// 01 — Introduction

Welcome to Offensive Security.

A hands-on dive into how Red Teams think, operate, and break things — professionally. Today you stop being a user. Today you start being an attacker.

Session Roadmap

The Pentesting Industry

Markets, compliance, and where Red Teams sit in the security stack.

15 min

Web & HTTP Basics

How requests really travel, headers, verbs, status codes.

20 min

Burp Suite Lab

Intercept, tamper, and break a real(ish) checkout flow.

35 min

Session 02 — Coming soon

Authentication & Authorization attacks.

—

Instructor

RBT Security

RED & BLUE TEAM SECURITY

Offensive security specialists breaking enterprise web apps, APIs, and cloud infra. Red & Blue Team engagements that go beyond compliance.

∞

COFFEE

HOURS SLEPT

USE → TO ADVANCE

// 02 — The Industry

The Business of Breaking In.

Pentesting is not a hobby — it's a regulated, multi-billion dollar industry. Click each card to expand.

Asset Class

Vulnerable Assets

Web apps, APIs, mobile, cloud, internal networks, IoT, OT/SCADA.

Web Apps42%

APIs28%

Cloud (AWS/GCP)18%

Internal / AD12%

Web is still king. APIs are catching up — fast.

Frameworks

Compliance

The reason most pentests get funded in the first place.

PCI-DSS — Payments

ISO 27001 — Infosec mgmt

SOC 2 — SaaS / B2B

HIPAA — Healthcare

GDPR — EU data

Operations

Red Teaming

Goal-oriented adversary simulation. No checklist — just objectives.

Pentest: Find vulns in scope X within time Y.

Red Team: Achieve objective (exfil, domain admin, payment fraud) — by any means in scope.

Red Teams test the defenders, not just the systems.

$4.88M

AVG. BREACH COST · 2025

277 days

MEAN TIME TO IDENTIFY

68%

BREACHES INVOLVE HUMANS

3.2M

GLOBAL CYBERSEC SHORTAGE

// 03 — Web & HTTP

How the Web Actually Works.

Before we hack anything, we need to understand it. When you type a URL and hit enter, a chain of ~7 systems collaborates in under 300ms. Every single link in that chain is a potential attack surface.

3.1 // The Client–Server Model

Client

The browser, mobile app, or CLI tool. It asks for things. We attackers control the client completely — that's the whole game.

Network

The wire. TCP/IP, TLS, proxies, CDNs, WAFs. Data travels in packets. If unencrypted, anyone in the middle reads it.

Server

The back-end. Runs code, talks to databases, returns responses. Never trusts the client — or shouldn't, anyway.

3.2 // What happens when you type rbtsec.com and press enter

RBT-BROWSER · NEW TAB

https://rbtsec.com

User Input

Parse URL

DNS Lookup

Name → IP

Routing

ISP → BGP

TCP Handshake

SYN · SYN-ACK · ACK

TLS Handshake

Encrypt channel

HTTP Request

GET / HTTP/1.1

Server Work

App + DB

Render

Paint pixels

CLIENT ── TRANSIT ── SERVER

NETWORK INSPECTOR · LIVE

0 ms

// Click "Press Enter" to begin the trace.

Current Stage

Idle

Press Enter to start the journey.

Target rbtsec.com

Path /

Method GET

IP —

⚡ ATTACK SURFACE: Every step is intercept-able. DNS poisoning · MITM · TLS downgrade · Header injection · Response manipulation.

3.2.1 // TCP Handshake — Establishing a Reliable Connection

TCP (Transmission Control Protocol) is what makes the internet reliable. Before any data is exchanged, the client and server must agree they're both alive and ready. That agreement is the 3-way handshake — three packets, less than a roundtrip apart.

SYN — Client says "Hi, I want to talk. My starting sequence number is X."

Client → Server SYN, seq=X

SYN-ACK — Server says "Heard you. Acknowledging X+1. My own sequence is Y."

Server → Client SYN, ACK, seq=Y, ack=X+1

ACK — Client says "Acknowledged. Connection is open."

Client → Server ACK, seq=X+1, ack=Y+1

Why this design?

• Reliability: sequence numbers track every byte — lost packets are retransmitted.
• Ordering: packets that arrive out of order are reassembled correctly.
• Flow control: the receiver advertises a window size so it isn't overwhelmed.
• Spoof resistance: the initial sequence number is randomized — an attacker has to guess it to inject data.

