Ruxcon Training



Louis Nyffenegger & Luke Jahnke

October 20 - 21, Melbourne, Australia



ENDS July 31



ENDS August 31



STARTS September 01

Prices do not include GST


Do you want to know more about all these serialization bugs? You think there is more too life than Burp scanner? You went through PentesterLab's exercises and thought "I WANT MORE!!"? This training is for you!

This 2-day training will get you to the next level. We will look into CORS, WebSockets, the exploitation of vulnerabilities published in 2015/2016. This includes bugs in Spring, Jenkins... We will also get shells using serialisation in multiple languages and find vulnerabilities that you may have missed in the past.

After a quick overview of what you need to know to attack web applications, we will directly jump to the interesting stuff: Hands-on training and real attacks. The class is a succession

of 10 minute explanations on what you need to know, followed by hands-on examples to really understand and exploit vulnerabilities. After the training, you go home with the course (slides based), the detailed version of the course (in-depth walk-through), and the systems to be able to play and refresh your memory!

This training also includes one-year access to PentesterLab Pro (


Key Learning Objectives

  • Cross-origin resource sharing
  • Struts RCE
  • Multiple Serialisation attacks (PHP, Python, Java)
  • Jboss web-console
  • JWT
  • Padding Oracle
  • Outbound XML entities attacks

Day 1:

  • Review of HTTP essentials
  • Attacking JSON Web Token
  • Attack on Electronic CodeBook
  • Directory traversal and Tomcat Manager
  • Heartbleed
  • Outbound XML entities
  • Attacks on Cipher Block Chaining
  • Serialisation in Python
  • Serialisation in Java 

Day 2:

  • Padding Oracle
  • Struts Dev Mode
  • Play Session Injection
  • Cross-Origin Resource Sharing attacks
  • Signature bypass using Bad Hash
  • Serialization attacks in PHP
  • Attacking JBoss console
  • XSS and SQL injection to gain command execution
  • Attacks against Gitlist