As a security specialist, you’re always trying to expand your knowledge on how to identify security vulnerabilities and understand the real risk that these vulnerabilities pose by exploiting them.

We’re here to help you with that through our ASVS Level 2 Training.

What is ASVS Level 2?

An application achieves ASVS Level 2 (or Application Security Verification Standard Level 2) if it adequately defends against most of the risks associated with software today.

Level 2 is typically appropriate for applications that contain sensitive data, such as those that handle significant B2B transactions, process healthcare information, or implement business-critical or sensitive functions.

Our “ASVS Level 2” Training is a specialist 4-day web hacking course, designed for experienced penetration testers, developers and security professionals who need to expand their knowledge on hacking web applications.

What you will learn:

  • You will be led through a range of state-of-the-art hacking tools and techniques that will enable you to conduct a complete web application security assessment.
  • Once able to identify and exploit vulnerabilities, you will learn a range of defensive countermeasures, which will allow you to develop applications that are more resistant to attacks and provide better protection for data assets.

What we require of you:

If you want to attend this course, it is highly recommended that you have knowledge of networking and practical experience of modern web application technologies (e.g. HTML, JavaScript, PHP, ASP, MSSQL, MySQL). Experience with modern hacking trends, tools and technologies would also be an advantage.

Attend this course if:

You have been working in an application testing or development environment for some time and you have hands-on experience with web application security administration and testing.

This course is especially useful for:

  • Penetration testers
  • Application developers
  • Security professionals

Syllabus

  • HTTP protocol
  • Authentication
  • Authorisation
  • Cookies
  • Types of authentication
  • Clear text HTTP protocol
  • Advanced username enumeration/brute force issues
  • Security through obscurity
  • Session management issues
  • Weak ACLs
  • Cookie analysis
  • Attacks on SSL
  • TLS renegotiation
  • MD5 collisions
  • Insecure design
  • Echo Mirage, MiTM, replaying traffic etc.
  • IIS/Apache/OpenSSL exploitation
  • Oracle application server exploits (bypass exclusion list etc.)
  • Insecure HTTP methods
  • WebDAV issues
  • Types of XSS
  • Identifying XSS
  • Exploiting XSS
  • Secure cookie, HTTP-only
  • Advanced XSS exploitation
  • Pitfalls in defending XSS
  • Fixing XSS
  • Identifying/exploiting CSRF
  • Complicated CSRF with POST requests
  • CSRF in web services
  • Impact
  • Fixing CSRF
  • Introduction to SQL injection
  • Impact: Authentication bypass
  • Impact: Extracting data (Blind SQL Injection, UNION injection, OOB channels)
  • OS code execution (MS-SQL, MySQL)
  • SQL injection within stored procedures, parameterised statements
  • Places where you never thought SQLI could occur
  • Pitfalls in defending SQL injections
  • Fixing SQL Injections
  • Cookie fixation
  • Faulty log-out functionalities
  • Proxy poisoning
  • XSS with CRLF injection
  • Impact of clickjacking and proof of concept
  • File uploads
  • IIS zero-day
  • Hacking unprotected application servers
  • Authentication bypass
  • Insecure coding
  • Other logical flaws
  • File inclusion
  • OS code execution

Interested in any of our courses?

Leave us your name and email through the contact page, and we’ll notify you as soon as we set a date for the following session.