Dawid Czagan shares his bug hunting experience in his hands-on training “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”


Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique hands-on training!

I will discuss security bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.

To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.

After completing this training, you will have learned about:

– tools/techniques for effective hacking of web applications
– non-standard XSS, SQLi, CSRF
– RCE via serialization/deserialization
– bypassing password verification
– remote cookie tampering
– tricky user impersonation
– serious information leaks
– browser/environment dependent attacks
– XXE attack
– insecure cookie processing
– session related vulnerabilities
– mixed content vulnerability
– SSL strip attack
– path traversal
– response splitting
– bypassing authorization
– file upload vulnerabilities
– caching problems
– clickjacking attacks
– logical flaws
– and more…

This hands-on training was attended by security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector, and it was very well received. Recommendations can be found here.


Students will be handed a VMware image with a specially prepared testing environment to play with the bugs. What’s more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.


To get the most out of this training, basic knowledge of web application security is needed. Students should have some experience in using a proxy, such as Burp or similar, to analyze or modify the traffic.


Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, a USB port (2.0 or 3.0), a wireless network adapter, administrative access, the ability to turn off AV/firewall, and VMware Player installed (64-bit version). Prior to the training, make sure there are no problems with booting 64-bit VMs (BIOS settings changes may be needed).


Pentesters, bug hunters, security researchers/consultants.

You will have an opportunity to attend this hands-on training at various security conferences around the world.

Upcoming editions:

13-14 September 2016 44CON (London)

What students say about this training:

Dawid Czagan’s course on ‘Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more’ is one of the most practical and realistic courses that I have attended. The two-day sessions are well-paced. He goes to great lengths to explain the underlying concepts and then dives into the various attack vectors targeting the vulnerabilities on those applications. He has also generously shared his experiences with bug bounty programs that he has participated in and also touched on the dos and don’ts of what can be expected from such programs. Dawid is meticulous in his explanation of the exploits he performed and demonstrated this in a professional manner. I am glad to have taken his class; it is very well worth the time spent.

Cecil Su – Practice Lead, SpiderLabs

I attended Dawid’s training (“Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”) during BRUCON2015 and I have to admit it was really interesting. The working material was very well prepared and the pace of the presentation followed a presenter-audience interaction method. What I liked the most was the out-of-the-box approach to how the cases were presented. Also, the fact that these were detected in real scenarios made them even more interesting.

Adrian Pauna – Principal Security Analyst at Oracle – Security Audits and Penetration Testing

“Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”
Dawid was my trainer at this great walkthrough of the most interesting and most up-to-date bugs in web applications. He has taught me how to look at the area of application security from the attacker’s angle. This course is not useful just for pentesters and bughunters, but also for web application developers who can try to think as attackers and learn how to defend from them.

Filip Mazán – Software Engineer, ESET

I attended Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more at BRUCON 2015.
The class was intense and very educational and I learned a lot about Web App security and finding bugs. His approach was really good and the labs all worked!
I would highly recommend this training!

Martin de Kok CISSP-ISSAP, CISA, CEH, LPT – Sr. IT Security & Risk Specialist at ING

Dawid’s training, “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more” at BruCON, was really excellent. It broadened my vision on what to look for in web applications. He is an excellent teacher who really knows what he is doing. If you want to have a better understanding in what to look for in bug bounty programs, then I can strongly recommend Dawid’s training.

Alexander Barakazian – Security Consultant at Toreon

“Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more” was a really interesting course.
I can honestly say that it allowed me to change my perspective on some vulnerabilities, boosting my pentesting skills. Moreover, Dawid is a great teacher; he is clear and always willing to answer students’ questions.
I can definitely recommend this course.

Lino Antonio Buono – Penetration Tester, Milan Area

I attended Dawid’s training on “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more” during CanSecWest’15. The training was full of hands-on exercises using Burp-Suite. Dawid presented his 36 award winning bugs and most of them were very interesting and new to me. His method of teaching was very good – providing hints step by step and asking trainees to deeply investigate burp-suite data to find out the root issues. He answered all queries very patiently. Overall, I found this training very useful and recommend it to all web app developers and pen testers.

Vijay Kumar Sahu – Manager, Secure Software Engineering – Product Security at Adobe

Dawid was my trainer at HITB: “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more” – I do encourage people, even if experienced in web pentesting, to follow this course. Dawid has a very deep knowledge of the technical matters he talks about, and can give you an insight that I personally found extremely useful in my everyday pentesting, as none of the cases shown was too border line to have no practical applications.

The problems and techniques he shows are applicable straight away, to big & advanced applications developed in big enterprises for top clients (so mature enough to have no trivial vulns/exploits) or by new players in the retail market (so focused enough to have little attack surface). And 99% of the cases are language independent, which is a big pro for me.

