KPMG Cyber Security Training: Web Application Security Masterclass

Learn how to spot weaknesses in Web Applications



The course is easy to follow and suitable for individuals with some experience in IT systems development, maintenance and administration.

This includes (but is not limited to) web application developers and maintainers, information security specialists, managers and testers, IS administrators, architects, web server administrators and hosting services providers.

* In-house trainings available upon request.


  • Web Application Security Masterclass by KPMG provides an insight into the mind of a pen-tester. Learn how to break your system so you can make it more secure. KPMG cyber security experts will showcase lessons learned from private and public sector organizations.
  • The course focuses on client-side and server-side attacks, combining both theory and practical hands-on exercises. Participants will learn how to discover common WebApp vulnerabilities (e.g. XSS, SQLi, DoS, DDoS, memory corruption, buffer overflow, CSRF, data breach), how to exploit them and how to defend against them.
  • Case studies, motivation and mindset, attack vectors, countermeasures, best practices, tools and methods will be discussed. Materials will be provided.
  • Upon finishing the course, a signed certificate of completion by KPMG will be granted to participants. Participants are required to use their own (VPN enabled) laptop during the course.

Duration: 4 days

Group size: max 15 participants

Date: 24.11-27.11.2020

Price: 1299 EUR + VAT, register before 22.10 to receive an early bird price of 999 EUR + VAT

Location: KPMG Estonia training facility (Narva mnt 5, Tallinn)

* Instructions (room, floor, parking etc.) provided after registration.

* In case of coronavirus-related restrictions, an online/hybrid course or alternative dates will be provided.



Day 1

Client-Side attacks day 1.

  • Information gathering and configuration review
  • HTTP vs HTTPS and communication manipulation
  • Client-side injection attacks: XSS, HTML injection and JavaScript injection

Day 2

Client-Side attacks day 2.

  • Client-side manipulation attacks: URL and cookie manipulation.
  • Session handling attacks: session hijacking, session fixation, CSRF.
  • Addons, plugins, extensions and 3rd party content.
  • Combining attacks.

Day 3

Server-Side attacks day 1.

  • Authentication and authorization attacks.
  • Business logic manipulation.
  • Google hacking.
  • Underlying infrastructure configuration review.

Day 4

Server-Side attacks day 2.

  • Injection attacks: Command injection, XXE, SQL injection.
  • File handling, inclusion and upload attacks.

* Snacks, lunch and refreshments will be provided.

Registration link HERE

More information: Marek Mühlberg,
