It is commonly stated that Web applications are a primary means to breaching a company's external network. It is a coveted goal by both malicious targets and security professionals to gain this valuable foothold. But how do you get from mere vulnerabilities to a server takeover? Common testing guidelines tell you what to test for, but very few show you how to go from zero to hero. This talk intends to help testers understand the vulnerabilities and strategies commonly used from an AppSec perspective.

Andrew Wilson is presenting at ToorCon San Diego - If You Like It, Then You Shouldn't Put a Ring3 On It