WS-1 | WORKSHOP

Xtreme Web Hacking Express

by Riyaz Walikar and Akash Mahajan

WORKSHOP ABSTRACT

Xtreme Web Hacking Express is a one-day intensive web hacking workshop. The workshop will be conducted in the style of Capture The Flag (CTF) challenges, where the participants will need to accomplish certain objectives in a limited amount of time. This gives participants an opportunity to practice for real world penetration tests by accomplishing pre-defined objectives in a time bound scenario.

While there is clear merit in covering the underlying concepts, sometimes we just need to see the hack succeed. So this training will cover only what is required to get to our objectives.

COURSE CONTENT

The course contains multiple challenges spread across levels of increasing difficulty. Each level provides access to the next. Although the levels themselves cannot be described here (that takes away all the fun ☺), at a bare minimum the following techniques will be covered during the course of the CTF.

  • Blind SQL Injection vulnerabilities
  • Brute forcing web applications
  • SSRF/XSPA attacks
  • Serialization bugs
  • Insecure Direct Object Reference
  • Remote File Inclusion vulnerabilities
  • Filter bypasses for XSS vulnerabilities
  • Web Application shells
  • Pivoting to access unreachable applications
  • Exploit chaining to get system access

SKILL AND KNOWLEDGE REQUIRED

  • You should be a web application penetration tester, as this is not a beginner level course at all
  • Familiarity with the command line on Windows and Linux
  • Knowledge of JavaScript and at least one scripting language such as Python, PHP or Ruby

DURATION

1 day

WHAT TO EXPECT

  • Hands-on practice with web application hacking techniques and tools.
  • Learning through a combination of real-world scenarios and simulated attacks, guided by the trainers.
  • Writing simple scripts to automate your attacks against applications.

WHAT NOT TO EXPECT

  • A lot of hand holding about basic concepts already mentioned in the things you should be familiar with.
  • A lot of theory. This is meant to be a completely hands-on training!
  • To become an accomplished hacker in a day.

SPEAKERS

Riyaz Walikar

Web Application Pentester

Riyaz Walikar is a Web Application Pentester, Security evangelist and researcher. He has been active in the security community for the better part of the last 10 years. He has been actively involved with the Bangalore OWASP and null chapter for the last 7 years and is one of the OWASP and null Bangalore chapter leads.

He is actively involved in vulnerability research in popular web applications and network-aware services and has disclosed several security issues in popular software such as Apache Archiva, Openfire, Joomla! and EJabberd, as well as a .NET Script Injection bypass. He has also found vulnerabilities in popular web applications including Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee, Yahoo, Adobe, Tumblr and Pinterest, and is on the Hall of Fame for most of these services. He has been a speaker and trainer at several security conferences, including OWASP AppsecUSA 2012, BlackHat Abu Dhabi 2012, BlackHat Las Vegas 2015, BlackHat EU 2015, nullcon 2012, 2013, 2014, 2015, 2016 and 2017, DefCon Las Vegas 2016 and c0c0n 2011, 2013, 2015 and 2016.

His technical interests lie with programming, bug bounty, malware analysis, breaking web applications, playing CTFs, researching devices that fall under the Internet of Things category and penetration testing networks exposed to the Internet. When he is not writing/breaking code, you can find him dabbling in photography, stargazing, playing football, reading or fishing.

Some of the trainings/workshops by Riyaz Walikar include

  • Xtreme Web Hacking at NULLCON Goa 2012, 2013, 2014, 2015, 2016
  • Cloud Security for Devs & Ops – NULLCON 2017
  • Ninja Level Infrastructure Monitoring – DefCon 2016
  • Xtreme Web Hacking (CTF Style) – c0c0n 2015, 2016

Some of the talks given by Riyaz Walikar include

  • Poking Servers with Facebook – AppsecUSA 2012, BlackHat Abu Dhabi 2012, c0c0n 2013
  • A Pentester's Methodology to Discover and Exploit Windows Privilege Escalation flaws – c0c0n 2015, nullcon 2016
  • Esoteric XSS Payloads – c0c0n 2016
  • The Whys and Hows of Cyber Attacks – SAP Security Summit 2016

Akash Mahajan

Security Professional

An accomplished security professional with over a decade's experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world. He has deep experience of working with clients to provide innovative security insight that truly reflects the commercial and operational needs of the organization, from strategic advice to testing and analysis to incident response and recovery. He is an active participant in the international security community and a conference speaker, both individually and as chapter lead of the Bangalore chapter of OWASP, the global organization responsible for defining the standards for web application security, and as a co-founder of NULL, India's largest open security community. Akash runs Appsecco, a company focused on application security.

Some of the trainings/workshops by Akash include

  • Secure Code Review 3-day training at PWC Bangalore 2016
  • Web Hacking for Penetration Testers at NULLCON Goa 2016
  • Using ZAP for Automating Security Testing half day workshop at OPEN SOURCE SUMMIT Bangalore Feb 2016
  • Security Testing in the AWS Cloud 2-day training at PHILLIPS Bangalore
  • Secure Web Programming 3-day training at FREECHARGE Bangalore 2015
  • Web Security Testing 3-day training at STPI Bangalore

Some of the talks given by Akash include

  • App Sec in the time of Docker Containers at c0c0n 2016 Police Conference
  • How Attackers Hack at THOUGHTWORKS 2016, SAP INDIA 2015 & PHILIPS INNOVATION CAMPUS 2015
  • Building and Operating Secure Applications in The Cloud (Web and Mobile) at UNICOM ETHICAL HACKING SUMMIT 2015, MICROSOFT ACCELERATOR 2015 & ISACA DUBAI 2015
  • Security in The Cloud at HSTC2014, 2014