Para visualizar el sitio de manera óptima actualice el navegador. ×
23 y 24 de Septiembre

Full Stack Web Attack is not an entry-level course. It’s designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research.

This course is developed for web penetration testers, bug hunters and developers that want to make a switch to server-side web security research or see how serious adversaries will attack their web based code.

Students are expected to know how to use Burp Suite and have a basic understanding of common web attacks as well as perform basic scripting using common languages such as python, PHP and JavaScript. Each of the vulnerabilities presented have either been mirrored from real zero-day or are n-day bugs that have been discovered by the author with a focus on not just exploitation, but also on the discovery.

So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution then this is the course for you.

Leave your OWASP Top Ten and CSP bypasses at the door.

Student Requirements

  • At least basic scripting skills
  • At least a basic understanding of various web technologies such as HTTP(S), proxies and browsers

Hardware Requirements

  • A 64bit Host operating system
  • 16 Gb RAM minimum
  • VMWare Workstation/Fusion
  • 60 Gb Hard disk free minimum
  • Wired and Wireless network support
  • USB 3.0 support


  • Introduction
    • PHP & Java language fundamentals
    • Debugging PHP & Java applications
    • Auditing for zero-day vulnerabilities
  • PHP logic authentication bypasses (zeroday)
  • PHP code injection remote code executon (nday)
  • Java naming and directory interface (JNDI) injection (nday)
    • Remote class loading
    • Java deserialization 101
  • PHP object instantiation (nday)
  • External entity injection (XXE)
    • File disclosure
    • Server-side request forgery (SSRF)
  • PHP Object Injection
    • Property oriented programming (POP)
    • PHP custom gadget chain creation
  • Blacklist bypasses for remote code execution (zeroday)
  • Bypassing Java based URI filters
  • Java URI redirection authentication bypasses (zeroday technique)
  • Expression language (EL) injection
  • Java deserialization 102
    • Pivot gadgets
    • Java Custom gadget chain creation


Fundación Proydesa - Suipacha 280

Ver en Google Maps
  • Los estudiantes deberán traer su propia notebook (excluyente).


USD 2000
Hasta el 02/09
USD 2000
04/09 al 20/09
En sitio
USD 2000
23/09 al 24/09
*Descuentos para los que hayan tomado algún training el año pasado.
*Descuentos para compras en grupos.
*Descuentos para los que hayan asistido a la conferencia en alguna edición anterior.
*Descuento a estudiantes con certificado de alumno regular.
Para realizar consultas sobre el training o alguno de los beneficios, contacta a


Steven Seeley
Steven Seeley - Researcher & Trainer

Steven is an internationally recognized security researcher and trainer. For the last three years, he has reached platinum status with the ZDI and has literally found over a thousand high impact vulnerabilities.