WS-09

HackTheWeb: Pentesting Beyond Basics

07-09 October, 2025

WORKSHOP OBJECTIVE

Modern application security fails not because of single bugs, but because data moves in unexpected ways. This intensive, lab-first course teaches you to map an application’s data flow, identify high-value attack points, and execute real exploit chains that reveal the issues automated scans never find.

Designed for pentesters and security engineers with 1–3 years’ experience, this program builds both skill and mindset. You’ll work through 30+ realistic labs spanning 8+ distinct web and API applications, using detailed mind maps and data-flow diagrams to guide discovery. Every module pairs theory with hands-on labs so you practise the exact steps attackers use - from reconnaissance to privilege escalation and data exfiltration.

What makes this course different:

  • Data-Flow First: Use mind maps and flow diagrams to locate where sensitive data moves and how it can be abused.
  • Mindset Training: Not just checklists - you’ll learn how attackers think and how to structure tests that find logic and design weaknesses.
  • Lab Intensity: 30+ real-world labs across 8+ applications (frontend, API, microservices) - practice chaining vulnerabilities end-to-end.
  • Actionable Outcomes: Walk away with a repeatable methodology, exploit recipes, and reporting guidance that gets developer buy-in.

COURSE HIGHLIGHTS

  • 30+ real-world labs across 8+ applications – exploit vulnerabilities in environments that reflect today’s web and API stacks.
  • Data-flow driven bug hunting – trace how data moves through apps to uncover hidden attack paths scanners miss.
  • Mind maps & attacker’s mindset – build repeatable frameworks and think like an adversary, not a checklist.
  • Exploit chaining & Burp Suite tradecraft – combine vulnerabilities into high-impact attacks using practical tools and techniques.
  • Actionable takeaways – walk away with a battle-tested methodology, reusable mind maps, and skills you can apply immediately.

Topics covered include (but are not limited to):

  • Mapping the Data Flow – tracing how requests, responses, and tokens move through apps to spot weak links.
  • Exploiting Insecure Design
  • Advanced Injection Attacks
  • Modern Authentication Attacks
  • Chaining SSRF to Exploitation
  • Exploiting Outdated Components
  • Cryptographic Failures
  • Automated Reporting

PRE-REQUISITE

  • Basic understanding of Pentesting

PARTICIPANT'S REQUIREMENTS

What Students Should Bring:

To get the most out of the hands-on labs, please come prepared with the following:

  • Administrator (admin) privileges on your laptop - required to install VirtualBox and Burp Suite and import the lab images.
  • Minimum 16 GB RAM (recommended) - Burp Suite and multiple VMs perform best with more memory.
  • At least 80 GB free disk space - we’ll provide a custom Kali Linux .ova (preloaded with tools) that needs room to import and run.
  • Reliable internet access - needed for some labs, updates, and downloads.
  • Virtualization support / VirtualBox installed - so you can load the supplied Kali .ova. (If you prefer VMware, let us know in advance.)

We supply the Kali .ova and step-by-step setup instructions. If you hit any setup snags, bring your charger and we’ll help you get everything running before the labs start.

TECHNICAL DIFFICULTY

  • Beginner to Intermediate

DURATION

  • 3 days (7-8 hrs)

WHO SHOULD ATTEND

  • Pentesters, Red Teamers, and Bug Bounty Hunters (1–3 years’ experience) who want to move beyond surface-level bugs into real exploit chains.
  • AppSec Engineers, SOC Analysts, and DevSecOps Professionals seeking attacker-mindset skills to uncover what scanners miss.
  • Developers & Security Researchers eager to understand and defend against real-world exploitation of design flaws, workflows, and misconfigurations.

WHAT TO EXPECT

This course is:

  • 30% theory and 70% Hands-on
  • Focused on modern web application pentesting.
  • Focused on black/grey-box pentesting, with the aim of helping bug bounty hunters understand application workflows and find business logic flaws more effectively.
  • Designed around data-flow analysis to identify the endpoints that could have potential vulnerabilities.
  • Built on a state-of-the-art lab with simulated real-world applications and 30+ exercises to perform.

Trainer


Dhruv Shah

Founder/ Technical Head

TCP Infosec LLP

Training Plan

  • DAY 1 - Mapping & Breaking the Basics
    • Introduction to Web app testing
      • OWASP Top 10 Vulnerabilities
      • OWASP Web App Testing Guide
      • Introduction to Proxies
      • Reporting as you go
    • Information Gathering
      • Search Engine discovery and reconnaissance for information leakage
      • Fingerprinting the web server
      • Enumerating applications on the web server
      • Fingerprinting Application and Application Framework
    • Configuration and Deployment Management Testing
      • Application Platform Configuration
      • Subdomain Takeover
      • Cloud Storage
    • Identity Management Testing
      • Testing for Roles and Privileges
      • Account Enumeration
      • Login Brute Force
      • Default Credentials
      • Weak Username Policy
    • Authentication Testing
      • Testing Lockout Mechanisms
      • Bypassing Authentication Schema
        • JWT Attack
      • Testing for Password Reset Functionalities
      • Testing for Authentication in Alternative Channels
        • 2FA Bypass
  • DAY 2 - Exploiting the Core Weaknesses
    • Authorization Testing
      • Directory Traversal vulnerabilities
      • Bypassing Authorization Schema
      • Testing for Privilege Escalation
      • Insecure Direct Object References (IDOR)
    • Input Validation/Injection Testing
      • SQL Injection vulnerabilities
        • Time-Based SQL Injection
        • Data Exfiltration via Blind OOB SQL Injection
      • XML Injection vulnerabilities
        • Vanilla XXE attacks
        • Data Exfiltration via Blind XXE attacks
      • Modern XSS Attacks
      • Host Header Injection
      • SSRF Attacks
        • SSRF on Traditional Web Apps
        • SSRF over Cloud
      • Template Injection Attacks
      • Exploiting File Upload functionalities
      • Deserialization Attacks
  • DAY 3 - Exploiting Workflows & Business Logic
    • Session Management Testing
      • Testing Logout Functionality
      • Testing for Session Hijacking
      • Testing for Misconfigured Cookie Attributes
    • Testing for Weak Cryptography
      • Padding Oracle Attacks
      • Exploiting Weak Encryptions
    • Testing for Components with Known Vulnerabilities
      • Attacking PHP Symfony
      • Attacking vulnerable third-party libraries
        • CMS Attacks
        • Log4j
    • Business Logic Testing
      • Building models for Business logic Flows
      • Attacking Coupon Functionality / Process Timing Attacks
      • Attacking Payment Gateways
      • Polluting Application Logs
      • Circumventing Workflows
    • Reporting
      • Reporting Pitfalls
      • Creating Impactful Reports
      • Understanding Open-Source Reporting Tools
      • Automating the Reporting Process
