Course Foundation (Web App Security)
Web Penetration Testing is the art of identifying security flaws in web applications before attackers do. This course covers everything from reconnaissance and fingerprinting to exploiting complex vulnerabilities like SQL injection, XSS, and modern API flaws.
Core Domains
A comprehensive curriculum covering the OWASP Top 10 and advanced web exploits:
Info Gathering & Recon
Subdomain enumeration, DNS records, virtual host discovery, and tech stack fingerprinting.
Authentication & Session
Password spraying, session hijacking, JWT manipulation, and OAuth misconfigurations.
Injection Attacks
SQL Injection, XSS (Reflected/Stored/DOM), Command Injection, and SSTI.
File & Resource Exploits
File upload bypasses, LFI/RFI, path traversal, and misconfigured cloud storage.
Advanced Exploits
SSRF, XXE, HTTP Request Smuggling, Web Cache Poisoning, and Prototype Pollution.
API & Modern Stacks
REST/GraphQL exploitation, Rate limit bypasses, BOLA, and SPA testing.
Typical Lab Scenarios
Vulnerable Login
Exploit login forms with SQLi or authentication bypass techniques.
Session Hijacking
Steal session cookies via XSS and take over user accounts.
Shell Upload
Upload malicious PHP shells by bypassing file filter restrictions.
Key Considerations
- Tools: Burp Suite, OWASP ZAP, SQLmap, Gobuster, Hydra, wfuzz, Postman.
- Frameworks: OWASP Top 10, MITRE ATT&CK for Web.
- Certifications: Covers content for OSWE, CBBH, BSCP, CEH, CPTS, PNPT.