Introduction to Web Hacking 101

November 1-2nd

Hackfest is proud to offer “Introduction to Web Hacking 101” by HackerOne with support from PentesterLab!


This two day training is geared towards new hackers with limited knowledge of vulnerabilities, bug bounties, penetration testing, etc. The first day will be focused on explaining common vulnerability types with examples from real world vulnerabilities on well known websites. We’ll detail what each vulnerability type is, the impact of the vulnerability, what to look for when testing for them and techniques to use when bug hunting. Where possible, we’ll also rely on Pentester Labs for examples, with each participant receiving 1 month free on the platform.

The second day of the training will be focused on tools used for hacking. The morning will focus on bug bounty success. We’ll cover what bounty programs are and how to be successful before teaching attendees how to make the most of the proxy software Burp Suite, including the history, repeater, intruder, collaborator and other helpful tools. In the afternoon, we’ll finish up Burp and move on to look at other tools spending a majority of time on content discovery. The afternoon will conclude with tips on where / how to dig deeper including where we’ve found success in bug bounty programs both in terms of the number of submissions and earnings.


FREE (Refund after class is completed)


HackerOne is the no.1 hacker-powered security provider, connecting organizations with the world’s largest community of trusted hackers. More than 800 organizations, including The U.S. Department of Defense, General Motors, Intel, Uber, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Square, Starbucks, and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne customers have resolved more than 50,000 vulnerabilities and awarded more than $18M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, Seattle, Los Angeles and the Netherlands.


PentesterLab is a learning platform dedicated to the learning of Web Security. We provide well thought-out hands-on exercises to get you from zero to hero. Our exercises cover everything from really basic bugs to advanced vulnerabilities. You will have fun and we will help you in your learning!


  • Badge to access the conference November 3 and 4
  • Lunch for both training days
  • Coffee breaks
  • 1 month access to Pentester Labs
  • 1 copy of Web Hacking 101
  • HackerOne swag


0900 to 1700 each day

Suggested Reading

Course Content

Topics that will be covered in the class include:

Day 1

  • 9H - Welcome / Background Knowledge / HackerOne Platform
  • 10H - Cross Site Request Forgery
  • 11H - Cross Site Scripting (Stored, Reflected, DOM, Blind)
  • 12H - Lunch
  • 13H - 13:30H - SQLi
  • 13:30H - 14:30H - IDOR / Information Disclosure
  • 14:30H - 15:30H - Local File Inclusion
  • 15:30H - 16:30H - SSRF (Port scanning, exfiltration)
  • 16:30H - 17:30H - Remote Code Execution

Day 2

  • 9H - Bug Bounty Success
  • 10H - Burp Proxy History / Configurations
  • 11H - Burp Repeater / Intruder
  • 12H - Lunch
  • 13H - Extender/Scanner/Collaborator
  • 14H - Finding Content - Sublist3r, Dirbuster, Nmap, Gitrob, Bucket Finder, HTTPScreenshot
  • 15H - Finding content continued
  • 16H - Digging deeper: Mobile Apps, APIs, 2FA, AWS, etc.

Class Requirement

  • Free version of Burp Suite installed
  • Laptop


Anyone who wishes to be part of this training should meet the following prerequisites:

  • Basic understanding of how the internet works (suggested reading meets that)
  • High degree of curiosity, willingness to learn and perseverance
  • Bonus to anyone with a technical background, eg., programming, networking, pentesting, etc.



Jobert Abma is a co-founder of the #1 bug bounty and vulnerability disclosure platform HackerOne. He is an accomplished ethical hacker with thanks from Yahoo, GitLab, Slack, Zendesk and many more. He’s currently ranked 61st on HackerOne.


Peter Yaworski is an application security engineer with Shopify and the author of Web Hacking 101. He’s been thanked by companies like Twitter, HackerOne, Starbucks, the Department of Defense and many more. He’s currently ranked 43rd on HackerOne.