ZDResearch Advanced Web Hacking


This course is tailored for all security researchers, penetration testers and web designers who like to receive in-depth knowledge of web application security from a hacker’s perspective.

This is the flagship web application security course provided by ZDResearch Training. In this course you will go through a multitude of web application security topics, all accompanied by demos and hands-on labs. Topics will cover traditional OWASP Top 10 issues as well as several other cutting-edge topics, such as HTML5 attacks, Source Code Auditing and Analysis, CAPTCHA bypass and many more.

Advanced Web Hacking course is the product of 10+ years of web application vulnerability research performed by ZDResearch hunters. Not only it will go through some of the typical methods and techniques used to attack and exploit (as well as defend) web applications, it will teach you the delicate tricks of the trade in the process. For example, you will learn how to fully exploit a system that only allows SQL injection into the LIMIT BY clause, or how to bypass taint based web application firewalls.


This course requires basic programming skills, familiarity with HTTP, HTML, CSS, Javascript, at least one server side scripting language besides Javascript (e.g., PHP), as well as a high-speed Internet.


The graduates of this course will be able to pwn 70%+ of the web applications on the Internet, and should be fully qualified to find bug bounties in popular web applications such as Facebook and Gmail. They would also be able to perform advanced web application security analysis, testing and auditing.

 Course Material

  • Several Hours of Lectures
  • Full Slides
  • Hands-on Tutorials
  • Cloud-Powered Labs
  • Customized Assignments
  • Staff Responding to Every Question
  • Lifetime Access


 Preview Material

Use the buttons below to preview some of the course content:


This is our flagship course, and the price is $1999.99 for the entire package.


Upon successful completion of this course, you will receive a completion certificate from Exdemy. You will also be eligible to take ZDResearch Advanced Web Hacker exam, which is based on this course, and receive the ZDResearch Advanced Web Hacker (ZAWH) physical certificate.

 What You Should Bring

Students are required to have a personal computer and a fast enough Internet connection to download materials and access videos. They also need to spend enough time on the course and its labs and assignments. This course has about 1000 minutes of content. Familiarity with Web programming is strongly recommended, as it will help you setup the labs locally and modify the code as needed. A Full HD display is also strongly recommended, as the video content is Full HD and a lower resolution screen will downscale the content, making it harder to see the full details.

 Target Audience

  • Web Application Penetration Testers
  • Security Researchers
  • Code Auditors
  • Bug Bounty Hunters
  • Web App Auditors

 By enrolling you are agreeing to the terms of service.

Buy Now On Exdemy

 What Is Covered?


  • Advanced SQL Injection: From writing custom Double-Blind injection scripts to Second Order injections and Order-By injection clauses resulting in full system takeover, Advanced SQL Injection will cover all the necessary skills for mastering SQLI.
  • Command Injection: With command injection, students will be involved in creating Reverse Shells and Bind Shells which are able to bypass both filetype and filename filters. For completeness, in the ZDResearch Advanced Web Hacking Course other command injection methods are covered as well.
  • Code Injection: Going beyond the typical eval injection, code injection in “Advanced Web Hacking” covers file inclusions (LFI/RFI) and regular expression injections in addition to other types of code injection attacks.
  • Object Injection/Deserialization: An attack that is extremely popular these days is thoroughly and painstakingly detailed for the students particularly with respect to various Java applications.
  • XML XXE/XPath Injections: In this topic, the ZDResearch Advanced Web Hacking course covers injections related to the XML technology. This includes DOM and SAP parsers and XPath/XXE injections.
  • Reflective/Persistent/DOM XSS: With this skill, students will master all types of XSS. This allows students to have the skills necessary to bypass XSS blacklists and filters. An entirely new universe of different exploits applicable to XSS attacks will be covered as well.
  • CSRF: Here, students will forge requests to create new administrator accounts, gain complete access to the system, and bypass CSRF tokens in addition to other CSRF exploitation techniques.
  • HTML5 Attacks: This topic will encourage students to master HTML5-specific attacks from Video/Audio, CORS, CWM, WebSockets, Canvas/SVG, CSP, and Drag & Drop attacks.
  • Session Management Attacks: This topic will introduce students to session management and it’s potential vulnerabilities. This will allow students to accurately understand how attackers may manipulate sessions via session hijacking, session fixation, randomization attacks, etc.
  • Web Service Attacks: This skill provides students with the opportunity to master web service technologies including: REST, SOAP, WSDL, JWT, SAX, SSRF, etc. They will understand how each may be exploited to bypass access control, inject code and leak information which, taken together, results in an application being broken into.
  • Authentication & Authorization: Here, student learning will consist of modern authentication and authorization technologies such as RBAC, oAuth, etc. The topic covers what possible vulnerabilities exist in each of the respective technologies mentioned above. Students will then acquire the skills necessary to exploit these vulnerabilities, bypass CAPTCHAs, gain unauthorized access to systems, and escalate their privileges to root access.
  • Code Auditing: This will provide students the opportunity to understand how code auditing works, how static and dynamic code analysis technologies operate, what SMT and SAT solvers are, what their possible limitations are, how they can be bypassed, and how they can be used to discover new zeroday vulnerabilities within the context of web applications.
  • Other Attacks: Here, students will learn about bypassing WAFs. Attacks such as Open Redirect attacks, Denial of Service attacks, HTTP manipulation attacks, and human API attacks will also be covered in-depth in this chapter.