Register Online

Contact Info

(+91)-974-690-6654
support@c0c0n.org

Social Links

WS-09

Home TrainingsHackTheWeb: Pentesting Beyond Basics

HackTheWeb: Pentesting Beyond Basics

07-09 October, 2025

WORKSHOP OBJECTIVE

Take your web application pen-testing skills to the next level with this intermediate- level training course tailored for professional pen testers, bug hunters, and security enthusiasts. Rooted in the principles of the Open Web Application Security Project (OWASP) Testing Guide, this comprehensive course equips you with a structured and practical approach to uncovering vulnerabilities. By mapping workflows, understanding the intricate components of web applications, and utilizing open-source tools, you'll sharpen your ability to identify critical bugs with precision and efficiency. Designed for those actively engaged in pentest projects, this training is your key to becoming a more proficient and impactful web application pentester.

PRE-REQUISITE

Laptop with

  •     Admin Privileges
  •     minimum 16 GB ram
  •      100 GB Disk space for Ova
  •      Internet Access
  •      Ability to install Virtual Box
  •      minimum
  •      minimum
  •      minimum

PARTICIPANT'S REQUIREMENTS

  •      Basic Knowledge of Web Application Pentesting.
  •      Basic understanding of BurpSuite
  •      Basic Understanding of using Linux CLI

Note: This is a Begginer/Intermediate Level Training

WHO SHOULD ATTEND

  •      Senior Web Application Pentesters
  •      Junior Web Application Pentesters
  •      Security Engineers
  •      Bug Bounty Hunters
  •      DVA

WHAT TO EXPECT

This course is:

  •      30% theory and 70% Hands-on
  •      Focuses on the Web application Pentesting in modern days.
  •      Focuses on a black/grey box pentest, keeping in mind helping bug bounty hunters understand application workflows to find improved Business logic flaws.
  •      Designed with Data Flow analysis to understand the endpoints that could have potential vulnerabilities
  •      Designed with the state of the art lab with simulated real world applications and more than 30+ exercises to perform

WHAT NOT TO EXPECT

  •      This is not beginner training, Prior knowledge of Web App Pentest is required. We will be building upon the existing knowledge to improve the understanding of the vulnerabilities and learn how to exploit them
  •      This is 30% theory and 70% hands-on training. There will be lots of exercises.
  •      An additional 5 days of lab time will be given to play with the lab environment

DURATION

Duration: 3 days

Trainer

Dhruv Shah

Founder/ Technical Head, TCP Infosec LLP

Training Plan

  • Introduction to Web app testing
    • OWASP Top 10 Vulnerabilities
    • OWASP Web App Testing Guide
    • Introduction to Proxies
    • Reporting as you go
    • Understanding Workflows
    • Integrating workflows to enhance your pentesting process
  • Information Gathering
    • Search Engine discovery and reconnaissance for information leakage
    • Fingerprinting the web server
    • Enumerating applications on the web server
    • Fingerprinting Application and Application Framework
  • Configuration and Deployment Management Testing
    • Application Platform Configuration
    • Subdomain Takeover
    • Cloud Storage
  • Identity Management Testing
    • Testing for Roles and Privileges
    • Account Enumeration
    • Login Brute Force
    • Default Credentials
    • Weak Username Policy
  • Authentication Testing
    • Testing Lockout Mechanisms
    • Bypassing Authentication Schema
    • JWT Attack
    • Testing for Password Reset Functionalities
    • Testing for Authentication in Alternative Channels
    • 2FA Bypass
  • Authorization Testing
    • Directory Traversal vulnerabilities
    • Bypassing Authorization Schema
    • Testing for Privilege Escalation
    • Insecure Direct Object References (IDOR)
  • Input Validation/Injection Testing
    • SQL Injection vulnerabilities
    • Time-Based SQL Injection
    • Data Exfiltration via Blind OOB SQL Injection
    • XML Injection vulnerabilities
    • Vanilla XXE attack
    • Data Exfiltration via Blind XXE attacks
    • Modern XSS Attacks
    • Host Header Injection
    • SSRF Attacks
    • SSRF on Traditional Web Apps
    • SSRF over Cloud
    • Template Injection Attacks
    • Exploiting File Upload functionalities
    • Deserialization Attacks
  • Session Management Testing
    • Testing Logout Functionality
    • Testing for Session Hijacking
    • Testing for Misconfigured Cookie Attributes
  • Testing for Weak Cryptography
    • Padding Oracle Attacks
    • Exploiting Weak Encryptions
  • Testing for Components with Known Vulnerabilities
    • Attacking PHP Symphony
    • Attacking vulnerable third-party libraries
    • CMS Attacks
    • Log4j
  • Business Logic Testing
    • Building models for Business logic Flows
    • Attacking Coupon Functionality / Process Timing Attacks
    • Attacking Payment Gateways
    • Polluting Application Logs
    • Circumventing Workflows

Book your seat Now

Trainings

Windows Kernel Exploitation Foundation & Advanced Training
Read More
Multi-Cloud (AWS, Azure & GCP) Security [2025 Edition]
Read More
Offensive OSINT
Read More
Android Security Primer
Read More
Automotive Security: A Hands-On Approach
Read More
Mastering Telecom Security: A Hands-on Guide to RAN & Core Network Protection
Read More
Hands on in Signal intelligence, Electronic Warfare, and CEMA for Security Applications
Read More
StealthOps: Red Team Operations 2025 Edition
Read More
HackTheWeb: Pentesting Beyond Basics
Secure Code Audit Exclusive Edition
Read More
Hacking Android, iOS and IoT apps by Example
Read More
Attacking CI CD Environments
Read More
Breaking Smart Kiosks with Windows 11 OS Hardening
Read More
Offensive Tradecraft Development
Read More

DIAMOND SPONSOR

LANYARD SPONSOR

COMMUNITY PARTNERS

INDUSTRY CONFERENCE ALLIES

PODCAST PARTNER

Contact Us

© Copyright 2025 -c0c0n. All Right Reserved