O'Reilly Live Online Training

Intense Introduction to Hacking Web Applications

Topic: Security
Omar Santos

This course starts with an introduction to modern web applications and then immediately dives into the mapping and discovery phase of testing. In this course, you will learn security penetration testing methodologies and concepts by going over step-by-step examples in real time.

This hands-on training course uses various open source tools. You will learn how to find and exploit SQL injection, command injection, cross-site scripting (XSS), XML External Entity (XXE), and cross-site request forgery (CSRF) vulnerabilities. You will also learn how to assess the modern APIs used by mobile and IoT applications. The course includes interactive labs in which students work against a series of intentionally vulnerable web applications in a safe, isolated environment, and learn how to craft the kinds of exploits ethical hackers use to demonstrate real-world vulnerabilities during a penetration test.

What you'll learn and how you can apply it

  • Learn through step-by-step interactive demonstrations
  • Perform real-world pen testing

This training course is for you because...

  • You have an understanding of cybersecurity fundamentals.
  • You are interested in cybersecurity and penetration testing (ethical hacking).
  • You want to learn different methodologies and best practices to perform security penetration testing assessments.


Course participants should have a basic understanding of cybersecurity and networking, plus core familiarity with the Microsoft Windows and Linux operating systems. The following books and video courses provide a good overview of the cybersecurity fundamentals that are prerequisites for this course:

Course Set-up:

  • This is a hands-on course. Please go to the accompanying site for this Live Training course to download and install the required virtual machine (VM): https://webapps.h4cker.org

Recommended Preparation:

Recommended Follow-up:

About your instructor

  • Omar Santos is an active member of the cybersecurity community, where he leads several industry-wide initiatives. He is the lead of the DEF CON Red Team Village; the chair of the Common Security Advisory Framework (CSAF) technical committee; the co-chair of the Forum of Incident Response and Security Teams (FIRST) Open Source Security working group; and has been the chair of several initiatives in the Industry Consortium for Advancement of Security on the Internet (ICASI). His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of their critical infrastructures.

    Omar is the author of over twenty books and video courses, as well as numerous white papers, articles, and security configuration guidelines and best practices. Omar is a principal engineer of the Cisco Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of cyber security vulnerabilities. Additional information about Omar’s current projects can be found at omarsantos.io and you can follow Omar on Twitter @santosomar.


The time frames are only estimates and may vary according to how the class is progressing.

Section 1: Introduction to Web Application Penetration Testing Methodologies (20 minutes)

  • An introduction to ethical hacking and penetration testing methodologies
  • Reviewing the OWASP Testing Methodologies

Section 2: Building Your Own Web Application Lab (20 minutes)

  • Building your own lab
  • Installing WebSploit
  • Reviewing the Installation and Tools
  • Reviewing additional tools and web application hacking environments

Section 3: Reconnaissance and Profiling Web Applications (20 minutes)

  • Conducting information gathering using appropriate techniques
  • Vulnerability Scanning
  • Analyzing vulnerability scan results
  • The process of leveraging information to prepare for exploitation
  • Weaknesses related to specialized systems

Section 4: Authentication and Session Management Vulnerabilities (20 minutes)

  • Introducing authentication methods
  • Exploiting authentication-based vulnerabilities
  • Exploiting session management vulnerabilities

Lab Exercises and Break: 60 minutes

Section 5: Exploiting Cross-site Scripting (XSS) and Understanding Cross-site Request forgery (CSRF/XSRF) Vulnerabilities (20 minutes)

  • Reflected XSS
  • Stored XSS
  • DOM-based XSS
  • Understanding Cross-site Request Forgery (CSRF/XSRF)

Break 5 minutes

Section 6: Exploiting SQL Injection (25 minutes)

  • Overview of SQL Injection
  • Exploiting SQL Injection Vulnerabilities

Section 7: Exploiting XML External Entity (XXE) Vulnerabilities (30 minutes)

  • Understanding XXE
  • Exploiting XXE vulnerabilities

Section 8: Hacking APIs, Fuzzing, and Q&A (20 minutes)

  • Overview of APIs
  • Hacking APIs
  • Fuzzing
  • Q&A