Workshop

Attacking & Defending Modern Web Applications

March 16th, 17th & 18th

3 days training by Orange Cyberdefense Switzerland
This training will be given in ENGLISH

Normal price: CHF 3000.-
Student price: CHF 2250.- (limited availability)

Workshop with certification (35 credit hours)

Description

Learn how real web applications are attacked and how to stop those attacks.

Modern web applications are complex, fast-moving, and constantly exposed. This hands-on workshop introduces participants to the most common and impactful web application attack techniques, while providing the methodology and tooling needed to assess real-world applications from an attacker’s perspective.

Designed for developers and junior security engineers, the training focuses on building strong fundamentals rather than diving too deeply into isolated vulnerabilities. Participants will learn how to think like an attacker, how to identify entry points, and how vulnerabilities are chained together, while continuously linking each attack to its defensive implications.

By the end of the workshop, attendees will have a solid mental framework to analyze web applications, understand common failure patterns, and communicate risks more effectively within development or security teams.

Hands-on by design

This is a practical, lab-driven workshop. Concepts are demonstrated live and immediately applied using real tools and scenarios, including a final Capture-the-Flag exercise to reinforce learning in a realistic and engaging way.

About the trainer

Alain Mowat

Alain Mowat is Head of Research & Development at Orange Cyberdefense Switzerland. He joined the company (formerly SCRT) in 2009 as a penetration tester and went on to lead the offensive security team for several years before transitioning into R&D.

Alain remains actively involved in security engagements while focusing on developing new offensive techniques to better secure client infrastructures. He is a former member of the 0daysober CTF team, which placed 3rd at DEFCON CTF in 2015, and has responsibly disclosed vulnerabilities in major products including Citrix NetScaler, SonicWall, Barracuda, Twitter, and McAfee.

In addition to his research work, Alain regularly delivers security trainings at Orange Cyberdefense Switzerland and has spoken at multiple conferences such as Insomni’hack (where he is also an organizer), Secure IT VS, CyberSecurity Alliance, SIGS, and Area41.

Sébastien Sauty

Course outline

Foundations & Tooling

  • Overview of modern web technologies
  • Encodings and data handling
  • Introduction to Burp Suite

Information Gathering

  • Generic and specific reconnaissance techniques
  • Entry point identification and analysis
  • Fuzzing entry points

Authentication & Authorization

  • Session management issues
  • Authentication flaws
  • Delegated authentication (SAML, OAuth2/OIDC, JWT)
  • Access control vulnerabilities (function- and resource-based)

Server-Side Attacks

  • Injection flaws
  • XML-related vulnerabilities
  • Path traversal
  • Server-Side Request Forgery (SSRF)
  • Deserialization vulnerabilities
  • Race conditions

Client-Side Attacks

  • Same Origin Policy
  • Cross-Origin Resource Sharing (CORS)
  • PostMessage API
  • JSONP
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • WebSockets

Infrastructure-Level Attacks

  • Attacking encryption mechanisms
  • Request smuggling
  • Cache poisoning

Hands-on Challenge

  • Capture-the-Flag exercise

Course requirements

Workshop level

Beginner

Who should attend

  • Junior pentesters
  • Developers interested in application security
  • Security engineers starting in web application testing

Key takeaways

After the workshop, participants will:

  • Understand the main exploitation techniques used against web applications
  • Know how attackers identify and chain vulnerabilities
  • Be able to assess a web application using a structured methodology
  • Gain practical experience with industry-standard tools

Course requirements

  • Basic understanding of web development concepts
  • Basic scripting knowledge

Hardware materials

Laptop with unfiltered Internet access
