Overview
The best defence is understanding the offence. To effectively protect your software applications and infrastructure, you first need to understand how malicious actors think, what tools they use and how they systematically compromise systems.
This intensive two-day workshop takes participants on a journey through the attacker's playbook. Through demonstrations and hands-on exploitation exercises, you'll learn to use the same readily available tools that threat actors employ to find and exploit vulnerabilities. But we don't stop at breaking things - we'll explore what you can do to prevent these exploits, detect when your systems have been compromised and build more resilient applications.
By the end of this workshop, you'll have a fundamentally different perspective on application security. You'll understand not just the theory of vulnerabilities, but the practical reality of how easily they can be exploited. This hands-on experience builds the security intuition that developers and engineers need to write more secure code, design better architectures and make security-conscious decisions throughout the development lifecycle.
This course goes deeper than our Capture the Flag experience, providing structured teaching, detailed tool demonstrations and comprehensive coverage of attack techniques rather than competitive challenge-solving.
Outline
Understanding the threat landscape
- Real-world examples of significant security compromises and their impact
- The evolving threat landscape, attacker motivations and legislative drivers
- Security compliance frameworks and the shared responsibility across teams
Reconnaissance and target identification
- How attackers identify and select targets
- Open Source Intelligence (OSINT) and reconnaissance techniques
- Port scanning, service enumeration and fingerprinting
- Minimising your organisation's attack surface
Understanding and exploiting web traffic
- How HTTP and HTTPS work beyond the basics
- Introduction to Burp Suite for web application testing
- Intercepting, analysing and modifying web traffic in real time
Exploitation frameworks and tools
- Introduction to Metasploit: the penetration testing framework
- Searching for and launching exploits against vulnerable systems
- Defensive strategies: patching, hardening and detection
Authentication and session management vulnerabilities
- Common flaws in authentication mechanisms
- Brute force attacks, credential stuffing and password spraying
- Session hijacking and multi-factor authentication bypass techniques
Input validation failures
- Allowlists vs blocklists: understanding the trade-offs
- Bypassing validation filters through encoding and obfuscation
- File upload vulnerabilities and server-side request forgery (SSRF)
Injection attacks in depth
- SQL injection: from basic to advanced techniques
- NoSQL injection and command injection
- How ORMs and parameterised queries prevent injection
Configuration and deployment vulnerabilities
- Identifying and exploiting security misconfigurations
- Default credentials and information disclosure
- Cloud service misconfigurations and security hardening
Guarding against sensitive data exposure
- Common exposure vectors: logs, error messages, URLs and client-side code
- Proper handling of sensitive data: encryption, tokenisation and data masking
Access control failures
- Horizontal and vertical privilege escalation
- Insecure Direct Object References (IDOR)
- Implementing effective access control
Cross-site request forgery (CSRF)
- Understanding how CSRF attacks work
- CSRF token implementation and Same-Site cookies
Using components with known vulnerabilities
- Identifying outdated and vulnerable dependencies
- Dependency scanning and integration into CI/CD pipelines
Understanding indicators of compromise
- Recognising signs of system compromise
- Log analysis and incident response basics
Proactive vs reactive security
- Integrating security into the development lifecycle
- Threat modelling and security testing approaches
Capture the flag challenge session
- Guided capture the flag session applying learned techniques to real challenges
- Friendly competition with instructor guidance and hints throughout
- Platform choice tailored to the audience and focus areas
- Debriefing: discussing solutions, techniques and lessons learned
Requirements
Attendees should have at least 6 months of experience building or testing applications. Familiarity with web technologies (HTTP, HTML, JavaScript) is beneficial but not required.
This is a hands-on course with extensive practical exercises. Participants will work with vulnerable applications in safe, isolated environments, using real security testing tools. No prior security or penetration testing experience is required - we'll teach you everything you need to know.
Ideally, participants will have attended our Threat Modelling workshop prior to this course, as it provides foundational security thinking that complements the offensive techniques taught here.
A laptop capable of running a web browser and connecting to cloud-based virtual machines is required for the practical exercises.