Skip to main content

Web Application Security Masterclass: “Hack Yourself First”

Scott Helme
On the web
On Twitter
Get a ticket

Workshop includes:
  • Working examples to take away
  • Interactive sessions
  • Workshop recordings
  • Dedicated Q&A time
  • Smashing Certificate

Workshop, 4×4h + Q&A • Thu & Fri, August 6–14
09:00 AM — 1:00 PM PDT (Pacific Daylight Time)

“Hack Yourself First” is all about building up defensive skills for software developers. We’ll explore common risks and attacks in the browser, SQL injection, XSS, CSRF, HTTPS, password cracking, Content Security Policy, Session Hijacking, Subresource Integrity, Brute Force Attacks and Automating Attacks. You’ll leave with practical techniques to better understand security and protect your apps.

It looks at security from the attacker’s perspective and takes you through the steps necessary to exploit vulnerable software on the web, so that you can experience hacking first hand.

You must complete specific goals that involve probing for risks and exploiting discrete vulnerabilities in an application. The workshop’s interactive nature means that multiple attack vectors are usually identified across the spectrum of participants, and each person contributes their unique perspective on how specific risks are exploited.

What You Will Learn:

  • Mechanics of specific security risks and defensive patterns.
  • How to tackle security risks in depth via multiple defences.
  • How to choose appropriate controls based on the specific risk of the feature.
  • How to argue about what makes sense in different circumstances.
  • How to assess the situation and prioritize sufficiently between security, usability, costs, and other things for best interests of the product being built.

This workshop helps those who attend have the right discussions about when and where to invest in security.

The Format

Each module of the workshop goes through a three stage cycle:


What the risk is, how exploits are executed and why it’s important to understand.


Attendees are set an objective where they must exploit the risk to achieve a goal.


Collectively discuss how the challenge was solved and what was learned.

Modules average out at about 45 to 50 minutes each and are divided down approximately equally between each of the three stages above. It always adapts to the classroom; some organisations have a greater need to focus on a specific area of security or drill deeper in one of the cycles so the workshop responds appropriately and becomes tailored to the audience.

It’s security, but it’s for developers

This workshop is platform agnostic; whether you’re working in ASP.NET, PHP, Node or anything else sending angle brackets over HTTP, the workshop modules are equally relevant. Where an organisation specialises in the Microsoft stack we have the option to go deeper and look at discrete defences within technologies such as ASP.NET and SQL Server.

Frequently, attendees find serious risks in their own applications during the course of the workshop. Sometimes, they find serious risks in other people’s which leads to firsthand exposure to the ethics of security.

Who Is This For?

This workshop is for software developers, security professionals, testers and technology management. There’s always a breadth of competency and experience so Scott will tailor the pace and depth accordingly. Often this means a combination of one-on-one time with some participants whilst setting stretch goals for others.

Ultimately, everyone gets the opportunity to be challenged whilst not being overwhelmed.

Register for this workshop →

About Scott Helme

Hacker, researcher, builder of things. Pluralsight author, BBC hacker in residence, award winning entrepreneur. He is the creator of and, free online tools to help sites deploy better security. His goal is to make the Web a safer place.

Time & Schedule

This masterclass takes place over four days in four hour sessions with time for questions and discussion about your work and how to apply what you’ve learned. Our virtual doors open at 8:45, we start at 9 AM PDT.

Please mark your calendars:

  • Thu, August 6, 09:00 – 1:00 PM PDT
  • Fri, August 7, 09:00 – 1:00 PM PDT
  • Thu, August 13, 09:00 – 1:00 PM PDT
  • Fri, August 14, 09:00 – 1:00 PM PDT

Day 1

8:45 AM PDT
Virtual doors open and registration.

9:00 AM – 9:30 AM

9:30 AM – 10:30 AM
Discovering Risks via the Browser

10:30 AM – 10:45 AM

10:45 AM – 11:15 AM
Using an HTTP proxy

11:15 AM – 12:10 PM

12:10 AM – 1:00 PM
Q&A with Scott on the day’s material. Networking!

Day 2

8:45 AM PDT
Virtual doors open and registration.

9:00 AM – 9:55 AM
SQL Injection

9:55 AM – 10:45 AM

10:45 AM – 11:00 AM

11:00 AM – 12:10 PM

12:10 PM – 12:40 PM
Framework Disclosure

12:40 PM – 1:00 PM
Q&A with Scott on the day’s material. Networking!

Day 3

8:45 AM PDT
Virtual doors open and registration.

9:00 AM – 10:00 AM
Password Cracking – 60 mins

10:00 AM – 10:30 AM
Account Enumeration

10:30 AM – 10:45 AM

10:45 AM – 11:20 AM

11:20 AM – 12:30 PM
Content Security Policy

12:30 PM – 1:00 PM
Q&A with Scott on the day’s material. Networking!

Day 4

8:45 AM PDT
Virtual doors open and registration.

9:00 AM – 9:35 AM
Session Hijacking

9:35 AM – 10:25 AM
Subresource Integrity

10:25 AM – 10:40 AM

10:40 AM – 11:10 AM
Brute Force Attacks

11:10 AM – 12:05 PM
Automating Attacks and Review

12:05 PM – 1:00 PM
Q&A with Scott on the day’s material. Networking!

Register for this workshop →