On This Page

Advanced Web Attacks and Exploitation

Offensive Security | March 20 - 23


The days of porous network perimeters are fading fast as externally facing services become more resilient and harder to exploit. In order to gain that critical initial foothold in a network, penetration testers must be fluent in the art of exploiting front-facing web applications.

Offensive Security's Advanced Web Attacks and Exploitation (AWAE) Course was created by taking widely deployed web applications found in many enterprises and actively exploiting them. This intensive, hands-on course takes your skills well beyond standard SQL injection or file inclusion attacks and will propel you into a world of mind-bending, blinded, SQL Injection, illogical authentication bypasses, heavy deserialization, and pass-the-hash web authentication weaknesses all chained to gain remote code execution unassisted. And that's just scratching the surface.

Topics covered include:

  • Advanced web application source code auditing
  • Non-interaction XSS attacks and exotic payloads
  • Leveraging CSRF attacks to achieve virtually unassisted remote code execution
  • State of the art SQL injection attacks (time based blind)
  • Authentication weakness/bypass attacks
  • Bypassing character restrictions in payloads
  • Command injection attacks
  • Java deserialization of untrusted data exploitation
  • PHP Object injection (attacking PHP's state machine)
  • Exotic file inclusion attacks (non PHP environments)
  • Multi-step, chained attacks making use of multiple vulnerabilities
  • Real world attacks on widely deployed network infrastructure applications.
  • ...and more!

***Registration for this course will include complimentary post-event access to Online Streaming for all Black Hat Asia 2018 Briefings presentations***

Who Should Take this Course

Advanced Web Attacks and Exploitation is NOT an entry level course. The pace of learning is fast and furious, and students are expected to have a solid understanding and experience of how to perform basic web application attacks, at a minimum. This class is perfect for experienced network penetration testers who are looking to take their web application penetration testing skills to the next level, as well as web application developers who need to understand how their code is attacked.

Student Requirements

AWAE students should already have a moderate understanding of the underlying protocols and technologies involved in testing web applications such as the HTTP protocol, SSL communications, and the usage of various browser plugins and proxies. A basic familiarity with web based scripting languages such as PHP, Ruby, Java, JavaScript, .NET C# is strongly recommended.

What Students Should Bring

Students are required to bring their own laptops with:

  • 64bit Host operating system
  • 8 GB RAM minimum
  • VMware Workstation / Fusion
  • 60 GB HD free minimum
  • Wired network support
  • USB 2.0 support or better

What Students Will Be Provided With

Students will be provided with virtual machines for use in class and the Advanced Web Attacks and Exploitation Lab Guide. An in-class "Hint System" will provide electronic distribution of all scripts, POCs, etc.


While this course does not include a certification exam at this time, a token for one examination session is included with this course and can be redeemed once the certification exam has been completed.


Steven Seeley is the lead instructor for Offensive Security's AWAE course. He's found and exploited a few bugs in his time.