Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access - Dawid Czagan - DCTLV2026 **Saturday-Sunday Course**

Name of Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Trainer(s): Dawid Czagan
Dates: August 8-9, 2026 **Saturday-Sunday Training**
Time: 8:00 am to 5:00 pm 
Venue: Las Vegas Convention Center
Cost: $2,750 (USD)

**Please note: This two-day training will be offered on Saturday and Sunday (August 8-9). Participants will receive a DEF CON Human Badge with their registration**

Short Summary:

Master full-stack pentesting to identify, exploit, and understand vulnerabilities across today’s complex IT systems—100% hands-on. Apply offensive techniques in enterprise or red-team operations, recommend defensive mitigations, and take home a complete lab environment for continued practice.

Course Description:

### Overview ###

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting (including red team techniques) is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I'll share my experience with you.

### Key Learning Objectives ###

After completing this training, you will have learned about:

-    Hacking cloud applications
-    API hacking tips & tricks
-    Data exfiltration techniques
-    OSINT asset discovery tools
-    Tricky user impersonation
-    Bypassing protection mechanisms
-    CLI hacking scripts
-    Interesting XSS attacks
-    Server-side template injection
-    Hacking with Google & GitHub search engines
-    Automated SQL injection detection and exploitation
-    File read & file upload attacks
-    Password cracking in a smart way
-    Hacking Git repos
-    XML attacks
-    NoSQL injection
-    HTTP parameter pollution
-    Web cache deception attack
-    Hacking with wrappers
-    Finding metadata with sensitive information
-    Hijacking NTLM hashes
-    Automated detection of JavaScript libraries with known vulnerabilities
-    Extracting passwords
-    Hacking Electron applications
-    Establishing reverse shell connections
-    RCE attacks
-    XSS polyglot
-    and more …

### What Students Say About My Training Courses ###

Recommendations are available on my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector, ...

Course Outline:

### Day 1 ###

1) Hacking cloud applications 
-    Amazon S3: directory listing via AWS CLI tool
-    Amazon S3: bruteforcing buckets
-    Amazon S3: bruteforcing objects in a given bucket
-    Amazon EC2: reading the SecretAccessKey (3 techniques)
-    Bypassing Cloudflare firewall

2) API hacking tips & tricks 
-    API hacking with X-HTTP-Method-Override
-    API hacking with JSON enforcement (in request)
-    API hacking with JSON enforcement (in response)

3) OSINT asset discovery tools 
-    Subdomain enumeration with dnscan and amass
-    Subdomain enumeration with Certificate Transparency log
-    Domain enumeration with NerdyData search engine

4) Hacking with special characters 
-    Visual impersonation with Unicode control characters
-    XSS via response splitting

5) XML attacks 
-    XML External Entity attack (XXE)
-    XML XInclude attack

6) Server-side template injection (SSTI) 
-    RCE via template injection in PHP Smarty
-    RCE via template injection in Python Jinja
-    RCE via template injection in Java FreeMarker

7) Hacking git repos 
-    gitleaks (finding sensitive data based on regular expressions)
-    trufflehog (finding sensitive data based on entropy checking)

8) Google hacking techniques 
-    finding directory listings
-    finding SQL syntax errors
-    finding URLs with API keys

9) Automated SQL injection detection and exploitation 
-    sqlmap: full test case coverage, dumping database table entries
-    sqlmap: installing a backdoor (from SQL injection to remote code execution)

10) File read attacks 
-    Alternate Data Streams notation
-    8dot3 notation
-    Windows NTFS

11) Operational toolkit 
-    Retire.js: finding JavaScript libraries with known vulnerabilities
-    Extracting passwords with LaZagne
-    NTLM hash hijacking with Responder

### Day 2 ###

1) Data exfiltration tools and techniques
-    DNS exfiltration using dnscat2
-    ICMP exfiltration using Data Exfiltration Toolkit
-    image-based steganography exfiltration using LSBSteg

2) GitHub hacking techniques 
-    web config files
-    database config files
-    private keys

3) Smart password cracking with hashcat 
-    cracking NTLM password
-    cracking password-protected PDF document
-    benchmarking

4) File upload attacks 
-    via .htaccess
-    via SVG file
-    via AddHandler

5) CLI hacking scripts 
-    using waybackurls
-    using photon

6) Hacking with wrappers
-    RCE with data: wrapper
-    RCE with zip: wrapper

7) NoSQL injection detection and exploitation
-    Elasticsearch
-    MongoDB

8) Modern full-stack web attacks 
-    HTTP parameter pollution
-    Web cache deception attack

9) Hacking Electron applications 
-    Electron attack surface
-    from XSS to RCE
-    from insecure framing to RCE

10) Additional techniques 
-    Finding metadata with exiftool
-    Reverse shell connection with ShellPop
-    XSS polyglot

11) Q&A session 

12) Certificate of proficiency exam

Difficulty Level:

Intermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

Suggested Prerequisites:

To get the most of this training intermediate knowledge of pentesting and web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

What Students Should Bring:

Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

What the Trainer Will Provide:

Students will be handed in a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

### Special Bonus ###

The ticket price includes free access to my 6 video courses:

-    Fuzzing with Burp Suite Intruder
-    Exploiting Race Conditions with OWASP ZAP
-    Case Studies of Award-Winning XSS Attacks: Part 1
-    Case Studies of Award-Winning XSS Attacks: Part 2
-    How Hackers Find SQL Injections in Minutes with Sqlmap
-    Web Application Security Testing with Google Hacking

Trainer(s) Bio:

Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs at Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his offensive security experience through his hands-on training courses. He has delivered training sessions at key industry conferences such as DEF CON (Las Vegas), OWASP Global AppSec EU (Barcelona), Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), HITB+CyberWeek (Abu Dhabi) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (recommendations are available on Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions).

Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan), YouTube (https://www.youtube.com/channel/UCG-sIlaM1xXmetFtEfqtOqg), and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).

Proficiency Exam Option:

This course has the option for a proficiency certificate add-on. 

After completing the course, students may take a real-world, scenario-based exam that assesses practical skills. The exam is materials-permitted—students may use all course materials and notes. A minimum score of 65% is required to pass. Each student will receive feedback on their performance.

Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.

Registration Terms and Conditions: 

Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after August 5, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.