• Bangalore 2019
  • Training
  • Xtreme Web Hacking

Xtreme Web Hacking

Riyaz Walikar & Bharath, Appsecco

Register Now
riyaz-walikar bharath

Trainer Name: Riyaz Walikar & Bharath, Appsecco
Title: Xtreme Web Hacking
Duration: 3 Days
Dates: 20th - 22nd June 2019


This fast paced, completely hands on training is built to teach the student the tricks and tools to detect, identify and exploit vulnerabilities that are commonly found in a lot of modern as well as legacy web applications on the Internet. The training starts off with covering the basics of web application concepts, interception proxies and then deep dives into advanced scenarios over the duration of the course.

The courseware is built to provide a hands on approach to chain multiple vulnerabilities in order to fulfil the objectives of gaining access to data or taking over the underlying operating system. The training provides a custom lab environment complete with multiple networks and applications written in multiple technologies each having vulnerabilities that have been handpicked from our experience in the field or from popular web vulnerabilities that have been discussed within the security community

At the end of the training the student will receive the complete documentation for the training and the labs that can be used to continue learning after the training is over.


  • Basics of Hyper Text Transfer Protoco
    • HTTP Requests Responses
    • Session Management over a Stateless Protocol
    • Basics of SSL/TLS
  • Getting started with an Interception Proxy
    • Performing Man in the Middle Attacks on Web Traffic
    • Automating Simple tasks using an interception proxy
    • Configuring Burp for a power user
  • Domain reconnaissance and OSINT
    • DNS records and subdomain discovery
    • OSINT using services like Shodan, Censys, Certificate Transparency Logs,
    • Code repositories (Github, Bitbucket) and SecurityTrails etc
  • Advanced database injection attacks
    • Detection and Exploitation of a Blind Boolean SQL Injection
    • Writing a custom python script to enumerate data
  • Injection and exploitation with NoSQL databases
    • Bypassing application logic by exploiting injection in MongoDB
  • Insecure Direct Object References
    • Understanding the difference between path traversal and Inclusion vulnerabilities
    • Exploitation using Local and Remote File Inclusion
  • Attacking serialisation
    • Attacking weak serialisation and executing server side code
  • XSS for the modern pentester
    • Bypassing XSS filters
    • Abusing weak CSP configurations
    • Exploiting a Stored XSS to steal session and CSRF tokens
    • Detection and exploitation of DOM XSS in JavaScript rich apps
  • Websockets
    • Tunneling attack traffic through websockets to perform exploitation
  • HTML5 vulnerabilities
    • Attacking and exploiting postMessage
    • Attacking localStorage and sessionStorage
  • Attacking SOP and CORS
    • Workarounds for the Same Origin Policy
    • Exploiting XSS with the help of CORS
    • Exploiting common CORS mis-configurations
  • Attacking REST API
    • Working with OpenAPI spec
    • Working with API testing tools like Postman and Newman
  • Attacking GraphQL
    • Enumerating GraphQL implementations using introspection
    • Identifying and exploiting security issues in GraphQL implementations
  • Attacking file upload functionality
    • Abusing file uploads to create files containing executable code on the server
  • Attacks on Authentication schemes
    • Attacks on JWT and OAuth 2.0
  • Attacking Server-Side Templating
    • Exploiting Server Side Template Injection
  • Server side JavaScript Injection
    • Attacking a web service to execute server side JavaScript
  • Attacking common crypto implementations in web apps
    • Attacking Padding Oracles
    • Performing Hash Length Extensions to steal data
  • XML External Entity (XXE) attack
    • Exploiting XXE to read sensitive files
    • Out-of-band exploitation of XXE to exfiltrate data
  • Server Side Request Forgery/Cross Site Port Attacks
    • Exploiting SSRF/XSPA to read sensitive files
  • Gaining shell access to execute server-side system commands
    • Creating web shells via non executable files
  • Pivoting to Internal networks
    • Jumping across networks using compromised hosts
    • Attacking internal/non-routable machines with web applications
  • Capture the Flag
    • Multiple Challenges

Target Audience (Who should attend)

  • Web Application Security Enthusiasts
  • Application Security Specialists
  • Penetration Testers

Hardware and Software Requirements

  • Laptop with a modern OS (Windows 10/OSX/Linux)
  • A laptop with administrator privileges
  • At least 10 GB of free Hard Disk Space
  • Ideally 8 GB of RAM but minimum 4 GB
  • Laptop should have a working wireless and wired/Ethernet connection
  • Ability to copy files from an external USB and install software on the laptop
  • Laptop should support hardware-based virtualization
    • If your laptop can run a virtual machine in Oracle Virtualbox it should work

    What to expect

    Fast faced, completely attack focused hands-on training with lots of detection and exploitation of vulnerabilities across multiple web and database technologies.

