
In this part of the course, I introduce myself and tell you what the course is basically about. Stay tuned to the course introduction where I cover everything about the course in general.
This will be the introduction to the course itself and a review of all the syllabus which we will be learning throughout this course.
In this lesson, we learn how to set up and configure Kali Linux, which will be our penetration testing distribution. We will learn to install drivers on old and obsolete computers as well.
In this part of the course, we perform the second prerequisite of the course, which involves the installation of the OWASP ZAP Vulnerability Scanner.
In this video, we configure Burp Suite, which is a necessary tool for the upcoming Bug Bounties that we will be performing.
In this part of the course, I explain some of the websites that we will use to perform automatic penetration testing that will be helpful for our future Bug Bounties.
In this video, we install and configure ngrok http tunnel which will be useful for future Bug Bounty Projects that we will perform.
In this video, we install an extension for Firefox for checking Web Application Technologies which will be necessary for performing our Bug Bounty Hunting.
In this video, you'll learn how to use the Nikto Vulnerability Scanner to automatically scan and discover vulnerabilities on Web Application Systems.
In this video, you'll learn how to use nmap to find vulnerable web application ports. While we won't be using nmap at all in the upcoming parts of the course, it's important to understand why you'd need to use this tool as a penetration tester.
In this video, I show you how to use the GoBuster Tool for Directory Enumeration using SecLists. This tool itself is similar to ffuf and dirbuster as well. While we will be using ffuf in other parts of the course, it's important to understand how to use GoBuster.
In this prerequisite, you'll learn how to install and set up GoBuster and SecLists. While we won't be using GoBuster in our Pentesting Work, it is necessary to understand its importance and why you should have it for other future Penetration Testing work. Please check the video "Using GoBuster" for more information on this.
In this video, I explain the basics of performing Bug Bounties before we jump into doing any bounties and performing penetration tests.
In this video, we attempt to perform an exploit on a real vulnerable target to try to obtain Remote Code Execution with the help of Artificial Intelligence and the OWASP ZAP Automatic Pentesting Tool.
In this video, I exploit two CTFs from PortSwigger that are vulnerable to SQLi, one of them using manual exploitation and the other using an automatic pentesting tool. Please keep in mind that the purpose of the video was to show that the database server is exploitable and therefore, I didn't pull out any information or dump tables from the databases.
In this video, I use a combination of different automatic penetration testing tools to attempt to find a Subdomain Takeover on a real Bug Bounty Target.
In this video, we use a tool called TruffleHog to approach a real-life VDP Target from HackerOne.
In this video, I show you how to use Nuclei in Verbose Mode to enhance Web Application Penetration Testing and Scanning Results using the automated tool.
In this lesson, we use Katana, an automatic Website Crawling and Spidering Tool to find Vulnerable Endpoints within a Web Application System.
In this lesson, I use a GitHub Automated Tool to attempt to bypass 403 Access Denied on a site vulnerable to Local File Inclusion. Please check the video on LFI below before watching this video.
In this video, I exploit a Missing SRI Vulnerability on a real bug bounty target and test for the Missing SRI Vulnerability, which eventually is present.
In this video, I explain how to use the manual exploration technique for automated vulnerability detection on the Web Application System using the OWASP ZAP Utility.
In this video, I approach a real bug bounty target and exploit an Open Redirect Vulnerability.
In this video, I exploit an account takeover vulnerability in a real bug bounty target. In this vulnerability, both email and OTP have been bypassed.
In this part of the course, I explain and exploit a potential Stored XSS Vulnerability using a PDF Document.
In this video, I approach a real-world target with an OTP Overflow Attack for Bug Bounty Hunting.
In this lesson, I explain how to exploit the IDOR Vulnerability with an additional CTF from PortSwigger Academy on IDOR Vulnerability that we will walk through as well.
In this video, I present to you some Capture The Flag Games that can be used to help teach you and guide you to understanding XSS Vulnerabilities, so you are able to perform exploits later in real-world scenarios when it comes to live Bug Hunting.
In this video, I explain how to advance your Google Hacking Skills to approach real-world Bug Bounty Scenarios for Manually Finding Potentially and possibly Vulnerable Endpoints on different Web Application Systems from Google alone.
In this part of the course, I show you how to exploit LFI and Directory Traversal Vulnerabilities. This part of the course incorporates the use of a CTF to help in understanding the vulnerability.
In this lesson, we go through a CTF from PortSwigger Academy on performing Penetration Tests to gain Remote Code Execution through a Remote File Inclusion Vulnerability (Upload Functionality); I further explain that the real-life concept applies the same as what you've learned in Lesson 14 of this course.
In this video, I use a PortSwigger CTF to exploit a CSRF Scenario and showcase a real-world scenario of how to use a CSRF HTML Script in a false-positive scenario gotten by the OWASP ZAP Vulnerability Scanner and explain why automated pentesting shouldn't be relied upon.
In this lesson, I show you how to exploit an SSRF Vulnerability from a CTF on the PortSwigger Academy. In addition, I show a different way to approach SSRF in a real-world scenario as well.
In this video, I show you how to use GitHub as a Hacking Advantage to collect sensitive information. The dorks were used on a real VDP target for HackerOne.
In this video, I show how to bypass Web Application Firewalls in the scenario whereby I used encoded payloads on two different Web Applications with two different Firewalls. In the first one, I bypassed using a Base64 Encoded Payload to test for XSS and on the second one, I used a payload to bypass and test for SQL Injection.
In this lesson, I will show you how to exploit a CORS Vulnerability from a PortSwigger CTF. You can check the resources section for an HTML Document that you can use with a script to send the API Key back through a tunneled ngrok server.
In this last lesson, I show you how to exploit a Clickjacking Vulnerability from a PortSwigger CTF after attempting to exploit one on a website permitted by its owners (KT and Brenton), which appeared to be a false positive from the OWASP ZAP Utility due to the WAF protecting the page and the code they have put on the page to protect the site from sensitive actions triggered by the clickjacking vulnerability.
In this video, you'll learn how to make your final bug bounty reports for HackerOne and other Bug Bounty Platforms that you plan to use.
Conclusion and Congratulations for completing the course.
In this course, you’ll learn the basics of performing basic penetration tests on web applications manually and using automated penetration testing tools with the help of the different Artificial Intelligence tools that exist out there. We will compare the differences and answers given by three different AIs, including ChatGPT, PenTestGPT and WhiteRabbitNeo AI, and see the negative sides of using AI as a whole when performing these penetration tests. We will perform some manual tests without using automated tools to better understand how vulnerabilities can be exploited without getting any false negatives that are present when using AI and automation for penetration tests. I will also disclose a duplicate report that I obtained permission to disclose to the public, so you have an idea of how to write reports for HackerOne and other Web Application Penetration Testing Bug Bounties and Vulnerability Disclosure Programs.
NOTE: Some of these penetration tests are performed against CTF (Capture The Flag) Trainings such as the PortSwigger Academy. However, the majority of them are performed against real-life web applications.
Please note that this course is for educational purposes only. This course is intended to teach people to perform ethical hacking and contains highly sophisticated cybersecurity techniques which can be used by anyone. Do not use anything taught in this course illegally; I will not be responsible for any damage or harm caused to a system from what you learn and apply from this course. This course is for people who want to become Bug Bounty Hunters and White Hat Hackers, to prepare and refresh them for a better world of security and help in mitigating cyber risks.