Advanced Web Attacks and exploitation (WEB-300) is an advanced web application security course that teaches the skills needed to conduct white box web app penetration tests. Learners who complete the course and pass the exam earn the OffSec Web Expert (OSWE) certification and will demonstrate mastery in exploiting front-facing web apps.
- ATutor LMS
- Authentication Bypass via Blind SQL Injection
- Authentication Bypass via PHP Type Juggling
- Remote Code Execution via File Upload
- ManageEngine Applications Manager
- PostgreSQL Authentication Bypass and Remote Code Execution
- Bassmaster NodeJS
- Remote Code Execution via Arbitrary JavaScript Injection
- DotNetNuke
- Remote Code Execution via Deserialization
- ERPNext
- Authentication Bypass via SQL Injection
- Remote Code Execution via Server-Side Template Injection
- openCRX
- Authentication Bypass via Weak Random Generator
- openITCOCKPIT
- Remote Code Execution via WebSocket Command Injection
- Concord
- Authentication Bypass via Permissive CORS and CSRF
- Authentication Bypass via Insecure Defaults
- Guacamole Lite
- Prototype Pollution
- TUDO
- Authentication Bypass via Blind SQL Injection
- Authentication Bypass via Weak Random Generator
- Privilege Escalation via Cross-Site Scripting (XSS)
- Remote Code Execution via PHP Object Injection
- Remote Code Execution via File Upload + Filters Bypass
- Remote Code Execution via PostgreSQL
- Remote Code Execution via Server-Side Template Injection