Full Stack Web Attack is not an entry-level course. It's designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research. This course was developed for web penetration testers, bug hunters and developers that want to make a switch to server-side web security research or see how serious adversaries will attack their web based code.
Students are expected to know how to use web proxies and have a basic understanding of common web attack patterns as well as perform basic scripting using scripting languages such as python, PHP and JavaScript.
Each of the vulnerabilities presented have either been mirrored from real zero-day or are n-day bugs that have been discovered by the author with a focus on not just exploitation, but also on the discovery.
So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution then this is the course for you.
Language
Java has been the predominate language used in web technology stacks for enterprises for the past several years. Several high impact vulnerabilities in Java based applications are constantly exploited in the wild. In 2022 we saw Log4Shell which was a JNDI Injection vulnerability within the very popular Log4j library, deployed by thousands of applications and exposed to the internet.
This version of the course will focus on server-side Java related technologies. You instructor will walk you through how to navigate and debug highly abstracted Java code for the purpose of discoveringand exploiting high impact vulnerabilities.
Format
This is a two (2) day class held on: Saturday March 18th - Sunday March 19th between 7am - 3pm (AEST).
Instructor
Steven Seeley (@steventseeley) is an internationally recognized security researcher and trainer. For the last six years, Steven has reached platinum status with the ZDI and has literally found over a 1,500 high impact and critical vulnerabilities.
In 2020, Steven teamed up with Chris Anastasio and won the ICS Pwn2Own competition held in Miami. Later on, Steven went on to play in Pwn2Own Vancouver in 2021 targeting Microsoft Exchange Server with an Remote Code Execution and obtained a successful (partial) win and since then came runner up with Chris Anastasio again in Pwn2Own Miami 2022.
Steven has also compromised Microsoft's 365 Cloud and presented at BlackHat USA 2022 whilst working for Qihoo 360 within the Vulnerability Research Institute.
What must I bring into the event?
The student should bring with them:
- An open mind that is ready to focus - level: (10/10)
- Moderate or advanced skills scripting skills - level: (7/10)
- Some exposure to container based technologies and unix operating systems - level: (5/10)
- A strong understanding of how to use various web technologies such as http(s), client/reverse proxies and browsers - level: (10/10)
- A foundational understanding of common web vulnerabilities - level: (5/10)
Since this course is offered online, the student will also need:
- A stable and fast internet connection
- A x64 host operating system (please, no M1 Macbooks)
- 16 Gig RAM minimum
- Virtualization software (VMWare Workstation or Fusion preferred)
- 100 Gig of available hard disk space
Additionally, before signing up for this course students should complete the challenge to self assess if this course is right for them.
Where can I find more information?
An updated syllabus can be found here or feel free to email us at training@srcincite.io.
Will this cover memory corruption vulnerabilities and exploits?
No, that is beyond the scope of this training course.
Where will this event be held?
Online via Zoom.
What's the refund policy?
A minimum of 5 people must sign up for this training to take place. Tickets will be refunded in full if this requirement is not met.
