Presented at DEF CON 33 (2025), Aug. 8, 2025, 9 a.m. (240 minutes).
WWED is designed for students to gain experience exploiting real-world web applications and take their assessment skills to the next level. Students will learn advanced vulnerability discovery techniques to identify and exploit vulnerabilities in real-world web applications. They will get hands-on experience using free and widely available Linux utilities to observe application behavior in order to discover and exploit application vulnerabilities more effectively. Using a whitebox approach, students will rapidly discover and exploit non-trivial bugs, without requiring expensive commercial tools or the guesswork that comes with blackbox testing.
Students will be provided virtual machines of commercially available software applications, which will be used for this heavily lab-focused course. At the conclusion of the class, each student will have developed a fully functional remote root PoC. This course targets a wide range of skill levels and will leverage a hints system to help students who may fall behind, incrementally releasing solutions through each exercise.
Presenters:
- Priyanka Joshi
Priyanka sustained her academic voyage using curiosity as her paddles before landing her first job as a software security engineer in an ancient company. For three years thereafter, she focused on research, development and security testing of OAuth2.0 and OpenID implementations. This experience led to her discovery of her passion in the identity space. In her current appsec engineer adventure at Amazon, she enjoys working on secure design assessments, bug bounty triage and fix validation, consults and security testing of web services. In her leisure, she enjoys hiking, lazy gymming, sketching, singing, watching anime and reading manga.
- Cale "calebot" Smith
Cale Smith is a nerd who loves both building and breaking, so he can get better at building. He is passionate about understanding how anything and everything works; improving security along the way is just a bonus. He is also passionate about sharing his passion and created this course to pass along some of the more accessible techniques he has picked up. His professional career began exclusively as a builder, but he has focused on the security and breaking side for the last 15 years. During that time he has dabbled in the web weenie life, cloud, binary, IoT and mobile most recently. Currently he manages a device-oriented AppSec team at Amazon. While AFK he is probably riding a bike or climbing rocks.
- Luke Cycon
Security engineer by day, barbecue hacker by night—celebrating each fixed bug with a bit too much somaek. Off the clock, you'll find him tinkering with hardware or firing lasers at something.
- Young Seuk Kim
Husband, father, hacker, gamer.
Young’s path into security started like a good game exploit—he wanted to win, bent the rules, and discovered a passion for hacking. He began as a web app security consultant, moved into penetration testing and red teaming, and now works in application security engineering, helping teams build secure systems (and still breaking things for fun). He also dives into all kinds of games and stories, especially fantasy with Eastern martial arts, and loves dissecting media with the same curiosity he brings to code.