Building and Breaking:

Web Applications

The AkimboCore team regularly run hands-on security and penetration testing courses across the UK. With labs to allow you to get practical experience breaking security systems, before teaching you how to build the systems in a more resilient way.

Learn how to compromise web applications and APIs with penetration testing techniques; with hands-on labs covering:

Want to know what we cover? Here's the detail:

Want to book a place?

Whether you're looking for a spot just for you, or a course delivered for your whole team, you can get in touch below!

Web Application Security Training Content

Our web application security course covers a lot, here's a list of some of the things we cover:

Web Vulnerabilities

Finding, fixing, and exploiting web application vulnerabilities. We investigate the entire OWASP Top 10, with hands-on labs covering:


Leveraging SQL Injection and Command Injection vulnerabilities – to extract confidential data, compromise database, and compromise web servers directly.

The hands-on lab covers using dynamic analysis to find injection vulnerabilities as well as manual exploitation techniques – including using blind exploitation to prove and exploit difficult vulnerabilities.

Cross-site Scripting

Leveraging Cross-site Scripting (XSS) attacker to perform virtual defacement, extract confidential information, and perform privilege escalation attacks.

The hands-on lab covers using cross-site scripting to extract confidential data, with examples taken from real-world attacks impacting major organisations – plus a few defacements just for fun.

Abusing File Upload

Uploading malicious files to gain command execution on vulnerable web servers, allowing for confidential data theft as well pivoting into DMZ and internal corporate networks.

The lab includes gaining command execution as well as steps to perform privilege escalation.

Broken Authentication and Access Control

We cover a range of authentication and access control vulnerabilities; including brute-forcing web application, insecure direct object reference, and missing functional level access control.

We explore how to test for authentication and access control issues, as well as how to determine the real-world risk of these issues.


It’s not all having fun and hacking; during each section we cover real-world guidance on mitigating the risk of each attack. The course is offensively-led but with the intention of leaving teams more able to secure their system effectively in the future.

Our training courses include instructor led hands-on labs, as well as vulnerability challenges.

Application Mapping

Methods of determining the full attack surface for a system.

Intelligence Gathering

Open Source Intelligence Gathering (OSINT) – Mapping out target organisations and applications to enable efficient, stealthy exploitation of systems – and how to improve privacy and organisational operational security.

Spidering and Forced Browsing

Using automation tools to find application functionality, to allow for efficient attack surface mapping, vulnerability and analysis, and exploitation.

Filter Evasion

Many systems rely on input filtration or are protected by web application firewalls (WAF). We investigate how secure these options really are, and how many of them can be bypassed through crafted payloads.

Application Hardening

Methods of reducing the attack surface for applications or steps which make exploitation more difficult.


A investigation the real-world risk of transport layer security (TLS) issues; Looking at issues in protocols such as TLSv1.1 and attacks such as RC4 no more and Logjam to allow a risk-based approach to cryptographic configuration.

Security Headers

A summary of hardening options allowed through security headers, such as the benefits of strict transport security (HSTS) and the difficulty with deploying a secure content security policy (CSP).

Want to share information about this course with someone?