Trainer Name: Marcus Pinto

Title: Beyond the Web Application Hacker's Handbook

Dates: April 5, 2022 To April 7, 2022

Time: 9 a.m. To 5:30 p.m. CEST

Venue: NH Hotel, Alexanderplatz, Berlin-Germany

Registration Closed

Note: Regarding COVID-19 safety, Nullcon will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. Nullcon will follow all applicable health regulations required by the local and government authorities.


Expand the capabilities of individuals with 3-4 years' experience in web application security assessment, by providing exposure to new technologies, logic puzzles, and writing burp extensions.

Training level: Intermediate to Advanced

Course Outline

The course is heavily lab-based.
Day 1: Setting up, Tooling Up, Arming Up.
- on day 1 we help delegates locate areas of applications they may easily miss. We advise them on the best pre written burp extensions and describe the process of writing extensions

Day 2: Levelling Up
- on day 2 we walk delegates through the design vulnerabilities, covering Access Controls, Logic flaws, and how to really compromise encryption (no weak SSL ciphers or theoretical stuff here)

Day 3: Breaching the Server
- on day 3 we look at breaching the server using today's popular coding-related flaws: SSRF, Deserialisation, SSTI, File format exploitation, and Input Validation

What to Bring

Laptop with access to install and use Burp Suite Professional (a 3 week trial license for Professional will be provided with the course)


Good knowledge of HTTP, HTML, Javascript and some working knowledge of web scripting languages

Who Should Attend

Software Engineers, Quality Assurance teams as well as seasoned Web Application Testers or Consultants moving over from Infrastructure / Network assessment backgrounds

What to Expect

  • writing burp macros and writing Burp extensions
  • finding and exploiting subtle but common logic and access control flaws
  • techniques for getting more out of Burp Suite
  • solving common penetration testing pitfalls
  • beating input validation and other application defences
  • fuzzing techniques and methodologies for interacting with new technologies

What Attendees Will Get

3 week trial license for Burp Suite Professional
1 month access to MDSec's online cloud lab environment

What Not To Expect

We do not provide access to the source for the labs
We do not provide a full year license to Burp Suite Professional
This course does NOT cover SQL Injection, File Traversal, or XSS. These topics are adequately covered, for free, elsewhere, and/or are relatively deprecated.

About the Trainer

Marcus Pinto is the author of the Web Application Hacker's Handbook, still widely regarded as the leading text on professional application security assessment today. Marcus is director of MDSec Consulting Limited, working at the forefront of the industry with worldwide clients.