TCP HANDSHAKE TRACE

  CLIENT                       SERVER
   |                             |
   |  ──── SYN seq=4291 ────►    |  ①
   |                             |
   |  ◄── SYN-ACK seq=8821 ──    |  ②
   |        ack=4292             |
   |                             |
   |  ──── ACK ack=8822 ────►    |  ③
   |                             |
   |  ════ ESTABLISHED ═════     |
   |   ready to send data        |

⚡ Attacker's view

• SYN Flood — send millions of SYNs, never ACK. Server runs out of half-open slots → DoS.
• TCP RST Injection — forge an RST packet to tear down someone's connection (great firewalls do this).
• Sequence Prediction — old bug: if ISNs were predictable, you could spoof an entire session.
• Port Scanning — Nmap maps networks by sending SYNs and watching what comes back (SYN-ACK = open, RST = closed).

3.2.2 // TLS Handshake — Encrypting the Channel

TCP gives you a reliable pipe — but it's plaintext. Anyone on the path can read it. TLS (Transport Layer Security) wraps that pipe in encryption. TLS 1.3 is the modern standard and is what protects every HTTPS site you visit.

TLS provides three guarantees

Confidentiality

Nobody in the middle can read it.

Integrity

Nobody can modify it without detection.

Authenticity

Server proves it's really the server.

The handshake (TLS 1.3, 1-RTT)

ClientHello — Client offers a list of supported ciphers, a random nonce, its key share (X25519/ECDHE) and the SNI (which hostname).

ServerHello + Certificate — Server picks a cipher, sends its X.509 certificate, its own key share, and a signature proving it owns the private key.

Key Derivation — Both sides combine their key shares (ECDHE) to derive the same shared secret — without ever transmitting it.

Finished — Both confirm with a MAC over the whole handshake. From here on, everything is encrypted with the symmetric key (AES-GCM / ChaCha20-Poly1305).

Asymmetric vs symmetric — why both?

Asymmetric crypto (RSA/ECDHE) is slow but solves key exchange. Symmetric crypto (AES) is fast but needs a shared key. TLS uses asymmetric just long enough to agree on a symmetric key — then switches to symmetric for the actual data. Best of both worlds.

TLS 1.3 HANDSHAKE

  CLIENT                       SERVER
   |                             |
   |  ── ClientHello ──────►     |
   |     ciphers, key_share,     |
   |     SNI=rbtsec.com          |
   |                             |
   |  ◄── ServerHello ────────   |
   |     cipher_choice,          |
   |     key_share, Cert,        |
   |     CertVerify, Finished    |
   |                             |
   |  ── Finished ─────────►     |
   |  [APPLICATION DATA 🔒]      |
   |  AES-256-GCM encrypted       |

Certificate Chain

Root CA — pre-installed in your OS / browser

Intermediate CA — e.g. Let's Encrypt R3

Leaf cert — CN=*.rbtsec.com (90-day life)

⚡ Attacker's view

• SSL Strip — downgrade HTTPS to HTTP if HSTS isn't enforced.
• Weak Ciphers — RC4, 3DES, export-grade keys (BEAST, POODLE, FREAK).
• Heartbleed (2014) — OpenSSL bug leaked private keys from server memory.
• Rogue/Mis-issued Certs — compromised CA → attacker mints a cert for your domain.
• Burp's MITM — Burp installs its own CA in your browser to legally decrypt your own traffic for testing.

3.3 // DNS — The Internet's Phone Book

Computers route by IP, humans remember names. DNS bridges the two. A single lookup can hit up to 4 servers:

01
Recursive Resolver — your ISP or 1.1.1.1. Caches answers.
02
Root Servers — 13 root clusters worldwide. "Ask the .com folks."
03
TLD Servers — .com, .org, .pk authorities.
04
Authoritative NS — the actual answer: rbtsec.com → 203.0.113.10

DNS RECORD TYPES

A Hostname → IPv4 address

AAAA Hostname → IPv6 address

CNAME Alias → another hostname

MX Mail server for the domain

TXT Arbitrary text · SPF, DKIM, verify

NS Authoritative name servers

RECON TIP: TXT and CNAME records leak SaaS providers, cloud setups, and forgotten subdomains. Subdomain takeover is born here.

3.4 // Anatomy of a URL

https://user:pass@api.rbtsec.com:443/v1/users/42?role=admin&active=true#profile

Scheme — protocol (http, https, ws, ftp)

Userinfo — basic auth, often abused for phishing

Host — the target server

Port — defaults: 80 / 443

Path — resource location on server

Query — key=value parameters (juicy target)

Fragment — client-side only, never sent to server

3.5 // HTTP vs HTTPS

HTTP — Plaintext

Port 80. Data travels in clear. Anyone on the same Wi-Fi can read your cookies with Wireshark.

