Training

Whitebox web vulnerability research (Java/PHP)

Objectives

This training is intended for people with a technical background who want to improve their whitebox vulnerability research skills on Java and PHP applications. Through multiple practical cases, it presents the various vulnerability research methods and the tools used to apply them. These step-by-step exercises let trainees discover the methodology that helps find critical vulnerabilities in web application source code. Because each framework brings its own specifics, and sometimes its own vulnerabilities, we pay special attention to the main ones.

 

5 days / 16 theoretical hours / 19 practical hours

 

The training can also be adjusted to fit in 2 days (PHP) or 3 days (Java), depending on the chosen language-specific modules.

Content

  • Introduction

    • Order the analysis

    • Choosing a suitable methodology

    • Static vs Dynamic analysis

    • Build an analysis environment

 

  • Java basics

    • Application structure

    • Navigate through an application

    • Common vulnerabilities

       

  • Java frameworks

    • Frameworks identification

    • Spring

    • Struts2

    • Hibernate

    • Other frameworks and vulnerabilities

 

  • Java instrumentation

    • Byteman

    • AspectJ

    • Hooking JDWP

 

  • Java decompilation

 

  • PHP basics

    • Review of traditional PHP vulnerabilities

 

  • PHP frameworks

    • Zend

    • Symfony

    • Laravel

 

  • PHP unserialize

    • Searching and building a "popchain"

 

  • Analyze obfuscated or encrypted PHP applications