State of the art of Web Application Attacks

Training delivered by Nicolas Grégoire, founder of the company Agarri and an expert in offensive IT security for more than 15 years. The training reviews the “OWASP TOP 10” as well as newer vulnerabilities (XXE, SSRF, JSONP injection) that are all the more devastating for being underestimated. Numerous practical exercises ensure that trainees assimilate the material. The tools used during web penetration tests will be presented and practised, from the simplest to the most complex. By the end, trainees will be able to identify and exploit the various families of vulnerabilities covered during the training, and thus to protect themselves against them.


The training is based on a program made up of 50% theory and 50% practical exercises on the following points:

– Reminder on HTTP
Requests and responses, state and cache management, redirects, authentication, encryption, implicit browser actions.

– Current Attacks
Introduction to the OWASP “top 10”: injections (HTML and SQL), insecure direct object references, CSRF, version management, presentation of real examples.

– Tools
Browser extensions (Chrome, Firefox), intercept and replay tools (ZAP, Burp Suite).

– Practical exercises
SQL injection, request manipulation (cookies and parameters), password cracking, data mining.

– Advanced exploitation
Advanced techniques for exploiting vulnerabilities such as SQL injection and XSS: access to the file system, filter bypasses, mass exploitation, technique chaining.

– Vulnerabilities outside of the “OWASP top 10”
Theory and practice of modern attacks (JSON injection, SSRF, XXE).



To ensure the success of the training, you will need:

– a laptop with wired connectivity (RJ45)
– a browser supporting extensions (Firefox or Chrome)
– a Java virtual machine (JRE)



This training targets the following profiles:

– Security Consultants
– Software Engineers
– System Administrators



Trainer profile for Web application attacks:

Nicolas Grégoire, founder of the company Agarri, specializes in offensive IT security and has more than 15 years of experience in penetration testing.



More information about the training:

Duration: 3 days, from 9 am to 6 pm
Location: DenyAll, 6 avenue de la Cristallerie, 92310 Sèvres, FRANCE
Price: 4200€ before taxes


If you need any further information about this training or any other, don’t hesitate to contact us.