About BSidesCharm Conference

BSidesCharm is the Baltimore region’s premier grassroots cybersecurity conference, held annually in Towson, Maryland. The 2025 conference (April 12-13 at the Sheraton Baltimore North) brought together hundreds of security professionals, researchers, students, and enthusiasts for technical talks, hands-on workshops, CTF competitions, and career development sessions.

BSidesCharm embodies the Security BSides philosophy: creating an intimate, accessible environment prioritizing community and education over commercialization. The conference has a strong commitment to welcoming students and newcomers, offering free tickets to help the next generation of security professionals get started.

Training: Web Application Penetration Testing

Training Overview

This 3-hour hands-on training provided practical skills for identifying and exploiting common web vulnerabilities. Participants worked with real vulnerable applications, professional security tools, and practiced the complete workflow from reconnaissance to exploitation to reporting. Designed for security professionals, developers, and IT administrators—no prior penetration testing experience required.

Training Structure and Curriculum

Part 1: Introduction and Environment Setup

OWASP Top 10 overview, setting up a safe testing environment (DVWA, WebGoat), essential tools (Burp Suite, SQLMap, Nmap)

Part 2: Reconnaissance and Information Gathering

Passive and active reconnaissance, identifying attack surfaces, understanding application architecture

Part 3: Core Exploitation Techniques

Each vulnerability covered theory, live demo, and hands-on practice:

  • SQL Injection: Identifying injection points, extracting data, bypassing authentication, automated (SQLMap) and manual techniques

  • Cross-Site Scripting (XSS): Reflected/stored/DOM-based variants, crafting payloads, bypassing filters

  • Broken Authentication: Session hijacking, credential stuffing, brute force, MFA bypass methods

  • CSRF: Exploiting missing CSRF tokens, chaining with other vulnerabilities

  • Security Misconfigurations: Default credentials, directory listing, misconfigured CORS, cloud storage exposures

Part 4: Advanced Topics

Chaining vulnerabilities, privilege escalation, file upload exploits, API security testing basics

Hands-On Labs and Exercises

Participants worked through guided exercises using DVWA, OWASP WebGoat, and custom scenarios. Each exercise followed: reconnaissance → exploitation → post-exploitation → documentation.

Professional Reporting and Mitigation Strategies

Report Writing: Executive summaries, technical findings with PoCs, CVSS risk scoring, prioritized remediation, evidence collection

Defensive Strategies: Input validation, parameterized queries, secure session management, CSP headers, security testing integration (SAST/DAST)

Tools and Technologies Covered

  • Burp Suite: HTTP interception, automated scanning, fuzzing (Intruder), manual testing (Repeater)

  • SQLMap: Automated SQL injection, database fingerprinting, data extraction

  • Additional Tools: Nmap, browser dev tools, Nikto, OWASP ZAP

Key Takeaways for Participants

Practical exploitation skills, proficiency with industry-standard tools, structured testing methodology, professional reporting abilities, defensive security knowledge, and career development resources.

Always obtain written authorization, respect scope boundaries, handle sensitive data responsibly, understand legal frameworks (CFAA), and practice only on legal targets (CTFs, bug bounties, personal labs).

Resources for Continued Learning

Practice Platforms: HackTheBox, TryHackMe, PortSwigger Web Security Academy, bug bounty programs (HackerOne, Bugcrowd)

Certifications: OSCP, CEH, GWAPT, eWPT

Community: Local BSides events, OWASP chapters, DEF CON, Black Hat

Slides can be found here: View Slides