Courses
Bughunting bootcamp - 2 Day training
This intense two-day, lab-based course will teach you the skills to find new security bugs,
evaluate the root cause, assess impact and write exploits to prove the existence of
vulnerabilities in applications. The course will cover both manual and automated vulnerability
hunting in web applications, source code and compiled binaries.
Additionally, we will cover how to chain bugs together to achieve unauthenticated remote
code execution, vendor notification, vulnerability disclosure and how to obtain a CVE. The
training prioritizes real-world vulnerabilities across several languages.
Detailed Outline
Day 1
- Theory and web application security
- Choosing suitable targets
- Static and dynamic analysis
- Web application bugs
- Web application exploits
- OWASP Top 10
- Logic bugs
- Chaining bugs
Day 2
- Memory corruption bugs and exploits
- Shellcode
- Fuzzing
- Triage
- Writing memory corruption exploits
- Dealing with disclosure
- Conclusion
Students will learn how to identify and exploit common security vulnerabilities in open and
closed source software.
Attendees will be provided with:
- Slides for the training course.
- Virtual Machine with all the required software and reference material.
The course is aimed at beginners and security professionals alike, with a variety of targets to
practice bug hunting skills, so the attendee will find something suitable for their skill level.
Students are expected to be somewhat familiar with the Linux command line as well as
OWASP Top 10 & CWE-25. Basic scripting knowledge is recommended, but not required.
Attendees must bring a laptop capable of running a virtual machine (VirtualBox)
in order to complete this course.
Bughunting bootcamp - 3 Day training
This intense three-day, lab-based course will teach you the skills to find new security bugs,
evaluate the root cause, assess impact and write exploits to prove the existence of
vulnerabilities in applications. The course will cover both manual and automated vulnerability
hunting in web applications, source code, embedded systems, firmware and compiled binaries.
Additionally, we will cover how to chain bugs together to achieve unauthenticated remote
code execution, vendor notification, vulnerability disclosure and how to obtain a CVE. The
training prioritizes real-world vulnerabilities across several languages.
Detailed Outline
Day 1
- Theory and web application security
- Choosing suitable targets
- Static and dynamic analysis
- Web application bugs
- Web application exploits
- OWASP Top 10
- Logic bugs
- Chaining bugs
Day 2
- Embedded and web vulnerabilities and exploits
- Logic flaws
- Chaining bugs in exploits
- Bug hunting in embedded devices
- Basic reverse engineering using Ghidra
Day 3
- Memory corruption bugs and exploits
- Shellcode
- Fuzzing
- Triage
- Writing memory corruption exploits
- Dealing with disclosure
- Conclusion
Students will learn how to identify and exploit common security vulnerabilities in open and
closed source software.
Attendees will be provided with:
- Slides for the training course.
- Virtual Machine with all the required software and reference material.
The course is aimed at beginners and security professionals alike, with a variety of targets to
practice bug hunting skills, so the attendee will find something suitable for their skill level.
Students are expected to be somewhat familiar with the Linux command line as well as
OWASP Top 10 & CWE-25. Basic scripting knowledge is recommended, but not required.
Attendees must bring a laptop capable of running a virtual machine (VirtualBox)
in order to complete this course.