MDSec Training

MDSec Consulting Ltd
Course Title: Web Application Hacker’s Handbook (WAHH), Live Edition
Course Length: 2 days
Web Link:
Useful preparation for:
CREST Certified Infrastructure Tester (CCT INF)
CREST Certified Web Applications Tester (CCT APP)

CREST Overview
This course has frequently been recommended by candidates who have taken both the CREST CCT Infrastructure and CCT Web Applications exams.

About the Course
The Web Application Hacker’s Handbook (WAHH) Series is the deepest and most comprehensive general-purpose guide to hacking web applications that is currently available. This course is a practical opportunity to take the skills and theory taught in the book to the next level, experimenting with all of the tools and techniques against numerous vulnerable web applications and labs, under the guidance of the book’s authors. A walkthrough of the online environment can be seen at

Course Syllabus
The course is 2 days in length and follows the contents of WAHH, with a strong focus on practical techniques:

We will cover a huge range of attacks and techniques, including:

And much more …

The course employs a range of demo applications and lab exercises, containing hundreds of different examples of web application vulnerabilities.

Student Requirements
Delegates should be able to meet the following:

What to Bring
A version of the JRE, capable of running Burp Suite;
An Ethernet connection;
Administrative access to the laptop, and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

About the Trainer
Marcus Pinto is internationally recognised as a leader in the application and database security field, having spent the last nine years in Information Security both as a consultant and as an end user responsible for a global team securing over 200 build tracks and 50+ externally facing applications. He has delivered training to some of the most high-profile audiences, at 44CON, Black Hat, SyScan, and Hack in the Box.