Website Hacking / Penetration Testing & Bug Bounty Hunting
4.5 (7,821 ratings)
58,342 students enrolled

Become a bug bounty hunter! Hack websites & web applications like black hat hackers and secure them like experts.
Bestseller
Last updated 5/2020
English
English [Auto], French [Auto], 8 more
  • German [Auto]
  • Indonesian [Auto]
  • Italian [Auto]
  • Polish [Auto]
  • Portuguese [Auto]
  • Romanian [Auto]
  • Spanish [Auto]
  • Thai [Auto]
This course includes
  • 9 hours on-demand video
  • 1 article
  • 9 downloadable resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What you'll learn
  • 90+ Videos to take you from a beginner to advanced in website hacking.
  • Create a hacking lab & needed software (on Windows, OS X and Linux).
  • Become a bug bounty hunter & discover the bugs bounty programs pay for!
  • Discover, exploit and mitigate a number of dangerous web vulnerabilities.
  • Exploit these vulnerabilities to hack into web servers.
  • Bypass security & advanced exploitation of these vulnerabilities.
  • Advanced post exploitation - hack other websites on the same server, dump the database, escalate privileges, etc.
  • Bypass security & filters.
  • Intercept requests using a proxy.
  • Adapt SQL queries to discover and exploit SQL injections in more secure pages.
  • Gain full control over target server using SQL injections.
  • Discover & exploit blind SQL injections.
  • Install Kali Linux - a penetration testing operating system.
  • Learn Linux basics: how to interact with the terminal and run Linux commands.
  • Understand how websites & web applications work.
  • Understand how browsers communicate with websites.
  • Gather sensitive information about websites.
  • Discover servers, technologies & services used on target website.
  • Discover emails & sensitive data associated with a specific website.
  • Find all subdomains associated with a website.
  • Discover unpublished directories & files associated with a target website.
  • Find all websites hosted on the same server as the target website.
  • Discover, exploit and fix file upload vulnerabilities.
  • Exploit advanced file upload vulnerabilities & gain full control over the target website.
  • Discover, exploit and fix code execution vulnerabilities.
  • Exploit advanced code execution vulnerabilities & gain full control over the target website.
  • Discover, exploit & fix local file inclusion vulnerabilities.
  • Exploit local file inclusion vulnerabilities to get a shell.
  • Exploit advanced local file inclusion vulnerabilities & gain full control over the target website.
  • Exploit advanced remote file inclusion vulnerabilities & gain full control over the target website.
  • Discover, fix, and exploit SQL injection vulnerabilities.
  • Bypass login forms and login as admin using SQL injections.
  • Write SQL queries to find databases, tables and sensitive data such as usernames and passwords using SQL injections.
  • Bypass filtering, and login as admin without password using SQL injections.
  • Bypass filtering and other security measures.
  • Read / Write files to the server using SQL injections.
  • Patch SQL injections quickly.
  • Learn the right way to write SQL queries to prevent SQL injections.
  • Discover basic & advanced reflected XSS vulnerabilities.
  • Discover basic & advanced stored XSS vulnerabilities.
  • How to use the BeEF framework.
  • Hook users to BeEF using reflected & stored XSS vulnerabilities.
  • Steal credentials from hooked targets.
  • Run javascript code on hooked targets.
  • Create undetectable backdoors.
  • Hack computers using XSS vulnerabilities.
  • Fix XSS vulnerabilities & protect yourself from them as a user.
  • What do we mean by brute force & wordlist attacks.
  • Create a wordlist or a dictionary.
  • Launch a wordlist attack and guess admin's password.
  • Discover all of the above vulnerabilities automatically using a web proxy.
  • Run system commands on the target webserver.
  • Access the file system (navigate between directories, read/write files).
  • Download, upload files.
  • Bypass security measures.
  • Access all websites on the same webserver.
  • Connect to the database and execute SQL queries or download the whole database to the local machine.
  • Discover, exploit and mitigate CSRF vulnerabilities.
Requirements
  • Basic IT Skills.
  • No Linux, programming or hacking knowledge required.
  • Computer with a minimum of 4GB ram/memory.
  • Operating System: Windows / OS X / Linux.
Description

Note: The contents of this course are not covered in any of my other courses except for some basics. Although website hacking is covered in one of my other courses, that course only covers the basics where this course dives much deeper in this topic covering more techniques, more vulnerabilities, advanced exploitation, advanced post exploitation, bypassing security and more!

Welcome to this comprehensive course on website penetration testing. In this course you'll learn website / web application hacking & bug bounty hunting! This course assumes you have NO prior knowledge of hacking, and by the end of it you'll be at a high level, able to hack & discover bugs in websites like black-hat hackers and secure them like security experts!

This course is highly practical but it won't neglect the theory. First you'll learn how to install the needed software (on Windows, Linux and Mac OS X), then we'll start with website basics: the different components that make up a website and the technologies used, and then we'll dive into website hacking straight away. From here onwards you'll learn everything by example, by discovering vulnerabilities and exploiting them to hack into websites, so there are no dry, purely theoretical lectures.

Before jumping into hacking, you'll first learn how to gather comprehensive information about the target website, then the course is divided into a number of sections, each section covers how to discover, exploit and mitigate a common web application vulnerability, for each vulnerability you will first learn the basic exploitation, then you will learn advanced techniques to bypass security, escalate your privileges, access the database, and even use the hacked websites to hack into other websites on the same server.

All of the vulnerabilities covered here are very common in bug bounty programs, and most of them are part of the OWASP top 10.

You will learn how and why these vulnerabilities are exploitable, how to fix them and what are the right practices to avoid causing them.


Here's a more detailed breakdown of the course content:

1. Information Gathering - In this section you'll learn how to gather information about a target website, you'll learn how to discover its DNS information, the services used, subdomains, un-published directories, sensitive files, user emails, websites on the same server and even the hosting provider. This information is crucial as it increases the chances of being able to successfully gain access to the target website.

2. Discovery, Exploitation & Mitigation - In this section you will learn how to discover, exploit and mitigate a large number of vulnerabilities, this section is divided into a number of sub-sections, each covering a specific vulnerability, firstly you will learn what is that vulnerability and what does it allow us to do, then you will learn how to exploit this vulnerability and bypass security, and finally we will analyse the code causing this vulnerability and see how to fix it, the following vulnerabilities are covered in the course:

  • File upload - This vulnerability allows attackers to upload executable files to the target web server; exploiting it properly gives you full control over the target website.

  • Code Execution - This vulnerability allows users to execute system commands on the target web server; this can be used to run malicious code and get a reverse shell, which gives the attacker full control over the target web server.

  • Local File Inclusion - This vulnerability can be used to read any file on the target server, so it can be exploited to read sensitive files. We will not stop at that though: you will learn two methods to exploit this vulnerability to get a reverse shell connection, which gives you full control over the target web server.

  • Remote File Inclusion - This vulnerability can be used to load remote files; exploiting it properly gives you full control over the target web server.

  • SQL Injection - This is one of the most dangerous vulnerabilities. It is everywhere and can be exploited to do everything the above vulnerabilities allow us to do and more: log in as admin without knowing the password, access the database and get all data stored there (usernames, passwords, credit cards, etc.), read/write files and even get a reverse shell, which gives you full control over the target server!

  • Cross Site Scripting (XSS) - This vulnerability can be used to inject javascript code in vulnerable pages, we won't stop at that, you will learn how to steal credentials from users (such as facebook or youtube passwords) and even gain full access to their computer.

  • Insecure Session Management - In this section you will learn how to exploit insecure session management in web applications and login to other user accounts without knowing their password, you'll also learn how to discover and exploit CSRF (Cross Site Request Forgery) vulnerabilities to force users to change their password, or submit any request you want.

  • Brute Force & Dictionary Attacks - In this section you will learn what are these attacks, the difference between them and how to launch them, in successful cases you will be able to guess the password for a target user.

3. Post Exploitation - In this section you will learn what you can do with the access you gained by exploiting the above vulnerabilities. You will learn how to convert reverse shell access to Weevely access and vice versa, how to execute system commands on the target server, navigate between directories, access other websites on the same server, upload/download files, access the database and even download the whole database to your local machine. You will also learn how to bypass security and do all of that even if you do not have enough permissions!
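The SQL Injection bullet above describes logging in as admin without a password. The following added example (not part of the course or the course page) shows the two sides of that in Python with an in-memory SQLite database, which is an assumption; the course's lab apps are PHP and the database engine is not named on the page. The vulnerable function builds the query by string concatenation, so the username `admin' -- ` ends the quoted string and comments out the password check. The fixed function uses a parameterised query and verifies the password in application code against a salted PBKDF2 hash instead of comparing it inside SQL. The user table and its two accounts are constructed test data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo accounts. A real application never stores the plaintext
# column; it is here only so the vulnerable query behaves like the lab pages.
USERS = [("admin", "S3cret!"), ("alice", "hunter2")]


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory database: plaintext column for the vulnerable page,
    salt + hash columns for the fixed one."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)"
    )
    for user, pw in USERS:
        salt = os.urandom(16)
        db.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)", (user, pw, salt, _pbkdf2(pw, salt))
        )
    return db


def vulnerable_login(db: sqlite3.Connection, username: str, password: str):
    """Query text assembled from user input. With username "admin' -- " the
    statement becomes:
        SELECT username FROM users WHERE username='admin' -- ' AND password='...'
    so the password condition is a comment and the admin row is returned."""
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (
        username,
        password,
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver sends the value separately from the SQL
    text, so quotes or comment markers in the input are just characters. The
    password is then checked in code with a constant-time comparison."""
    row = db.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user, salt, pw_hash = row
    if hmac.compare_digest(_pbkdf2(password, salt), pw_hash):
        return user
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, "admin' -- ", "anything"))  # admin
    print("fixed:     ", safe_login(db, "admin' -- ", "anything"))        # None
    print("fixed, real password:", safe_login(db, "admin", "S3cret!"))    # admin
```

The same parameter mechanism exists in PHP as prepared statements (PDO or mysqli with bound parameters); the point is that the query structure is fixed before any user data is attached to it.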

With this course you get 24/7 support, so if you have any questions you can post them in the Q&A section and we'll respond to you within 15 hours.


Notes:

  • This course is created for educational purposes only and all the attacks are launched in my own lab or against systems that I have permission to test.

  • This course is totally a product of Zaid Sabih & zSecurity, no other organization is associated with it or a certification exam. Although, you will receive a Course Completion Certification from Udemy, apart from that NO OTHER ORGANIZATION IS INVOLVED.

Who this course is for:
  • Anybody interested in learning website & web application hacking / penetration testing.
  • Anybody interested in becoming a bug bounty hunter.
  • Anybody interested in website hacking.
  • Anybody interested in learning how to secure websites & web applications from hackers.
  • Web developers, so they can create secure web applications & secure their existing ones.
  • Web admins so they can secure their websites.
Course content
94 lectures, 09:15:15 total
+ Course Introduction
1 lecture 02:13

Hello & welcome to this course, this lecture will give you an overview of the structure of the course, and what you'll learn in it.

Preview 02:13
+ Preparation - Creating a Penetration Testing Lab
4 lectures 26:33

In this course, we will be using a number of operating systems, Kali for hacking and 2 others as target machines, in this section you will learn how to install all of these machines as virtual machines inside your current operating system, this allows us to use all of the machines at the same time, it also completely isolates these machines from your main machine therefore your main machine will not be affected if anything goes wrong.

Everything shown here will work on Windows, Linux and OS X.

Lab Overview & Needed Software
07:48

This lecture will give you an overview of the software you need for this course,  how to install it, and how to install Kali Linux as a virtual machine inside any operating system, whether it is Windows, Linux or OS X.

Installing Kali 2020 As a Virtual Machine Using a Ready Image
11:13

In this lecture you will learn how to install a vulnerable operating system (Metasploitable) as a virtual machine so we can use it to practice penetration testing in future lectures.

Installing Metasploitable As a Virtual Machine
04:10

In this lecture you will learn how to set up a windows virtual machine so that we can try and hack into it to practice penetration testing.

Installing Windows As a Virtual Machine
03:22
+ Preparation - Linux Basics
3 lectures 22:08

In this lecture we will have a basic look on Kali linux just to get you comfortable with using it.

You will learn how to use its main applications, browse files, connect to the internet ....etc.

Basic Overview Of Kali Linux
05:10

In this lecture you will learn how to interact with the linux terminal and run linux commands.

The Linux Terminal & Basic Linux Commands
11:21

In this lecture you will learn how to configure the network settings for the lab machines and how to access the websites that we will try to hack from the Kali machine.

Configuring Metasploitable & Lab Network Settings
05:37
+ Website Basics
2 lectures 09:44

Before diving into website hacking you need to know some basics about websites. This lecture will explain what a website is, what it contains, the technologies used in it and how all of these components interact with each other.

What is a Website?
04:13

In this lecture you will learn the various methods and approaches that can be used to hack into a website.

How To Hack a Website ?
05:31
+ Information Gathering
9 lectures 54:09

In this lecture you will learn how to gather information about the website/ domain name owner, server IP address, hosting company and more.

Gathering Information Using Whois Lookup
04:41

In this lecture we will use Netcraft to discover the technologies used on the target website, such as the web server used, installed web applications and more!

Discovering Technologies Used On The Website
06:04

This lecture will teach you how to gather detailed DNS information about the target website, such as its DNS records, resources it shares with other websites and more!

Gathering Comprehensive DNS Information
10:23

This lecture will show you how to discover websites on the same server as your target website, this is very useful as these websites can be used to gain access to your target website.

Discovering Websites On The Same Server
03:43

In this lecture we will use a tool called knock to discover subdomains on the target website, this is useful as these subdomains could contain beta web applications, private web applications or login pages.

Discovering Subdomains
05:05

In this lecture you will learn how to use a tool called dirb to discover files on the target website, this can be helpful as it might reveal files that contain sensitive data.

Discovering Sensitive Files
07:25

In this lecture we will analyse the files we discovered in the previous lecture and see the information they contain.

Analysing Discovered Files
04:17

Maltego is a great information gathering tool that can be used to gather information just about anything (people, websites, computers, servers ...etc).

In this lecture we will have an overview on the tool and some basic use, you will learn how to discover domains, websites, servers and emails associated with your target.

Maltego - Discovering Servers, Domains & Files
07:42

In this lecture we will dive deeper into Maltego, you will learn how to discover more info about the target such as admin's email, hosting company, servers and lay out this information nicely.

Preview 04:49
+ File Upload Vulnerabilities
6 lectures 32:59

File upload vulnerabilities allow attackers to upload files on the web server.

This lecture will introduce you to these vulnerabilities and teach you how to discover and exploit them to gain full control over the target server.

How To Discover & Exploit Basic File Upload Vulnerabilities to Hack Websites
06:43

In this lecture you will learn more about how websites work: how the browser communicates with the web server, the HTTP request types, and how to use this communication to discover and exploit advanced vulnerabilities.

HTTP Requests - GET & POST
04:12

In this lecture you will learn how to use Burp Suite to intercept GET & POST requests and modify them.

This is useful in many cases: discovering vulnerabilities, bypassing filters, etc.

Intercepting HTTP Requests
06:44

Now that we know how to intercept HTTP requests, in this lecture you will learn how to exploit a more secure file upload vulnerability and gain full control over the target web server.

Exploiting Advanced File Upload Vulnerabilities To Hack Websites
04:37

In this lecture we will look at an even more secure upload page. You'll learn how to use Burp Suite to intercept the upload request and exploit the upload functionality to gain full control over the target web server.

Preview 04:22

In this lecture we will look at the code causing the above vulnerabilities. You will learn why they are exploitable and how to fix these pages to prevent file upload vulnerabilities.

[Security] Fixing File Upload Vulnerabilities
06:21
+ Code Execution Vulnerabilities
3 lectures 19:18

Code execution vulnerabilities allow attackers to run system commands on the web server.

This lecture will introduce you to these vulnerabilities and teach you how to discover and exploit them to get a reverse shell and hack websites.

How To Discover & Exploit Basic Code Execution Vulnerabilities To Hack Websites
07:25

This lecture will teach you how to exploit more secure code execution vulnerabilities to get a reverse shell and gain full control over the target server.

Exploiting Advanced Code Execution Vulnerabilities
06:06

In this lecture we will look at the code causing the above vulnerabilities. You will learn why they are exploitable and how to fix these pages to prevent code execution vulnerabilities.

[Security] - Fixing Code Execution Vulnerabilities
05:47
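The code execution pages the section describes take user input, glue it into a system command and run it through a shell, which is what makes a reverse shell payload possible. This added example (not the course's code; the course's pages are PHP, and the "ping a host" feature, hostname rule and payload string are assumptions) reproduces that pattern in Python and places the fix next to it: validate the input against a strict allowlist, then run the program with an argument vector and no shell, so characters like `;`, `|` and `&` are never interpreted.

```python
import re
import subprocess

# Hostnames: letters, digits, dots and hyphens only. Anything a shell would
# interpret (; | & $ ` spaces, newlines) is rejected before a command exists.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def vulnerable_ping(host: str) -> str:
    """The exploitable pattern: user input concatenated into a command string
    that a shell parses. "127.0.0.1; echo INJECTED" terminates the ping
    command and runs a second one; a reverse shell payload works the same way."""
    result = subprocess.run(
        "ping -c 1 -W 1 " + host,
        shell=True,
        capture_output=True,
        text=True,
        timeout=20,
    )
    return result.stdout


def build_ping_argv(host: str) -> list:
    """Fixed version, step one: validate, then build an argument vector.
    No shell is involved, so metacharacters have no meaning; a leading '-'
    is refused so the input cannot become an option to ping either."""
    if not HOSTNAME_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", "-W", "1", host]


def safe_ping(host: str) -> str:
    """Fixed version, step two: run the vector directly (shell=False)."""
    result = subprocess.run(
        build_ping_argv(host), capture_output=True, text=True, timeout=20
    )
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print(vulnerable_ping(payload))          # output ends with INJECTED
    try:
        safe_ping(payload)
    except ValueError as e:
        print("rejected:", e)
```

In PHP the equivalent is `escapeshellarg()` on the value, or better, not calling `system()`/`exec()` with user data at all; the allowlist is what makes the fix robust, because escaping alone still hands the string to a shell.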
+ Local File Inclusion Vulnerabilities (LFI)
3 lectures 23:36

Local File Inclusion (LFI) vulnerabilities allow hackers to read local files on the server that they are not supposed to read.

This lecture will introduce you to these vulnerabilities and teach you how to discover and exploit them to read any file on the target server.

What are they? And How To Discover & Exploit Them
05:49

In this lecture you will learn how to exploit local file inclusion to get reverse shell and gain full control over the target web server.

Preview 07:10

Here you will learn another method to use a local file inclusion vulnerability to get a reverse shell and gain full control over the target web server.

Gaining Shell Access From LFI Vulnerabilities - Method 2
10:37
+ Remote File Inclusion Vulnerabilities (RFI)
4 lectures 18:13

This lecture will teach you how to configure the PHP settings that allow remote file inclusion, so we can practise a remote file inclusion vulnerability in the next lecture.

Remote File Inclusion Vulnerabilities - Configuring PHP Settings
03:46

Remote File Inclusion vulnerabilities (RFI) allow hackers to include remote files.

This lecture will introduce you to these vulnerabilities and teach you how to discover and exploit them to get a reverse shell and gain full control over the target server.

Remote File Inclusion Vulnerabilities - Discovery & Exploitation
05:44

This lecture will teach you how to exploit more secure remote file inclusion vulnerabilities to get a reverse shell and gain full control over the target server.

Exploiting Advanced Remote File Inclusion Vulnerabilities To Hack Websites
02:49

In this lecture we will look at the code causing the above vulnerabilities (both local and remote file inclusion). You will learn why they are exploitable, how to fix them and how to secure pages from them.

[Security] Fixing File Inclusion Vulnerabilities
05:54
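The LFI and RFI sections above both come down to one line of the kind `include($_GET['page'])`: the request string decides which file is loaded. This added example (mine, not the course's; the page directory, page names and traversal inputs are assumptions) shows in Python why `../` and a leading `/` escape the intended directory, and two fixes: confining the resolved path to the include directory, and the simpler allowlist that maps request keys to files so user input never touches a path at all. The remote half of the fix is configuration rather than code: the course enables remote includes in the previous lecture by changing PHP settings, and leaving `allow_url_include` off is what closes RFI.

```python
import os

INCLUDE_DIR = "/var/www/html/pages"  # assumed location of the includable page files
PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}


def vulnerable_include_path(page: str) -> str:
    """Equivalent of include("pages/" . $_GET['page']): the user string is the
    path. "../" walks out of the directory, and because os.path.join discards
    the base when the second part is absolute, so does a leading "/"."""
    return os.path.join(INCLUDE_DIR, page)


def confined_include_path(page: str) -> str:
    """General fix: force the extension, resolve the path to its canonical
    form and refuse anything outside INCLUDE_DIR. Catches "../" sequences,
    absolute paths, the "%00" null-byte trick and symlinks pointing elsewhere."""
    if "\x00" in page:
        raise ValueError("null byte in page name")
    base = os.path.realpath(INCLUDE_DIR)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("page resolves outside the include directory: %r" % page)
    return target


def allowlisted_include_path(page: str) -> str:
    """Preferred fix when the set of pages is known: a short key selects a
    file name from a fixed table; the request string is never used as a path."""
    try:
        return os.path.join(INCLUDE_DIR, PAGES[page])
    except KeyError:
        raise ValueError("unknown page: %r" % page) from None


if __name__ == "__main__":
    for p in ("about", "../../../../etc/passwd", "/etc/passwd", "../../../etc/passwd\x00"):
        print("vulnerable:", vulnerable_include_path(p.replace("\x00", "%00")))
        for fix in (confined_include_path, allowlisted_include_path):
            try:
                print(fix.__name__ + ":", fix(p))
            except ValueError as e:
                print(fix.__name__ + ": rejected,", e)
```

The confined version is the one to reach for when pages are added dynamically; the allowlist is smaller and easier to audit when they are not. Either way the fix is about the path the application builds, not about blocking strings like `../` in the input, which the course's bypass lectures show is unreliable.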
+ SQL Injection Vulnerabilities
2 lectures 08:41

This lecture will explain what SQL is and what it is used for; this is important to understand before we dive into SQL injection vulnerabilities.

What is SQL?
05:48

This lecture highlights why SQL injections are considered one of the most dangerous vulnerabilities.

Dangers of SQL Injections
02:53