    What not to expect

    • A lot of theory. This is meant to be a completely hands-on training!!
    • Vulnerability Mitigations and discussions around server/app hardening

    Student Giveaways

    • Tools, virtual machines and software provided for the training
    • Completely documented script and programs
    • A simple to follow step by step walk through of the entire training in a PDF file
    • Virtual machines with code used during the training so that you can even practice after the training is over

    Trainer Profile

    Bharath Kumar

    Bharath is a Security Engineer with Appsecco. He has a strong passion for information security and building solutions that solve real world problems.

    Bharath is an active member and contributor at various security and developer communities including null open security community and Python Malaysia User Group.

    His core interest lies in Application security, Infrastructure security, Reconnaissance and Protocol security.

    Bharath holds multiple CVEs, the latest include - CVE-2018-15635, CVE-2018-15636, CVE2018-15638, CVE-2018-15639 and CVE-2018-15641.

    Some of the talks given by Bharath include

    • "Building visualisation platforms for OSINT data using open source solutions" - Defcon 26: Recon Village
    • "Practical recon for pentesters and bounty hunters" - Bugcrowd LevelUp 2018
    • "Doing recon like it's 2017" - Bsides Delhi 2017
    • "Esoteric sub-domain enumeration techniques" - Bugcrowd LevelUp 2017

    Some of the trainings/workshops by Bharath include

    • "JavaScript for Pentesting the Modern Application Atack" - c0c0n, 2018
    • "Xtreme Web Hacking" - Nullcon, Bangalore, 2018


    Riyaz Walikar

    Riyaz Walikar currently heads the Offensive Security Team at Appsecco and is responsible for the assessment and delivery of Web and Mobile Application Security Testing engagements. He is a OSCP certified Web Application Pentester, Security evangelist and researcher. He has been active in the security community for the better part of the last 10 years. He has been actively involved with the Bangalore OWASP and null chapter for the last 7 years and is one of the OWASP and null Bangalore chapter leads.

    He is actively involved with Vulnerability Research in popular Web Applications and Network aware services and has disclosed several security issues in popular software like Apache Archiva, Openfire, Joomla!, EJabberd, .NET Script Injection Bypass and has had luck with finding vulnerabilities with popular web applications like Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee, Yahoo, Adobe, Tumblr, Pinterest etc. for which he is on the Hall of Fame for most of these services. He has also been a speaker and trainer at several security conferences including OWASP AppsecUSA 2012, BlackHat Abu Dhabi 2012, Las Vegas 2015, EU 2015, nullcon 2012, 2013, 2014, 2015, 2016 and 2017, DefCon Las Vegas 2016 and c0c0n 2011,2013,2015 and 2016.

    His technical interests lie with programming, bug bounty, malware analysis, breaking web applications, playing CTFs, researching devices that fall under the Internet of Things category and penetration testing networks exposed to the Internet.

    Some of the trainings/workshops by Riyaz Walikar include

    • Web Security Testing 101 at Govt. Dept., Bangalore 2017
    • Xtreme Web Hacking at nullcon Goa 2012, 2013, 2014, 2015, 2016
    • Cloud Security for Devs & Ops – nullcon 2017
    • Breaking and Pwning Apps and Servers on AWS - nullcon 2018
    • Ninja Level Infrastructure Monitoring – DefCon 2016
    • Xtreme Web Hacking (CTF Style) – c0c0n 2015, 2016, 2017
    • Secure Web Programming 2-day training at HackerRank Bangalore 2017

    Some of the talks given by Riyaz Walikar include

    • A Pentester's Methodology to Discover and Exploit Windows Privilege Escalation flaws – c0c0n 2015, nullcon 2016
    • Esoteric XSS Payloads – c0c0n 2016
    • The Whys and Hows of Cyber Attacks – SAP Security Summit, Bangalore 2016
    • Pentesting an ELK Stack – DevOpsDays India, Bangalore 2016
    • Poking Servers with Facebook – AppsecUSA 2012, BlackHat Abu Dhabi 2012, c0c0n 2013
    • Threats with Online Gaming – c0c0n 2017



Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved