training course, followed by a day filled with inspiring talks and workshops at DevSecCon. The combined ticket allows you to attend the training course and DevSecCon on three consecutive days.

What’s included?   | Date                | Time           | Location
WAHH Live Training | 18–19 October 2016  | 9am–5pm        | Skills Matter CodeNode, London
DevSecCon          | 20 October 2016     | 8.30am–5.30pm  | Skills Matter CodeNode, London


WAHH Live Training + DevSecCon
£1,200.00 – Sold out –
18–20 October 2016

  • 2-day Web Application Hacker’s Handbook Live Training
  • Full day access to DevSecCon

About the trainer

Marcus Pinto is a director at MDSec Consulting and author of the “Web Application Hacker’s Handbook” series.
He is internationally recognised as a leader in the application and database security field, having spent the last nine years in information security both as a consultant and as an end user responsible for a global team securing over 200 build tracks and 50+ externally facing applications.
He has delivered training to some of the most high-profile audiences, at Blackhat, Syscan, and Hack in the Box. Privately he has run training for many technical audiences including CESG’s penetration testing team.
Marcus also sat on the assessors’ panel providing input for the CREST Web Application Exam, the UK’s number one certification for application assessment.