Web Exploitation

Manual-first pentest skills against a realistic stack.

A four-day track that goes deep on OWASP Top 10 and beyond - business-logic flaws, chained attacks, modern auth attacks (JWT / OAuth), SSRF and request-smuggling - entirely in a hands-on lab.

Duration: 4 days
Cohort size: ≤ 15
Level: Intermediate
Certificate: Verifiable

What you'll walk away with

  • Confidently test against the OWASP Top 10 and Top 25 lists
  • Find and exploit business-logic flaws that scanners can't
  • Chain low-impact bugs into critical-impact compromises
  • Reproduce findings with copy-pastable PoCs
  • Write a finding worthy of an enterprise bug-bounty report
  • Use Burp Suite + Caido fluently - including extensions

Who this is for

Designed for the prerequisites below - but motivated learners outside the profile are welcome with a short pre-call.

  • HTTP / TLS / cookies / sessions fundamentals
  • Some scripting (Python / JS) is helpful
  • Comfortable in a browser DevTools console
  • A laptop with Burp Suite Community (we'll set up the rest)

Curriculum

Day-by-day breakdown

Day 1

Foundations + injection

  • Modern threat model of a web app
  • Recon + content discovery
  • SQL / NoSQL / SSTI injection
  • Burp Suite power-user tour

Day 2

Auth, sessions & access control

  • Auth bypasses (classic + modern)
  • JWT attacks (algorithm + claim + signature)
  • OAuth misconfigurations
  • IDOR / BOLA / BFLA hunting

Day 3

Advanced web attacks

  • SSRF + cloud-metadata abuse
  • Request smuggling + cache poisoning
  • Prototype pollution + deserialization
  • CORS + clickjacking + cookie-jar weirdness

Day 4

Chaining + reporting

  • Business-logic abuse patterns
  • Chaining 3 low-impact bugs into a critical finding
  • CTF-style final challenge
  • Writing the killer finding write-up

Hands-on labs

Realistic, isolated environments - you break things safely and rebuild them harder.

  • Custom vulnerable app - modern stack, not DVWA-era
  • Anti-cheat & flag-based progression
  • Real-world bug case studies from bug bounty
  • Recorded walk-throughs included post-cohort
  • Final-day chained-attack CTF

Tools you'll use

No proprietary kit - everything is industry-standard.

  • Burp Suite Pro/Community
  • Caido
  • ffuf
  • sqlmap
  • Param Miner
  • Turbo Intruder
  • jwt_tool
  • Semgrep

Your instructor

Senior Application Security Engineer

Practising web pentester with bug-bounty Hall-of-Fame credits across NASA, UN and major SaaS programs. Teaches what they actually find in real engagements - including the boring stuff that pays the bills.

  • Practitioner first
  • Lab-driven
  • Office hours after class

Reserve your seat

Cohorts are small on purpose. Email us to confirm dates, request a corporate cohort, or ask anything about the curriculum.

Next cohort: On request - quarterly cohorts