
Web Hacking 101: Hands-On Security Workshop at Codegarden

Key Lessons and materials

Written by: Steven Harland

The date was June 17th, 2025. The sun was shining on Odense, Denmark. A crew of friendly pirates were docked at a nearby port, drinking grog and preparing for a long week of plundering, looting, and downloading music from the Internet onto floppy disks.

Their main objective, however, was to hack their way into The Scumm Bar (or The "Scummy" Bar as it will now be known, thanks to the anonymous pirate who defaced the site!).

Background

The idea for this workshop grew out of the work we've been doing on the Umbraco Community Security and Privacy Team over the past year. We help to investigate security vulnerabilities that are reported in the core CMS, test out patch releases, review source code, update documentation, and things like that (this is in addition to the excellent work HQ do internally around security by the way).

I typically use Burp Suite for web security testing and I think it's a great tool for any developer to have in their arsenal (along with swords and cannons of course). From what I can gather, it is a tool that many developers know about, but have simply never tried out.

That's a shame because developers make for great security testers. After all, they know the inner workings of their applications better than anyone, and where the weak spots might be. But I find that a lot of offensive security training is aimed at security people and those who want to be pentesters, rather than software developers.

“This is one of the best-prepared training sessions I've ever attended. The exercises were very well explained - easy to understand and follow for the attendees. I especially appreciated the ‘Damn Vulnerable Umbraco Application,’ which showed how even smaller security issues can have real impact, and how important it is to fix them. It also highlights a key strength of open source: transparency makes us stronger.”

Lasse Fredslund, Product Manager, Umbraco HQ

This workshop is intended to be a gentle introduction to some basic hacking tools and techniques, aimed at developers with no prior security experience. The hope is that it will empower them to perform security testing on their own applications, find and fix issues in their code, and end up with more secure applications as a result. That's the idea at least...

Arrival at Port

The workshop was hosted at Umbraco HQ in the Unicorn Room 🦄

I was sweating so much after the walk there from the hotel, partly because of the unreal weather, but also because of nerves. I am not a regular conference speaker, workshop teacher, or anything like that, and this was my first time running a workshop (which I may or may not have finished writing and tweaking a couple of hours prior in my hotel room!).

I was greeted by some friendly HQ staff and community members when I arrived which helped to put me at ease. There were some other fantastic workshops going on at the same time and there was a great energy in the building.

We couldn't have asked for a better setting - just look at that view!

The Mighty Pirates

Ten aspiring hackers attended the workshop and it was great to have folks with varying levels of experience, from flooring inspectors (me) to sword-fighting masters (everyone else).

These folks are a credit to themselves and the community, and I thank them.

The Target

To make the workshop as realistic as possible, I deployed a vulnerable, Umbraco-based web application to Azure App Service. It had a real domain name, a valid TLS certificate, Azure Front Door in front of it (albeit terribly configured), and so on.

The application was built on Umbraco 16.0.0-rc4 (for no particular reason other than it had just been released at the time I built it) with The Starter Kit and some intentionally vulnerable features added to it, as well as an appropriate theme.

I have named this project Damn Vulnerable Umbraco Application, or DVUA for short, and you can find it on GitHub.

The Trials

We had two hours and six exercises to complete. These were:

  1. Passive Recon: gathering information about the target stealthily.

  2. Active Recon: gathering information with automated tools and scanners.

  3. Burp Repeater: manipulating and replaying web requests to exploit a privilege escalation bug.

  4. User Enumeration: identifying valid member accounts using Burp Intruder.

  5. Password Guessing: brute forcing logins with Burp Intruder.

  6. Cross-Site Scripting: exploiting a stored XSS vulnerability to hijack member sessions.

The vulnerabilities covered were inspired by issues I have seen in real-world web applications and in the Umbraco CMS over the years. We also discussed some potential bug fixes and mitigations against the different attacks.
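The user enumeration and password guessing exercises rest on one observation: if a login endpoint answers "unknown user" and "wrong password" differently, Burp Intruder can sort the responses by status or length and read valid accounts straight off the table; once it has a valid account, the same tool can run a password list against it. The script below is an added example, not code from the workshop, DVUA or Umbraco. It implements that Intruder logic in Python against a constructed mock login endpoint, with the two mitigations usually discussed beside it (a uniform failure response and an account lockout counter). The endpoints, the user table and both wordlists are hypothetical.

```python
"""Added example, not code from the workshop, DVUA, or Umbraco.

Shows the logic behind the user enumeration and password guessing exercises
and the fixes usually discussed alongside them: a login endpoint whose error
responses differ for "unknown user" and "wrong password" is an enumeration
oracle; a uniform response and a lockout counter close that gap. The mock
endpoints, user table and wordlists below are constructed and hypothetical.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Response = Tuple[int, str]               # (HTTP status, response body)
LoginFn = Callable[[str, str], Response]

# Constructed user table for the mock endpoints (hypothetical accounts).
_USERS: Dict[str, str] = {"alice": "hunter2", "bob": "letmein"}


def leaky_login(username: str, password: str) -> Response:
    """Vulnerable mock: distinguishes 'no such user' from 'wrong password'.

    The differing status and body are exactly what Intruder's result table
    (sorted by status or response length) makes visible.
    """
    if username not in _USERS:
        return 404, "Unknown user"
    if _USERS[username] != password:
        return 401, "Incorrect password"
    return 200, "Welcome"


def uniform_login(username: str, password: str) -> Response:
    """Hardened mock: one response for every failed attempt.

    A real implementation should also run the password hash comparison even
    when the user does not exist, so that timing does not become the next
    oracle.
    """
    if _USERS.get(username) == password:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def with_lockout(login: LoginFn, max_failures: int = 5) -> LoginFn:
    """Wrap a login function with a per-account failure counter (mitigation
    for brute forcing): after max_failures consecutive failures the account
    answers 429 until a successful login resets the counter."""
    failures: Dict[str, int] = {}

    def guarded(username: str, password: str) -> Response:
        if failures.get(username, 0) >= max_failures:
            return 429, "Account temporarily locked"
        status, body = login(username, password)
        failures[username] = 0 if status == 200 else failures.get(username, 0) + 1
        return status, body

    return guarded


def enumerate_users(login: LoginFn, wordlist: Iterable[str],
                    probe_password: str = "not-the-real-password") -> Set[str]:
    """Intruder 'Sniper'-style enumeration: one request per candidate username
    with a fixed junk password. Most candidates do not exist, so the most
    common response is the baseline and anything else marks a valid account."""
    results = {u: login(u, probe_password) for u in wordlist}
    if not results:
        return set()
    baseline, _ = Counter(results.values()).most_common(1)[0]
    return {u for u, resp in results.items() if resp != baseline}


def guess_password(login: LoginFn, username: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """Intruder-style password guessing against one account. Stops on the
    first 200, or on a 429 because a locked account can no longer be tested."""
    for candidate in candidates:
        status, _ = login(username, candidate)
        if status == 200:
            return candidate
        if status == 429:
            return None
    return None


# Constructed wordlists (hypothetical).
USERNAMES: List[str] = ["admin", "alice", "test", "bob", "guest", "user"]
PASSWORDS: List[str] = ["123456", "password", "qwerty", "letmein", "hunter2"]

if __name__ == "__main__":
    print("leaky endpoint leaks:", sorted(enumerate_users(leaky_login, USERNAMES)))
    print("uniform endpoint leaks:", sorted(enumerate_users(uniform_login, USERNAMES)))
    print("alice, no lockout:", guess_password(leaky_login, "alice", PASSWORDS))
    print("alice, lockout after 3:",
          guess_password(with_lockout(leaky_login, 3), "alice", PASSWORDS))
```

Against the leaky endpoint the enumeration returns the two real accounts and the guessing loop recovers a password in five requests; against the uniform endpoint the enumeration returns nothing, and with a lockout of three failures the guessing loop stops at the 429 before it reaches the right candidate. The same comparison is what you see in Intruder when you sort the attack results by status code or length.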

Capture the Flag (CTF)

Along the way, our hackers were looking out for flags hidden around the application, which could be discovered by completing the exercises.

These were submitted to the CTF platform (a self-hosted CTFd instance for anyone interested) to get points and appear on the leaderboard.

Everyone did brilliantly I am glad to say, but it was Rockerby who came out on top in the end!

Loot / Takeaways

Of course, the main point of the workshop was to try and teach people something about security, and importantly to put some security tools in the hands of developers - these are not just for security people or pentesters.

A basic knowledge of Burp Suite is all developers need to get started breaking their applications and finding bugs (as if we weren't breaking them enough already, I know...). I hope the workshop has provided that.

I won't start listing all the specific advice and recommendations we went through or this post will get very long and start sounding like one of my old pentest reports. All the materials for the workshop can be found online here: Web Hacking 101

“Having been in the industry for a long time, Steve's workshop was a real eye-opener! I'm aware of security risks when creating websites, and Steve did a fantastic job explaining the vulnerabilities and how to avoid them in the first place. We were shown how to use some powerful beginner-friendly tools to hack into a real Umbraco website - all while keeping things fun and engaging. 5* would definitely recommend!”

Richard Ockerby, Founder and Tech Lead at Arjo.dev
Umbraco MVP

Web Hacking 102?

There's a lot more to web security than we could cover in a 2-hour workshop. I have a few more exercises in mind that didn't make the cut, and there may be potential for more workshops in the future, either online or at other conferences.

There are some improvements I'd like to make, but I welcome feedback from the community on how to make the workshop better and ensure the material is accessible to as wide an audience as possible.

I have already received some great comments from those who attended the workshop and I am honoured to be mentioned in these community blog posts:

Thank You

Once again, I would like to thank everyone who came along to the workshop for being a part of this crazy experiment, everyone who checked in on me during one of my many meltdowns, and of course all the friendly HQ staff and organisers for making it such an enjoyable experience. #H5YR! ❤️