Practical Web Application Penetration Testing: From Fundamentals to Exploitation // Jonathan Machnee, Field Effect

In-Person | November 2-4 | 3 Days

ABSTRACT

Modern organizations rely heavily on web applications and APIs, making them one of the most frequently targeted attack surfaces. With the rise of LLM-assisted web application development in particular, these attack surfaces are becoming more varied, more complex, and more vulnerable.

This lab-driven, hands-on course provides a practical introduction to web application penetration testing, equipping students with the foundational knowledge and real-world skills needed to identify and exploit common vulnerabilities.

Designed specifically for security analysts transitioning into offensive security roles, this course emphasizes understanding why vulnerabilities exist, how they are introduced into modern applications, and how attackers leverage them in real-world scenarios.

Students will work through guided labs targeting intentionally vulnerable applications, gaining experience with industry-standard tools, open-source frameworks, and emerging techniques including the use of modern large language models (LLMs) to accelerate testing workflows and analysis.

INTENDED AUDIENCE

This course is ideal for:

  • Security analysts looking to transition into penetration testing
  • SOC analysts seeking to understand attacker techniques
  • Application security professionals wanting hands-on exploitation experience
  • Red team beginners building foundational web testing skills

KEY LEARNING OBJECTIVES

By the end of this course, participants will be able to:

  • Understand the architecture of modern web applications and associated attack surfaces
  • Identify and exploit common web application vulnerabilities
  • Analyze root causes behind insecure design and implementation flaws
  • Perform structured web application penetration tests
  • Leverage both manual techniques and automated tools effectively
  • Use modern tooling including AI-assisted workflows to enhance testing capabilities
  • Communicate findings clearly and prioritize remediation efforts

COURSE OUTLINE

This course focuses on real-world, high-impact vulnerability classes aligned with modern threat landscapes and OWASP guidance, including:

Access Control Flaws

  • Broken object-level authorization (BOLA)
  • Privilege escalation techniques
  • IDOR exploitation

Authentication & Session Management Issues

  • Credential attacks
  • Session hijacking and fixation
  • Multi-factor bypass techniques

Injection Vulnerabilities

  • SQL injection (classic and modern)
  • Command injection
  • Template injection

Security Misconfigurations

  • Misconfigured servers and services
  • Debug exposure and sensitive data leakage

Insecure Design

  • Trust boundary violations
  • Business logic abuse

Software & Data Integrity Failures

  • Dependency and supply chain risks
  • Unsafe deserialization (conceptual and practical)

Mishandling of User Input

  • Stored, reflected, and DOM-based cross-site scripting (XSS)
  • Input validation failures
  • Encoding and sanitization issues

Hands-On Labs

This is a heavily lab-focused course. Students will spend the majority of their time actively:

  • Discovering vulnerabilities in live web applications
  • Exploiting weaknesses in controlled environments
  • Chaining vulnerabilities to achieve deeper access
  • Using tools such as Burp Suite, browser developer tools, and open-source testing frameworks
  • Applying AI-assisted techniques to accelerate reconnaissance and payload generation

Each lab is designed to simulate real-world scenarios, reinforcing both foundational concepts and practical exploitation skills.

Tools & Techniques

Participants will gain hands-on experience using:

  • Commercial tools (e.g., Burp Suite Professional)
  • Open-source penetration testing frameworks
  • Browser-based debugging and analysis tools
  • Custom scripts and payload crafting techniques
  • Frontier large language models (LLMs) as an augmentation layer for testing workflows

Suggested Prerequisites

Participants should have:

  • An understanding of HTTP and web technologies
  • Familiarity with networking concepts (TCP/IP, requests/responses)
  • A grounding in security fundamentals

Takeaways

After completing this course, students will leave with:

  • Practical, real-world web application testing experience
  • A repeatable methodology for identifying and exploiting vulnerabilities
  • A deeper understanding of attacker mindset and techniques
  • The ability to confidently begin performing web application security assessments

YOUR INSTRUCTOR: Jonathan Machnee

Jonathan Machnee is a Principal Security Analyst at Field Effect Software, where he focuses on penetration testing, incident response, and training the next generation of cyber analysts.

He spent the first ten years of his career in the Canadian Armed Forces (CAF) as a Captain in the Royal Canadian Corps of Signals, where he specialized in cyber security and led a wide variety of technical projects, including the development of CAF Cyber personnel selection and of the CAF Cyber Operator trade. For the last six years he has led Field Effect's web application penetration testing program and trained cyber security analysts for penetration testing roles.

Cancellation Policy

Cancellations are not permitted but attendee changes can be accommodated anytime prior to the start of the course.

Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.

Virtual Training Oct 26-31 // In-Person Training Nov 2-4 / Conference Nov 5,6
