Course Overview
Advanced Web Hacking is designed to take your web penetration testing skills to the next level. This course dives deep into advanced topics, exploring edge-case vulnerabilities, sophisticated attacks, and complex scenarios faced in modern web applications. Each module will offer in-depth exploration through code review, debugging, and hands-on labs.
Module 2: Attacking GraphQL is Available Now!
This module goes in-depth on how GraphQL works and the attack surface it presents to us as attackers. We'll explore both common mistakes in GraphQL applications as well as "features" that can help us attack GraphQL applications. Our next module will be coming in early 2025!
Key Topics
- Advanced web attacks
Prerequisites & System Requirements
It's recommended that students have the following experience or equivalent:
- Practical Web Pentest Professional (PWPP) certification
- 3+ years of web application penetration experience
Students should also have:
- The ability to run a Linux virtual machine (VM)
- Standard penetration testing tools such as Burp Suite, and a code editor such as Visual Studio Code
Advanced Web Hacking Course Objectives
- Identify and exploit web application vulnerabilities
- Use techniques such as code review and debugging to find and exploit vulnerabilities
- Gain a deep understanding of how web applications work
Who Should Take Advanced Web Hacking?
Advanced web hacking is aimed at those who want to understand, find and exploit advanced vulnerabilities within web applications for penetration testing and bug bounty.
- Experienced web application penetration testers looking to expand their knowledge and skillset
- PWPP certification holders
- Developers that want to understand advanced web attacks from a code perspective
Advanced Web Hacking Course Curriculum
Modules 1 & 2 are available now! Additional content is coming in early 2025.
- Introduction (4:31)
- Prerequisite Knowledge - Part 1 - Object Structures and Prototypes (26:44)
- Prerequisite Knowledge - Part 2 - Deep and Shallow Copy (8:29)
- Prerequisite Knowledge - Part 3 - Prototype Pollution and "__proto__" (14:22)
- Prerequisite Knowledge - Part 4 - Methodology (5:49)
- Lab Setup (13:26)
- Client-Side Prototype Pollution (28:22)
- Client-Side Prototype Pollution with DOM Invader (5:44)
- Client-Side Prototype Pollution Challenge Introduction (1:23)
- Client-Side Prototype Pollution Challenge Walkthrough (8:25)
- Server-Side Prototype Pollution (28:56)
- Server-Side Prototype Pollution with Scanners (8:02)
- Prototype Pollution Reports (6:27)
- Checking NPM Libraries for Known Prototype Pollution Vulnerabilities (4:58)
- Finding Undiscovered Prototype Pollution in NPM Libraries (13:35)
- Capstone Challenge Introduction (1:51)
- Capstone Challenge Walkthrough (16:59)
- Welcome to the Module (0:37)
- What is GraphQL? (7:12)
- Building a Simple GraphQL Application (19:48)
- Recon: Finding GraphQL Endpoints (16:17)
- Introspection (21:28)
- Information Disclosure (14:31)
- Information Disclosure Challenge Walkthrough (6:33)
- Authentication and Access Control (18:13)
- Authentication and Access Control Challenge Walkthrough (5:25)
- Denial of Service (14:37)
- Injection, CSRF, and Other Web Attacks (15:38)
- Capstone Challenge (3:33)
- Capstone Walkthrough (8:45)
About the Instructor: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
This course is included in our All-Access Membership starting at $29.99/month
Get full access to the Advanced Web Hacking course and our full course catalog when you enroll in our All-Access Membership.
Courses Included with the All-Access Membership
Frequently Asked Questions
Can I get a refund if I'm unhappy with my purchase?
Yes. All courses come with a 24-hour money-back guarantee.
Will I receive a certificate of completion when I finish a course?
Yes. All courses come with a certificate of completion.
Do the courses count as Continuing Education Units (CEUs)?
Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.
What is the All-Access Pass?
As of July 1st, 2023, TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.
What if you already own courses on TCM Academy?
If you already own a course on our platform, you will continue to own that course forever. Previously owned courses will not be affected by this change.
I can see the course, but it won’t load or play. What should I do?
We use Cloudflare to protect our course platform and unfortunately, it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at [email protected] and we will help you out.