• Vulnerable to MITM, sniffing, session hijack
• No integrity guarantee — pages can be modified in flight
• Modern browsers flag it as "Not Secure"

HTTPS — HTTP + TLS

Port 443. TLS provides confidentiality, integrity, and authenticity.

• Uses asymmetric crypto for handshake, symmetric for data
• Server proves identity via X.509 certificate
• Still attackable: weak ciphers, expired certs, mis-issued CAs

3.6 // Live Demo — Send a Request

Pick a verb, watch the packet travel, and read the raw HTTP that crosses the wire.

Method

CLIENT

192.168.1.42

── HTTP/1.1 ──

SERVER

rbtsec.com

RAW REQUEST

▲ OUTBOUND

GET / HTTP/1.1
Host: rbtsec.com
User-Agent: Mozilla/5.0 (RBT-LAB)
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

RAW RESPONSE

▼ INBOUND

// Send a request to populate this panel.

3.7 // HTTP Methods — The Full Set

GET — Read a resource. Should be safe + idempotent.

POST — Create or submit. Not idempotent.

PUT — Replace entire resource. Idempotent.

PATCH — Partial update.

DELETE — Remove a resource.

OPTIONS — Discover allowed methods (CORS pre-flight).

HEAD — GET without the body. Recon-friendly.

TRACE — Echo request. Often disabled (XST attack).

💡 Bug-bounty pearl: try PUT /admin/user/1 on endpoints that "only" allow GET. Method-based access control bypasses are everywhere.

3.8 // Status Codes — The Server's Mood

1xx

Informational

100 Continue · 101 Switching Protocols (WebSockets)

2xx

Success

200 OK · 201 Created · 204 No Content

3xx

Redirection

301 Moved · 302 Found · 304 Not Modified

4xx

Client Error

400 · 401 Unauthorized · 403 Forbidden · 404 · 429 Rate-limit

5xx

Server Error

500 Internal · 502 Bad Gateway · 503 Unavailable

💡 The difference between 401 and 403 tells you whether the username exists. The difference between 200 and 500 tells you whether your payload broke parsing.

3.9 // Headers That Matter for Attackers

Request Headers

Host: virtual-host routing. Try Host header injection.

User-Agent: identifies the client. Servers fingerprint here.

Cookie: session tokens live here. Crown jewels.

Authorization: Bearer / Basic auth. Tampered for IDOR.

Referer: previous page. CSRF defenses rely on this.

X-Forwarded-For: spoofable IP. Bypass IP allow-lists.

Content-Type: parser selector. Swap to abuse mass-assignment.

Response Headers

Set-Cookie: missing HttpOnly/Secure/SameSite = win.

Server: tech leak (nginx, Apache, IIS).

X-Powered-By: framework leak (PHP, Express).

Content-Security-Policy: defines XSS sandbox.

Strict-Transport-Security: forces HTTPS.

X-Frame-Options: clickjacking defense.

Access-Control-Allow-*: CORS — misconfigs = data theft.

3.10 // Cookies, Sessions & State

HTTP is stateless — every request stands alone. To remember you're logged in, servers issue a cookie the browser sends back on every subsequent request.

Set-Cookie: session=eyJ1c2VyIjoxMjN9; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=3600

HttpOnly — JS can't read it. Blocks XSS theft.

Secure — only sent over HTTPS.

SameSite — Strict/Lax/None. Defeats CSRF when set right.

💡 If a session cookie is missing HttpOnly and the app has reflected XSS, an attacker can call document.cookie from injected JS and exfiltrate the session in one line.

// 04 — The Pentester's IDE

Burp Suite — The Hacker's Microscope.

Burp Suite by PortSwigger is the de-facto standard for web pentesting. It's an intercepting proxy that sits between your browser and the target — letting you read, edit, replay, fuzz, and weaponize every request.

4.1 // What Is an Intercepting Proxy?

A proxy is a man-in-the-middle that you put there on purpose. Your browser is configured to send traffic to Burp (127.0.0.1:8080) instead of directly to the internet. Burp forwards it — but along the way you get to inspect and modify everything.

[Browser] → [Burp Proxy :8080] → [Target Server]

For HTTPS, Burp generates its own CA certificate that you install in the browser. That way Burp can decrypt, show you plaintext, and re-encrypt before forwarding. Same trick a corporate firewall uses.

Editions

Community — free, no scanner, throttled Intruder.

