Full Stack Web Attack (Java and C# Edition)
Steven Seeley


6th-9th of May 2024






Full Stack Web Attack is not an entry-level course. It’s designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research.

Full chain exploit development is taught in class

This course is developed for web penetration testers, bug hunters and developers that want to make a switch to server-side web security research or see how serious adversaries will attack their web based code.

Students are expected to know how to use Burp Suite and have a basic understanding of common web attacks as well as perform basic scripting using common languages such as python, PHP and JavaScript.

Each of the vulnerabilities presented have either been mirrored from real zero-day or are n-day bugs that have been discovered by the author with a focus on not just exploitation, but also on the discovery.

So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution then this is the course for you.

Leave your OWASP Top Ten and CSP bypasses at the door.


The student should bring with them:

  • An open mind that is ready to focus - level: (10/10)
  • Moderate or advanced skills scripting skills - level: (7/10)
  • Some exposure to container based technologies and unix operating systems - level: (5/10)
  • A strong understanding of various web technologies such as http(s), client/reverse proxies and browsers (not including internals) - level: (10/10)
  • A foundational understanding of common web vulnerabilities - level: (5/10)

The student will also need:

  • A x64 host operating system
  • 16 Gig RAM minimum
  • Virtualization software (VMWare Workstation or Fusion preferred)
  • 100 Gig of available hard disk space

Additionally, before signing up for this course students should complete the challenge to self assess if this course is right for them.

Course Outline

Day 1


    • Java Language Fundamentals
    • Debugging Java Applications

Framework Overview

    • Spring MVC
    • Struts v1/2

Java Deserialization Primer

    • Serializable vs Externalizable
    • Unmarshalling vs Deserialization
    • Reflection in theory and practice
    • Pivot gadgets

JNDI Injection

    • RMI and JRMP overview
    • Remote class loading
    • Exception Handling Deserialization
    • Local Object Factory exploitation

Analyzing the Struts Framework

    • Action Mappings
    • Dynamic Method Invocation
    • Interceptor Stacks
    • Case studies:
      • Do I even exist? - Analyzing an edge-case RCE vulnerability
      • Devil in the details - Analyzing a TOCTOU framework vulnerability

Day 2

JDBC Injection

    • Common drivers and their exploitation primitives
    • Exploiting the MySQL Driver via Deserialization
    • Discovering your own driver primitives

Authentication Bypasses

    • Auditing Servlet Filters
    • Auditing Interceptors
    • Common authentication bypass patterns

Java deserialization for Security Researchers

    • Building upon Ysoserial
    • Custom gadget chain creation
    • Chaining vulnerabilities
    • Server-side template injection*
    • Analyzing and exploiting CVE-2022-XXXXX

Java Bean Validation - Attacking Custom Validators

    • Analyzing and exploiting CVE-2022-XXXXX

Day 3


    • C# Language Fundamentals
    • Debugging C# Applications

Architecture and Framework Overview

    • Internet Information Services
    • Application Pools
    • ASP.NET


    • Disabling CLR optimizations
    • Debugging with DNSpy
    • Program Database Symbols
    • Debugging with Visual Studio/dotPeek

Developing C# Applications in Visual Studio

    • Reusing application code
    • Compiling Release and Debug builds
    • Navigating code
    • Common project options

Day 4

C# .NET Deserialization Primer

    • Unmarshalling VS Deserialization
    • Understanding Ysoserial.net
    • System.Runtime.Serialization.iFormatter Exploitation
    • JavascriptSerializer
    • Json.Net
    • Json.Net Custom TypeConverters
    • ISerializationBinder

Analysis of CVE-2023-XXXXX Remote Code Execution

    • Discovering the Vulnerability
    • Exploitation

Analysis of CVE-2023-XXXXX Elevation of Privilege

    • Discovering the Vulnerability
    • Exploitation

Analysis of CVE-2023-XXXXX File Disclosure

    • Discovering the Vulnerability

Analysis of CVE-2023-XXXXX External Entity Injection

    • Discovering the Vulnerability


My name is Steven Seeley, but I am also known as mr_me. I’m an information security specialist and I’m back in Australia after having worked in north and central America for a decade. I have years of local and international experience in corporate and government penetration tests, source code audits and security research. I also teach a technical hacking class called Full Stack Web Attack where students learn to dive into source code and hunt language specific edge cases to detect high impact vulnerabilities and exploit them.

These days I spend less time on a computer and more time with loved ones and practicing hermeticism. 

Steven Seeley

Steven Seeley

Limited Seats - Remember to reserve your ticket!

register now