Brian King - Modern WebApp Pentesting

May 27th and 28th

Course Abstract

Modern Webapp Pentesting is unique in its approach to testing webapps. Too many courses are built around the assumption that a webapp pentester’s skills should grow along a straight line, starting with something like the OWASP Top Ten and culminating in something like Attacking Web Cryptography. Real webapps don’t follow that same path, and neither should real webapp pentesters. Attacking Web Sockets is not more difficult than attacking HTTP traffic, it’s just different. Web APIs are not something you’re qualified to test only after you’ve put your time in on traditional webapps… they’re just different. This course doesn’t worry about where a student falls on the imaginary scale of beginner to expert but instead focuses on finding and exploiting the kinds of issues found in real webapps today, based on the instructor’s many years of ongoing experience in testing real webapps today.


The course starts with a review of HTTP, URLs, HTML and what the instructor calls, “the fundamental problem for web browsers.” After that, the major sections are:

  • In-Browser “Developer Tools” for Pentesters
  • Pentesting Step 1: Understand the Target
  • Hidden Content: On Servers and in Client-side Frameworks
  • Maintaining State: Cookies, Local Storage, HTTP Headers
  • Web APIs
  • Identifying and Bypassing Client-Side Controls
  • Filters and filter evasion
  • Regular Expressions and their role in filters
  • Direct Object References
  • Encoding Information: Context and Translations
  • SQL Injection
  • Credential Attacks
  • NoSQL Injection in MongoDB
  • JSON Web Tokens and Federated Authentication
  • Web Sockets

Who Should Attend

  • Pentesters who want to do more than “The OWASP Top Ten”
  • Bug Bounty Hunters looking for new avenues of attack.
  • Web Developers who want to see what attackers see

What You Need

  • Curiosity and tenacity
  • A laptop that can run VMWare and one virtual machine (8GM RAM, 10GB free disk).
  • VMWare (Workstation, Fusion, or Player - free versions or demo licences will work)
  • Fast Internet connection (prior to class) to download the VM
  • Current Firefox web browser.


Brian King Penetration Tester, Black Hills Information Security

Brian King has been pentesting webapps since 2008. He was the second hire into his employer's application security team at a time when "PCI" was brand new and long before bug bounty programs - when experienced webapp pentesters had to be made, not found. His internal training and coaching efforts built a successful team of 30 testers, few of whom had significant security experience before joining the team. Brian believes that webapps are the best targets for pentesting because although they all look familiar on the surface, they're all different and often in surprising ways. Each webapp is a collection of puzzles for a pentester and the first puzzle is figuring out where the other puzzles are! Once you get started, each test can be an engaging chance to practice your problem-solving skills and dive into new technologies.

Return to training sessions