
Web Application Bootcamp - Journeyman Level

SensePost | July 30-31 & August 1-2


This two-day course has enough theory to ensure you understand what you are trying to achieve, but with a heavy focus on practical exercises. Students should expect lots of hands-on hacking with some of the finest hackers in the industry!


  • The fundamentals - setting the foundation. Testing basics, tools of the trade, HTTP, and related technology introduction.
  • The hacker mindset - how to approach problems, how to ask the correct questions.
  • Know your enemy - reconnaissance, enumeration, and landscape discovery.
  • Breaking bad - the application series:
    • Session Management - how to break authentication and identify authorization problems.
    • RCE - Remote Command Execution vulnerabilities and post exploitation.
    • SQL injection on various platforms - how to really pwn databases.
    • NoSQL Injection and Big Data Databases.
    • Local & Remote File inclusion.
    • XML and XML entity injection.
    • Cross-site scripting (reflective, persistent, and DOM based) - this is not the pop-up you are interested in.
    • Cross-site Request forgery attacks.

You will learn how to exploit all the attack vectors using BurpSuite as our only tool, because a good hacker just needs a good MiTM proxy. We will provide you with a pro 2-week license, so you can keep practicing once our course is over.

What's new for 2016?

In what is our biggest change to training at Blackhat in over 15 years, we've moved our entire training operation into Amazon's AWS cloud.

This means that each student signing up to our courses gets access to their own training environment, allowing for as much haxory and experimentation as they like, without other students being impacted. Students will be given access to their environment before Blackhat starts, and for two weeks after Blackhat, so you can experiment and keep on learning once the con is over.

We've also strived to make the theory as practical as possible and break away from death by slides. It means we are able to move our training away from having "theory sections" and "practical sections" to a full course of pure pwnage.

Who Should Take this Course

This course is ideally suited to those wishing to learn how to test web applications for vulnerabilities or to those experienced infrastructure pentesters that want to expand their skill set into web applications. This course is about tearing apart applications and understanding how attackers are breaching corporate deployments.

Student Requirements

Students need to ensure they have the necessary level of skill. No hacking experience is required for this course, but a solid technical grounding is an absolute must. This includes basic Linux operating system knowledge, a basic understanding of web applications, and networking fundamentals.

What Students Should Bring

Students should bring a laptop that is capable of running a Kali VMware image, has an Ethernet port available (or a USB Ethernet adapter), and has a user account with administrator rights. Please do not bring any devices that contain "Corporate" information.

What Students Will Be Provided With

We have developed a training portal that will be made available to all students before they attend Blackhat. This portal allows you to register an account and gain access to the slides used and any prerequisite information we feel would help you get the best out of this course. All content for the course, including tools required and instructions to configure your environment, will be made available via the training portal before you start, which means less time setting up and more time for learning.

Access to this portal will not stop once the course has finished, allowing you to continue learning in the weeks/months after Blackhat.


All trainers are working analysts in the offensive realm. From stalking corporates to writing malware, infiltrating networks and exfiltrating data, our trainers are well-versed in doing this on a daily basis.