
Learn how HTTP requests and responses enable data exchange, including GET and POST methods, headers, and cookies. Identify how untrusted inputs and misconfigurations create attacker entry points.
Explore the OWASP Top 10 attacks overview, learn how the 2017 Top 10 categories guide web application security, and preview practical examples to come in later videos.
Verify the lab setup by logging in with default credentials, adjusting terminal preferences, and confirming access to the bookshelf and XviD applications via IPs using a private browser window.
Log into the bookshelf server via SSH using the bookshelf username and the server's IP address, then enter the password to access settings and perform tasks.
Learn to perform manual, error-based SQL injection to exploit an editor-based app, identify columns, use UNION queries with information_schema, and reveal database details and user credentials.
Learn to use sqlmap to exploit SQL injection on a login page, and dump databases, tables, and columns to retrieve user data from the users table.
Explore stored cross-site scripting by submitting anonymous comments that save JavaScript, which later executes for other users, potentially stealing cookies.
Test the bookshelf application for reflected cross-site scripting by injecting input, viewing the page source, and confirming the reflected JavaScript appears in the source.
Cross-site request forgery forces an authenticated user to perform unwanted actions on a web app, such as transferring funds or changing passwords, via a crafted link or page.
Explore how XPath injection targets XML data stores to bypass authentication and reveal other users' borrowed books, highlighting similarities to SQL injection.
Explore how XML external entity (XXE) injection can exploit insecure XML parsers to read arbitrary server files and potentially execute remote code, with denial of service and internal network access also possible.
Prevent XXE by avoiding external entities and enforcing strict input validation, and enable security features in Java DOM and SAX parsers to protect XML processing.
Explore how unvalidated file uploads can let attackers gain control of a web application and server by uploading crafted files, bypassing authentication to access the admin panel and Tomcat credentials.
Are you a beginner looking to break into the AppSec field? Don't know where to start your Application Security journey? Curious to know what it takes to get started with Bug Bounties? Then this course is a great start for you. This practical web application penetration testing course is suitable for beginners and covers a wide range of common web application attacks. Once you get the foundations right, you can build your skills on your own from there. This entry-level web security course also provides a custom web application developed in Java specifically for this course. In addition, the course covers some challenges in a publicly available vulnerable web application. The course provides the necessary background to the concepts wherever needed.
Following are some of the topics covered in this course:
Web Application Architecture
HTTP Requests and Responses
SQL Injection - Authentication Bypass
Manually Exploiting Error Based SQL Injection
SQLMap for exploiting SQL Injection
Cross Site Scripting - Reflected, Stored and DOM Based
Cross Site Request Forgery
Broken Cryptography
Access Control Issues
Arbitrary File Uploads
XPath Injection
XML External Entity (XXE) Injection
Java Deserialization
Command Execution via Security Misconfigurations
Command Execution via Outdated Software
You will learn the following for most vulnerabilities discussed in the course.
Identifying a vulnerability
How to exploit an identified vulnerability
How to prevent the discussed vulnerability
NOTE: This course is being updated and new content will be uploaded until all the advertised modules are covered.