Web Application Security

"Web Applications Security" in hands-on hacking format is an eye-opening course for developers and those who have to keep web sites up and running on daily basis

Course duration : 4 days of instructions heavily mixed with hands-on labs.

Group size : 12 participants maximum

Target audience : WebApp developers, maintainers, web server or hosting providers/administrators, information security specialists and managers, testers

Web Application Security course consists of two modules:

  • Client-Side Attacks
  • Server-Side Attacks

It's possible to order the modules on separate weeks (2 days + 2 days).


Next public training courses


Trainers are Elar Lang and Marko Belzetski .

Elar Lang Elar Lang

Elar is an experienced PHP developer who enjoys researching web attacks and security. In Estonian IT College he wrote his diploma on "PHP Application Layer Attacks - mechanisms and protection" and in Tallinn University of Technology his master thesis on "Web Application Security - hands-on training". Both schools were graduated with honors ( cum laude ), of course. He is constantly improving and working on his trainings to keep them up to date and for giving the best trainings possible. In March 2017 he rounded up 2000 hours of WAS training given since 2012 March launch and the count is growing fast.

Marko Johani Belzetski Marko Belzetski

Marko joined the team in August 2016. His focus lies in Android and web application penetration testing. He is also one of the main lecturers of our 4-day Web Application Security course. Previously he has worked in finance and business support along with some freelance web application development. Marko has a diploma of professional higher education in IT systems development from Tallinn Technical University. His thesis on the subject of Android IPCs was awarded best thesis in the BSc category of his graduation year. He also holds a bachelor's degree in business administration from Northwood University, which he graduated magna cum laude.

Training methods

Trainers will engage participants with lectures, live attack demonstrations and practical examples followed by individual hands-on exercise scenarios. Training is interactive, practical, and besides active participation also full of attack stories that help to change the perspective and understanding of real life security threats.

Ideology of this course

This training focuses on attacks so that the need for defence is better understood. OWASP project should be the bible of everyone dealing with WebApp development and security and OWASP ASVS (Application Security Verification Standard) is one of the golden standards of WebApp security testing. This training will cover all WebApp attack types and instills this knowledge with lot of hands-on exercises. With first-hand experience in those attacks, participants are better armed with understanding the attacks and why they are conducted.

Contents of this course

Web Application security essentials (4 parts, 8 lectures with practical demos and exercises for each vulnerability, including complex attack scenarios):

Client-Side attacks

  • Security, Information sources
  • Client-Server communication, HTTP vs HTTPS, HTTP request methods
  • User input and why it can not be trusted
  • XSS (Cross-Site Scripting) - one of the most widespread, yet often trivialized vulnerabilities that in reality opens up many other vectors for combined attacks
  • HTML and HTML injection
  • JavaScript and JavaScript injection
  • URL and URL manipulation
  • Cookies and cookie manipulation
  • Session and session hijacking, session fixation
  • Request forgery attacks (CSRF & OSRF) – goes together wonderfully with XSS
  • UI Redress Attacks (ClickJacking, CursorJacking, TypeJacking)
  • Using 3 rd party content
  • Combined client side attacks – how some vulnerabilities give you complete control over a victim’s browser and a gateway into internal networks

Server-Side attacks

  • Authentication, passwords and hashes
  • Authorization vulnerabilities (lacking access controls)
  • Business logic issues
  • Google hacking
  • Web server configuration and the file system
  • Command injection
  • File handling (file extensions, public folders, enumeration, metadata)
  • File inclusion attacks (LFI, RFI, LFI2RCE)
  • File upload
  • XXE (XML eXternal Entity) attacks
  • SQL injection – detection, query and database structure identification, blind and partially blind attacks, incorrect defenses and bypasses

* All attacks have hands-on demos, exercises and “lessons learned” from our pentesting services.

Intended outcome

Participants will have their assumptions challenged, get a healthy dose of paranoia and will start to fear user input. In other words: learn the security basics of producing better software.
Participants will receive a certificate of completion for 32-hour hands-on course to clarify web application attacks, vulnerabilities and defence.


We can deliver on-site at group pricing anywhere in the world where decent Internet connection is available. Ask us for the group pricing or for times and locations of our public courses. Public groups are currently available directly or via partners in Estonia: BCS Koolitus , Äripäeva koolitused , Nordic Koolitus .


Priit Matiisen Priit Matiisen,
CO-Founder & CTO of Scoro
27 JAN 2017
The most valuable asset of this training was the „reality check“. The technologies we use on a daily basis have their weak spots and quirks that could be exploited, if not properly handled. This training is structured very well and suits everybody. Even people who are not developers by profession. All participants got a valuable theoretical and practical overview of how to defend our personal and our clients’ data against external attacks. Best training ever – really : )
Raul Ennus Raul Ennus,
Head of Development,
Helmes AS
31 JUL 2017
For Helmes solid software security is essential and different security trainings are mandatory for every Helmes software and infrastructure engineer. CS WAS trainings are one important part in Helmes security trainings roadmap. CS has been providing continuously excellent quality with its trainings despite quickly changing global cyber-attacks and risks. WAS training is a must for every serious software engineer.