
Advanced Web Attacks and Exploitation

Offensive Security
July 30-August 2


The days of porous network perimeters are fading fast as services become more resilient and harder to exploit. In order to gain that initial critical foothold in a network, penetration testers must be fluent in the art of exploiting front-facing web applications.

Offensive Security's Advanced Web Attacks and Exploitation was created by taking widely deployed web applications found in many enterprises and actively exploiting them. This intensive, hands-on course takes your skills beyond run-of-the-mill SQL injection or mediocre file inclusion attacks and propels you into a world of brain-melting SQL queries, mind-blowing XSS and remote code execution attacks starting from that initial foothold and ending with a complete compromise.

Topics covered include:

  • Advanced XSS attacks and exotic payloads
  • Leveraging CSRF attacks to achieve remote code execution
  • Advanced SQL injection attacks
  • Compound attacks making use of multiple vulnerabilities
  • Bypassing character restrictions in payloads
  • Remote command execution attacks
  • Advanced file inclusion attacks, and more
  • Real world attacks on widely deployed network infrastructure applications

Who Should Take this Course

Advanced Web Attacks and Exploitation is NOT an entry-level course. The pace of learning is fast and furious - students are expected to have a solid understanding of how to perform basic web application attacks, at a minimum. This class is perfect for experienced network penetration testers who are looking to take their web application penetration testing skills to the next level, as well as web application developers who need to understand how their code is attacked.

Student Requirements

It is assumed that the student already has a moderate understanding of the underlying protocols and technologies involved in testing web applications, such as the HTTP protocol, SSL communications, and the usage of various browser plugins and proxies. A basic familiarity with web-based programming languages such as PHP, JavaScript and MySQL will also prove helpful.

What Students Should Bring

Students are required to bring their own laptops with:

  • 64-bit host operating system
  • A minimum of 8 GB RAM installed
  • VMware Workstation / Fusion installed
  • At least 60 GB of free hard disk space
  • Wired Network Support
  • USB 2.0 support or better

What Students Will Be Provided With

Students will be provided with virtual machines for use in class. Additionally, the Advanced Web Attacks and Exploitation lab guide will be provided. An in-class "Hint System" will provide electronic distribution of all scripts, POCs, and so on.

AWAE does not have an exam yet. A date for the exam release is not available yet, but when it is, AWAE Vegas students will receive one free exam attempt.


Jim O'Gorman leads Offensive Security's penetration testing team and manages related consulting services. Jim is also an Offensive Security instructor, Kali Developer, and a co-author of "Metasploit: The Penetration Tester's Guide". He has been online from the days Gopher sites outnumbered websites and started working professionally in the field 18 years ago.

Mati Aharoni is deeply involved in the security community and has laid several cornerstones in the community, such as the Exploit Database, the Kali Linux Distribution, and the industry leader in practical, hands-on information security training, Offensive Security. Mati is also the creator and lead instructor of the Advanced Web Attacks and Exploitation class, which has been the first class to sell out at Black Hat Vegas consecutively since its premiere three years ago.