As he presents real-life cases, you can always present to your client / the developer team with a reference that it has already happened to someone else (which is a huge incentive in my experience). In my edition he presented >35 cases ranging from very focused logical problems to multiple attacks concatenated to get an RCE, SQLI or XSS. Almost none was trivial and, for the few that are simple, Dawid explains to you the point of view (threat model) behind it, that is usually the reason why it has been rewarded. After more than 10 years spent pentesting, I learned a lot more than I expected during these 2 days.

Claudio Sasso – Senior Principal Security Analyst, Oracle

I attended Dawid’s course (full title “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”) during Hack in Paris 2015 and thoroughly enjoyed it.
The course was well paced and the hands-on nature of the case studies greatly helped with the learning process. Dawid demonstrated a deep knowledge in Web Application Security, providing great insight into such a broad and complex field. He is also an incredibly friendly chap, always willing to answer questions and share powerful hacking tips!
This course taught me a lot in a very short space of time. I would definitely recommend it, not only to pen-testers, but also QAs and Devs interested in furthering their knowledge into web security.

Jean-Yves Le Breton – Automation QA Manager, Euromoney Institutional Investor

I took Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more at BRUCON 2015. The class was great and I learned a lot about Web App security and finding bugs. His approach was really good and made the class enjoyable. He spent time answering all the questions from the class and making sure everyone knew what road to take to get the right answer. The approach he took to teach the class drove home his methodology to finding vulnerabilities in Web applications. I highly recommend his class.

Will Havlovick – Director of Information Security at Center for Shared Services

I had the honor of meeting Dawid in my journey to research the latest achievements and trends in Web application vulnerabilities and remediation. Just when I thought I knew it all, Dawid, with his innovative approach, took me a realm above and beyond common Webhacking techniques. His unconventional lessons enable you to think and analyze vulnerabilities from a new perspective. You’re not in to learn in theory; his penetration lab is designed for hands on practices throughout the lessons. I highly recommend taking his class, as I will be looking forward to taking his future classes.

Hooman Pegahmehr – Excelsior College Cybersecurity Club

Wow, what a great training I had with Dawid during Hack In Paris 2015! “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more” is a difficulty-rising vulnerability-finding workshop based on real cases. Dawid is very good at accompanying you at finding them, step by step, hint by hint, letting you think as an attacker and search by yourself. As a web developer interested in InfoSec I knew about some vulns, but Dawid’s ones come with good subtleties and make you think and search far more. He is also very good at diving, explaining and clearing out what you didn’t understand well. He is a passionate & passionating expert, very clear and pedagogic, what a great trainer! I had two days full of gooood learning 🙂

Thank you Dawid!

Ludovic Affortit – Consulting Engineer at Cellenza

Contrary to most material found on the topic, Dawid’s training focuses on unusual attack vectors which are often overlooked by penetration testers. He develops a methodology and a way of thinking which allows bug hunters to perform exhaustive audits of web applications.

The course also contains a lot of valuable insight regarding browser oddities which can result in aggravated exploitation scenarios. This knowledge allows students to increase the impact of discovered vulnerabilities and get more money out of bug bounty programs.

All in all, I learned a lot and I think that the course will end up paying itself!

Ivan Kwiatkowski, Penetration Tester, France

I attended Dawid’s Web Application Hacking – Case Studies.. course at Hack In the Box 2015, and was deeply impressed with the format and approach of the subject material. Dawid is an excellent instructor who discusses exceptions and corner cases with clarity, building and demonstrating the latest techniques in hacking web applications step-by-step, with effective presentation. I found the emphasis on case studies to be a novel and refreshing approach to web application security training, a subject which is often mired in rote and stale methodologies.

The cases we covered in training were current, and based on detecting security bugs via behavioral analysis of web apps, removing the barrier to understanding web-based security flaws from the realm of implementation. This proved to be invaluable as we made our way through a large set of common use scenarios, covered a set of general but cogent methodologies, and got to see exploits and attack methods that were quite surprising in their effectiveness. Dawid focused on patterns of application design and use/mis-use of common, every day general application features. This is a holistic approach compared to other courses, which focus on flaws that may only exist in some application stacks (..but not others), or go to some length to explain basics, without much grounding, OR emphasize tools which will quickly become outdated.

The course also focuses heavily on browser-dependent exploitation techniques, and Dawid shared critical knowledge related to differences in specific versions of modern browsers, and differences across browser stacks. This is a course that expands on how one considers and goes about discovering vulnerable features.

Training with Dawid greatly improved my confidence in discovering bugs and vulnerabilities in web apps. As a direct result of Dawid’s instruction, I have changed my approach when detecting security flaws in my organization’s applications. Many thanks to Dawid and Silesia Security Lab for compiling such a great training program!

Neha Chriss – Security Engineer, Simple Finance

“Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more” is usually pitched as an introduction to bug bounty programs but it’s packed full of good info for anyone who wants to do penetration testing or penetrations of hosts at the application layer, not just for bug hunters but anyone who just wants to be a better attacker.

Stan Steenhuis – Security Consultant, Greater Seattle Area


Source: LinkedIn