The most advanced course on Java hacking available today

Get FULL ACCESS to our online training course

Hacking Java Web and Client Apps

Developing your skills in Java security means that you are able to find vulnerabilities in all kinds of Java applications. Whether that's for the purpose of penetration testing, hunting for bug bounties, or defending your company infrastructure against Java related attacks.

Start your journey to become a Java hacking expert today.

Java - A universal language

Java is the number one programming language by number of projects and lines of code, and it has been occupying this position for decades.

Still, there isn't a single course fully dedicated to security issues specifically affecting Java.

Until now.

This course has been taught
at Black Hat USA 2019

What you’ll learn

We will take time for both practical exploitation and theoretical understanding of the each presented exploit. Root cause analysis and code review sessions are mixed with explanation of possible detection and bypass techniques.

Exploitation of Java deserialization vulnerabilities

Expression Language Injection

How to find security bugs in Java code

"Overall, an outstanding course. I liked the depth of the subjects. The lab exercises helped with understanding some of the more dense theory. I highly recommend it."

- Black Hat student (anonymous)

Questions on Hacking Java Web and Client Apps?

No problem! We will answer any questions you might have within 24 hours.

Name

Question

Please fill all the required * fields.

Course syllabus

Java Essentials
Serialization and deserialization
Deserialization under the hood
Building gadget chains
Finding trampolines
RCE via deserialization attacks

Expression Language basics
RCE via Expression Language
Understanding Java stack traces
Apache MyFaces exploitation
Decrypting viewstates
RichFaces and JSF

Java Debug Wire Protocol
RCE with JDWP
JMX/RMI basics
Exploitation of JMX/RMI services
Bypassing authentication mechanisms
Much more..

BONUS: Dissection of the Commons Collections gadget chain exploit

Did you ever wonder how a ysoserial payload works under the hood?

We recently added a bonus section in which we go step-by-step through the code of the payload for Apache Commons Collections.

In an elaborate demo video, we explain in detail how each part of the chain works together to eventually cause an RCE condition.

Student requirements

While prior Java programming experience is not a strict requirement, familiarity with main concepts of object oriented programming (OOP) will be greatly beneficial.
For the less advanced students it is worth noting that the course itself will cover the basics and theory behind each presented technique and attack, before the practical part is covered.

Your instructors

Meet our most experienced security professionals

Marco Ortisi has been working in the cybersecurity field for 20+ years. He has a wide experience as penetration tester and Red Team leader, as well as with teaching security courses. He attended both as speaker and as trainer at many international conferences and events such as Blackhat Las Vegas, BruCON, Confidence, Hackinbo, etc...

Stefan Broeder works as senior penetration tester in the financial industry. His main focus is on in-depth code review of web applications and research on Java vulnerabilities. He holds a M.Sc. degree in Computer Science and has several certifications such as OSCP, GXPN, GCED, GWEB, GFOR and RHCSA.

DEMO VERSION

of
Hacking Java Web and Client Apps

FREE

3 lessons

FULL ACCESS

to
Hacking Java Web and Client Apps

€599

25 lessons

15 lab exercises

Quizzes at the end of each
module to test your knowledge

E-Book 'Java Deserialization Bible'

BONUS module:
Apache Commons Collections
payload analysis

Lifetime access

FREE course updates

Premium support