Professional — $475/yr. Scanner, Collaborator, full Intruder.

Enterprise — CI/CD scanning at scale.

4.2 // The Core Tools — What Each Tab Actually Does

Proxy

THE HEART OF BURP

Captures every request between browser and server. Two sub-tabs you'll live in:

• Intercept — pause requests live, edit, then forward or drop.
• HTTP History — chronological log of every request that passed through.
• Match & Replace — auto-rewrite headers/body on the fly.

Target

SITE MAP + SCOPE

A tree view of every URL Burp has seen. Define your Scope here so you only attack what you're paid to.

• Site Map — full hierarchy of host/path.
• Scope — include/exclude regex rules. Critical for ethics + sanity.
• Issue Definitions — Burp's own bug encyclopedia.

Repeater

MANUAL TESTING'S BEST FRIEND

Take any request, modify it manually, send it again. Tweak one byte, hit Send, see the diff in the response.

• Test SQLi, XSS, IDOR payloads one at a time.
• Verify a vulnerability without re-doing the whole flow.
• Shortcut: Ctrl+R from any request → "Send to Repeater".

Intruder

AUTOMATED FUZZER

Mark positions in a request as §payload§ and Burp fires hundreds of variations. 4 attack types:

• Sniper — one payload set, one position at a time.
• Battering Ram — same payload in all positions.
• Pitchfork — parallel lists (user[i] + pass[i]).
• Cluster Bomb — every combination (brute force).

Decoder

ENCODING SWISS-ARMY KNIFE

Convert between URL, Base64, HTML, Hex, ASCII, Gzip. Chain decodes to peel back layers.

• Decode JWTs, session tokens, encoded payloads.
• Quick hashing: MD5, SHA-1, SHA-256.
• Smart "Auto" mode guesses the encoding.

Comparer

DIFF TWO RESPONSES

Visual diff between two requests or two responses. Spot a 1-byte change that flips behavior.

• Identify which header triggered a different reply.
• Find blind injection points by length/content delta.
• Compare valid vs invalid auth responses for user enumeration.

Sequencer

RANDOMNESS ANALYSIS

Statistically analyse the randomness of session tokens, CSRF tokens, password-reset codes.

• Captures hundreds of tokens, runs FIPS-style entropy tests.
• Predictable token = session hijack or reset-link guessing.

Scanner (PRO)

AUTOMATED VULN HUNTING

Active + passive scanning for OWASP-class bugs. Crawls, audits, reports — but never replaces a human.

• Passive: watches your traffic, flags low-hanging issues.
• Active: injects payloads — get authorization first.

Collaborator (PRO)

OUT-OF-BAND DETECTION

PortSwigger-hosted server with a unique subdomain per session. Detects blind vulns where the response doesn't echo your payload.

• Blind SSRF, blind XXE, blind SQLi, OOB exfil.
• If your payload triggers a DNS/HTTP callback → confirmed.

Extender / BApp Store

PLUGINS

Free marketplace of community extensions. Must-haves:

• Autorize — automated authz testing.
• JWT Editor — tamper, sign, none-alg attacks.
• Param Miner — find hidden parameters & headers.
• Logger++ — better history with filters.
• Turbo Intruder — race conditions at 30k req/s.

4.3 // A Typical Web Pentest Workflow in Burp

01 · MAP

Browse the app

Walk every flow with intercept off. Build the site map.

02 · SCOPE

Set Target Scope

Stay legal. Filter the noise.

03 · ANALYZE

Review History

Hunt for params, tokens, hidden endpoints.

04 · EXPLOIT

Repeater + Intruder

Manual proof → automated scale.

05 · REPORT

Document everything

Save requests/responses as evidence.

4.4 // Hands-On Lab — Price Tampering

Theory's done. Time to break something. Below is a miniature checkout with a proxy in the middle. Your job: intercept the purchase request and change the price after the browser has sent it.

This bug — client-side trust / parameter tampering — is the bread and butter of bug bounty programs. When a server believes whatever the browser sends, you can buy a $499 device for $1.

RBT-SHOP // STOREFRONT

demo.rbtsec.com

RBT-X1 Hardware Implant

Bluetooth-enabled USB ninja. Black hat-grade. Ships globally.

PRICE

$499.00

Order Log

// Awaiting orders…

Burp Suite Community — RBT Edition

_□×

Dashboard

Target

Proxy

Intruder

Repeater

Logger

Intercept

HTTP history

WebSockets

Options

PROXY :8080

Proxy is listening on 127.0.0.1:8080

Trigger a request from the storefront to intercept.