Web Hacking Black Belt Edition Training

  • Learn via: Classroom / Virtual Classroom / Online
  • Duration: 3 Days
  • We can host this training at your preferred location. Contact us!
Upcoming Training

05 June 2021

3 Days

NotSoSecure is pleased to launch their much awaited advanced Web Hacking course. Much like the Advanced Infrastructure Hacking class, this course talks about a wealth of hacking techniques to compromise web applications, APIs and associated end-points. This three day course will focus on specific areas of app-sec and on advanced vulnerability identification and exploitation techniques (especially server side flaws).

The course allows attendees to practice some neat, new and ridiculous hacks which affected real life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the course either typically go undetected by modern scanners or the exploitation techniques are not so well known.

Attendees can also benefit from a state-of-art Hacklab and we will be providing 30 days lab access after the course to allow attendees more practice time. This fast-paced course, gives attendees an insight into Advanced Web Hacking, the NotSoSecure team has built a state of the art Hacklab and recreated security vulnerabilities based on real life Pen Tests and real bug bounties seen in the wild.

Whoever works with or against the security of modern web applications will enjoy and benefit from this course. This is not a beginner class and attendees are expected to have a good prior understanding of the OWASP top 10 issues to gain maximum value from the class. Further to this, the course does not cover all AppSec topics and focuses only on advanced identification and exploitation techniques of the vulnerabilities shown on the right.

This course will be suitable for delegates Interested in the SANS Institute course SEC542: Web App Penetration Testing and Ethical Hacking

  • Authentication bypass
  • Saml / oauth 2.0 / auth-0 / jwt attacks
  • Password reset attacks
  • Breaking crypto
  • Business logic flaws / authorization flaws
  • Sql injection
  • Remote code execution (rce)
  • Server side request forgery (ssrf)
  • Unrestricted file upload
  • Attack chaining


  • Token Hijacking attacks
  • SQL column truncation attack
  • Logical Bypass / Boundary Conditions


  • JWT Token Brute-Force attacks
  • SAML Authentication and Authorization Bypass
  • XXE through SAML
  • Advanced XXE Exploitation over OOB channels


  • Cookie Swap
  • Host Header Validation Bypass
  • Case study of popular password reset fails.


  • Known Plaintext Attack (Faulty Password Reset)
  • Path Traversal using Padding Oracle
  • Hash length extension attacks


  • Mass Assignment
  • Invite/Promo Code Bypass
  • Replay Attack


  • 2nd order injection
  • Out-of-Band exploitation
  • SQLi through crypto
  • NoSQL Injection
  • OS code exec via PowerShell
  • Advanced topics in SQLi


  • Java Serialisation Attack
  • Node.js RCE
  • PHP object injection
  • RCE through XXE (with blind XXE)
  • RCE through XSLT
  • Rails’ Remote Code Execution
  • Ruby/ERB template injection
  • Exploiting code injection over OOB channel


  • SSRF to query internal network
  • SSRF to code exec


  • Malicious File Extensions
  • Circumventing File validation checks
  • Web shells for modern platforms


  • HTTP Parameter Pollution (HPP)
  • XXE in file parsing
  • A Collection of weird and wonderful XSS and CSRF attacks


  • Combining Client-side and Server-side attacks to
  • steal internal secrets
  • B33r 101

Contact us for more detail about our trainings and for all other enquiries!

Upcoming Trainings

Join our public courses in our Istanbul, London and Ankara facilities. Private class trainings will be organized at the location of your preference, according to your schedule.

05 June 2021
3 Days
Classroom / Virtual Classroom

Istanbul, Ankara, London
09 June 2021
3 Days
Classroom / Virtual Classroom

Istanbul, Ankara, London
10 July 2021
3 Days
Classroom / Virtual Classroom

Istanbul, Ankara, London
02 August 2021
3 Days
Classroom / Virtual Classroom

Istanbul, Ankara, London

Related Trainings

Certified in The Art of Hacking

Securing customer data is often crucial when deploying and managing web applications and network i...

  • Classroom
  • Virtual Classroom
  • Online

5 Day

CREST Practitioner Security Analyst

The CPSA course leads to the CREST Practitioner Security Analyst (CPSA) examination, which is an e...

  • Classroom
  • Virtual Classroom
  • Online

5 Day

Advanced Infrastructure Hacking

An Advanced Infrastructure Hacking class, new for 2017, designed for those who wish to push their...

  • Classroom
  • Virtual Classroom
  • Online

5 Day