WEB-300 (Advanced Web Attacks and Exploitation) provides experienced offensive team members with a comprehensive analysis of various vulnerabilities and their exploitation techniques in web applications. Building on the PEN-200 and WEB-200 programs, this program will dig deep into the methodologies and techniques used to analyze the target web applications. This will give learners a complete understanding of the underlying flaws that we are going to exploit. The goal of this course is to expose you to a general and repeatable approach to web application vulnerability discovery and exploitation, while continuing to strengthen the foundational knowledge that is necessary when faced with modern-day web applications.

WEB-300 covers a wide range of advanced web exploitation skills and techniques, including:

  • Analyzing and exploiting a deserialization remote code execution (RCE) vulnerability in the DotNetNuke (DNN) platform
  • Mastering advanced web security methodologies such as fuzzing, static and dynamic analysis, and manual code review
  • Practicing session hijacking techniques to gain unauthorized access to sensitive data and functionality, including exploiting an RCE vulnerability in the Dolibarr application using a dedicated virtual machine

WEB-300 is organized into 17 in-depth modules, each focusing on different topics. Many modules include companion videos and hands-on activities to reinforce the learning experience. Additionally, 20 Challenge Labs are provided to test learners’ understanding and prepare them for the OffSec Web Expert (OWSE) certification exam.

As an advanced offensive course, WEB-300 is developed to test experienced penetration testers and security professionals seeking to master advanced web application attacks and exploitation techniques. It is expected that learners are not only familiar with basic web technologies and scripting languages, such as JavaScript, PHP, Java, and C#, but also have a high level of experience in offensive techniques taught in PEN-200.

Understand and exploit stored cross-site scripting (XSS) vulnerabilities
Gain insights into SQL injection attacks and develop methods to exploit them
Analyze and exploit code injection vulnerabilities in server-side JavaScript
Understand deserialization vulnerabilities and learn to exploit them for remote code execution
Perform manual source code analysis to identify potential security flaws
Develop custom fuzzing tools for vulnerability discovery
Develop custom fuzzing tools for vulnerability discovery
Bypass authentication mechanisms using SQL injection and other techniques
Exploit file upload vulnerabilities to gain remote code execution
Understand and exploit type juggling vulnerabilities in PHP applications

The WEB-300 course is ideal for

  • Experienced penetration testers and security professionals seeking to master advanced web application attacks and exploitation techniques

While there are no formal certification prerequisites, it’s strongly recommended that you have:

  • Comfort reading and writing at least one coding language
  • Familiarity with Linux
  • Ability to write simple Python / Perl / PHP / Bash scripts
  • Experience with web proxies
  • General understanding of web attack vectors, theory, and practice

Up to 40 (ISC)² CPE credits.