Hands-On Web Exploitation with Python

Back in 2015, a colleague and friend asked if I would be interested in teaching a training class with him at OWASP AppSec USA. After careful consideration, I agreed. It’s a good thing I did, because he had already submitted the class to the call for trainings before asking me.

Fast forward a bit and we’re now gearing up to teach the third version of the class. What started out as a one-day training session has turned into a three-day course. Based on the feedback we have received over the previous years, my colleague and I have tweaked the class to suit all levels of programmers, from beginners who are new to Python to veterans.

Much like our first class, I have taken the time to develop a new vulnerable virtual machine for the test lab. This time around, I applied several lessons learned along the way. The primary change to the virtual machine is that I made it quite a bit simpler. I did this because I noticed students spending more time trying to identify as many vulnerabilities as possible instead of focusing on developing the scripts my colleague and I would teach in the class. So, to help students focus on learning Python, we have simplified the vulnerable application. Here’s a screenshot teaser of what the vulnerable application will look like.

Along with some of the vulnerabilities from past classes, we’ve included a few more scenarios. Students this time around will use Python to exploit stored cross-site scripting (XSS) and SQL injection. Some of the previous vulnerabilities have been tweaked slightly as well, requiring different exploit scripts. To add a further challenge, my colleague and I will cover threading and multiprocessing in the class; specifically, we’ll introduce these concepts when attacking user passwords with large wordlists. If that isn’t enough, students will be encouraged to form teams to face a “capture the flag”-style cryptography challenge. There will be prizes for the members of the winning team.

This training will be held in Belfast, United Kingdom, May 8-10, 2017, with the AppSec EU conference scheduled to follow on May 11-12, 2017. If you are unable to attend the European edition of the conference, my colleague and I plan to submit this class to the USA edition, tentatively scheduled for September 2017.

If you’d like to join us in Belfast for this training, you can sign up for the class here:
The OWASP AppSec EU Conference registration and additional information can be found here: https://2017.appsec.eu/