WEB-300: Advanced Web Attacks and Exploitation (OSWE)

  • Learn advanced web application attacks and exploits, including advanced SSRF, persistent XSS and blind SQLi to .NET deserialization, source code analysis, session hijacking, fuzzing, and authentication bypass
  • Become a certified OffSec Web Expert (OSWE)
Google 4.3/5 Average Rating
1,270+ Learners
Industry Recognized
Certification Body Offensive Security
Delivery Profice
Lowest price guaranteed
Self Paced Learning - 90 Days Access
€1950
Excl. VAT
Slef Paced Learning - 365 Days Access
€3000
Excl. VAT
  • Exam voucher
  • Hands-on labs
  • Certificate
  • Lifetime support
  • Official courseware

Flexible payment — invoice, card or PayPal

About This Course

WEB-300 (Advanced Web Attacks and Exploitation) provides experienced offensive team members with a comprehensive analysis of various vulnerabilities and their exploitation techniques in web applications. Building on the PEN-200 and WEB-200 programs, this program will dig deep into the methodologies and techniques used to analyze the target web applications. This will give learners a complete understanding of the underlying flaws that we are going to exploit. The goal of this course is to expose you to a general and repeatable approach to web application vulnerability discovery and exploitation, while continuing to strengthen the foundational knowledge that is necessary when faced with modern-day web applications.

WEB-300 covers a wide range of advanced web exploitation skills and techniques, including:

  • Analyzing and exploiting a deserialization remote code execution (RCE) vulnerability in the DotNetNuke (DNN) platform
  • Mastering advanced web security methodologies such as fuzzing, static and dynamic analysis, and manual code review
  • Practicing session hijacking techniques to gain unauthorized access to sensitive data and functionality, including exploiting an RCE vulnerability in the Dolibarr application using a dedicated virtual machine

WEB-300 is organized into 17 in-depth modules, each focusing on different topics. Many modules include companion videos and hands-on activities to reinforce the learning experience. Additionally, 20 Challenge Labs are provided to test learners’ understanding and prepare them for the OffSec Web Expert (OWSE) certification exam.

As an advanced offensive course, WEB-300 is developed to test experienced penetration testers and security professionals seeking to master advanced web application attacks and exploitation techniques. It is expected that learners are not only familiar with basic web technologies and scripting languages, such as JavaScript, PHP, Java, and C#, but also have a high level of experience in offensive techniques taught in PEN-200.

Course Information

Course Code OSWE
Duration Self Paced
Delivery Self Paced
Exam Voucher Included
Certification Body Offensive Security
Certification OSWE

What You Will Learn

Understand and exploit stored cross-site scripting (XSS) vulnerabilities
Gain insights into SQL injection attacks and develop methods to exploit them
Analyze and exploit code injection vulnerabilities in server-side JavaScript
Understand deserialization vulnerabilities and learn to exploit them for remote code execution
Perform manual source code analysis to identify potential security flaws
Develop custom fuzzing tools for vulnerability discovery
Develop custom fuzzing tools for vulnerability discovery
Bypass authentication mechanisms using SQL injection and other techniques
Exploit file upload vulnerabilities to gain remote code execution
Understand and exploit type juggling vulnerabilities in PHP applications

Course Curriculum

Understand how attackers can manipulate JavaScript’s inheritance model to inject malicious data, compromise logic, and execute code remotely in your web applications

Bypass filters, access internal resources, and exploit complex application architectures through SSRF vulnerabilities

Master web security tools and methodologies like: fuzzing, static analysis, dynamic analysis, and manual code review

Analyze source code and parse application logic to identify potential attack vectors and security vulnerabilities

See how attackers store malicious code on web servers to launch persistent XSS attacks on multiple users over time

Understand how attackers take over user sessions to gain access to sensitive data and functionality

Identify the ways attackers can exploit vulnerabilities caused by deserialization in .NET applications

Explore the techniques attackers use to execute system-compromising code on targeted web servers

Use different techniques to exploit SQL injection vulnerabilities to compromise databases without direct application feedback

Understand how attackers use SQL injection, XXE attacks, and compromised file uploads to extract sensitive data from web applications

Understand how attackers can bypass security mechanisms designed to prevent malicious files from being uploaded

Learn how to exploit type juggling and loose comparison behaviors in PHP to bypass authentication to perform malicious actions

Learn how attackers can access private data, execute commands, and establish persistent backdoors by leveraging PostgreSQL extensions and user-defined functions

Evade regex-based input validations to inject malicious payloads into web applications

Bypass authentication mechanisms and perform unauthorized actions by exploiting “magic hashes” in PHP applications

Explore the techniques attackers use to bypass character restrictions in web applications in order to inject malicious payloads and manipulate application behavior

Learn how attackers can leverage user-defined functions to create reverse shells in order to access underlying operating systems

Learn how attackers store/execute malicious code and exfiltrate sensitive data by abusing large objects in PostgreSQL databases

Learn how the browser’s Document Object Model (DOM) can be manipulated to execute malicious JavaScript code in web applications without direct server-side interaction

Identify and exploit vulnerabilities in server-side templates in order to execute remote code, disclose information, or escalate privileges

Understand the risks associated with poorly implemented random token generation in web applications and how attackers can exploit them or compromise user sessions

Discover the ways attackers can exploit XML parser weaknesses to access files, execute commands, or perform DDoS attacks, and how to prevent XXE vulnerabilities in your web applications

Learn how vulnerabilities in database functions can be exploited to execute arbitrary code on the server to compromise your web applications

Identify and mitigate WebSocket vulnerabilities that can be used to inject operating system commands to gain control of underlying servers

Get the Full Syllabus as a PDF

Curriculum, exam format & everything included — sent straight to your inbox.

All You Need to Know

Who Should Attend

The WEB-300 course is ideal for

  • Experienced penetration testers and security professionals seeking to master advanced web application attacks and exploitation techniques
Prerequisites

While there are no formal certification prerequisites, it’s strongly recommended that you have:

  • Comfort reading and writing at least one coding language
  • Familiarity with Linux
  • Ability to write simple Python / Perl / PHP / Bash scripts
  • Experience with web proxies
  • General understanding of web attack vectors, theory, and practice

Premium training, now at the lowest price.

Self Paced Learning - 90 Days Access €1950 excl. VAT
Slef Paced Learning - 365 Days Access €3000 excl. VAT
4.3/5 Official Offensive Security partner Exam included 1,270+ alumni
Lowest price guaranteed Ready to enrol?

No payment now — reserve your seat and we'll send the invoice.

Under a minute · invoice, card or PayPal
How it works: 1 Submit your details 2 Receive your invoice 3 Pay & get access