
Learn web penetration testing and bug bounty hunting from scratch. Identify misconfigurations, bugs, and vulnerabilities in websites, and report them to owners for rewards.
Install Kali Linux as a virtual machine to learn the tools used in bug bounty hunting. Skip this section if you already have Kali Linux.
Discover how virtual machines enable you to run Linux, Windows, and other operating systems for safe, recoverable testing in this course, using VirtualBox to create and rebuild environments.
Install VirtualBox on Windows and set up the extension pack, resolve the Visual C++ runtime, and configure a virtual network to connect host and guest machines for testing.
Discover how to download and set up Kali Linux for penetration testing, compare major Linux distributions, and configure a VirtualBox lab with 64-bit support.
Troubleshoot Linux installation issues on Windows by checking free space, enabling virtualization, and BIOS or Hyper-V settings, then choose VirtualBox, VMware, or ISO bare-metal installation.
Solve Linux installation issues on Macs by using UTM instead of VirtualBox, with Intel vs M1 differences, installing Kali Linux from ISO, and configuring storage, memory, and EFI settings.
Explore Kali Linux fundamentals: navigate the desktop and terminal, adjust display resolution and keyboard settings, understand root versus user access, manage files, ensure internet connectivity, and begin mastering Linux commands.
Navigate the Linux terminal by using pwd, ls, and cd to locate positions and move between directories; create folders with mkdir and files with touch, while exploring the file system.
Explore root privileges and permissions in Linux using Kali as an example, and learn how the root user can delete, modify, or access files with sudo or sudo su.
Learn Linux package managers and use apt to install, search, update, and upgrade tools in Kali Linux, with examples like Wireshark and bettercap.
Learn to use the nano text editor in Linux to view, edit, and save files, explore permissions, and compare nano with cat and vim across distributions.
Explore what a website is, how websites work, and learn HTML fundamentals to support bug bounty hunting in web penetration testing.
Understand what a website is by exploring hosting, IP addresses, and domain basics. Learn how DNS maps domains to public and local IPs, supporting web testing and bug bounty work.
Explore the fundamentals of HTML, a markup language, and learn to read, write, view source, and inspect HTML using editors and browser tools.
Learn HTML basics by declaring doctype, using opening and closing tags, exploring head and body, metadata, and the role of title and utf-8 in web pages.
Explore HTML fundamentals by examining elements and attributes, from head and body to headers (h1–h3), paragraphs, and breaks, plus class attributes and self-closing tags like br.
Learn to build links with href and target attributes, structure forms with divs, labels, and text or password inputs, use placeholders, and inspect elements for basic pentesting demonstrations.
Learn how to use text areas, images, and basic form elements in HTML, including setting attributes like width and height, and how headers and footers organize page structure.
Explore stored HTML injection by testing via Burp Suite, intercepting GET and POST requests, and injecting iframes to reveal vulnerable pages and user data.
Explore how HTML injection form vulnerabilities can capture usernames and passwords through a demo login form, and how ethical testing and bug bounty reporting address these issues.
Learn to discover hidden web pages with DirBuster for directory brute forcing using wordlists. Use Burp Suite to collect interactions, monitor results, and adjust threads for faster testing.
Continue building the same app as we begin the PHP injection topic, highlighting the severity of this vulnerability and why it's essential to learn now.
Demonstrate PHP injection via Burp Suite, intercept and modify requests, execute PHP code on the server, reveal sensitive files like /etc/passwd and /etc/shadow, and spawn a shell to explore the system.
Learn new techniques and attacks as we continue this section, focusing on command execution and SSI vulnerabilities.
Master OS command injection by triggering server-side commands, observing DNS lookups, and testing request parameters with piping and semicolon bypass to obtain a shell.
Use Commix to automate command injection testing and speed up vulnerability discovery, leveraging cookies, Burp Suite data, and in-application inputs to obtain a shell when possible.
Learn about SSI injection, a Server Side Includes vulnerability, by examining how include and execute directives work in SSI and how an attacker can run commands on the server.
Master how to test SSI injection against filters and firewalls by tweaking parameters and comments, using trial and error to reveal what gets blocked or allowed.
Explore directory traversal basics to discover files and folders, and see how these findings can lead to bug bounty submissions.
Expose how directory traversal attacks reveal server files and folders by manipulating URL parameters, using Burp Suite with a proxy to intercept requests, and exploring web server directories.
Practice directory traversal to access hidden files on a web server, using dot-dot-slash sequences to locate files and folders, and preview the vulnerabilities discussed in the next lecture.
Optimize directory traversal testing with the dotdotpwn tool by fuzzing against a host, using HTTP payloads, the SSL option, and a depth of six to reveal vulnerabilities efficiently.
Explore cross-site scripting vulnerabilities in web penetration testing and learn how bug bounty rewards incentivize researchers to uncover them.
Explore reflected AJAX XSS by testing an AJAX JSON search input that echoes user input in the response. Use the Burp Suite proxy to intercept requests, injecting scripts to trigger alerts.
Learn how insecure direct object references expose broken access control through user input manipulation, enabling unauthorized secret changes and price tampering in real web app scenarios.
Explore the pacifica dot net lab to study how transcripts reveal other users' chats and passwords. Identify broken access control via transcript endpoints and parameter manipulation that expose unrelated chats.
Explore cross site request forgery (CSRF), install and set up the vulnerable machine for hands-on practice, and begin testing as you progress to more machines later.
Log in to Metasploitable and fix a misconfigured DVWA database, then explore multiple vulnerable apps like Mutillidae, DVWA, and Juice Shop to practice bug bounty testing.
Learn how cookies and session data can be forged to impersonate other users by tampering with values like the user ID, using browser dev tools to inspect storage and cookies.
Explore cross-site request forgery (CSRF) by forging requests, observe cookie-based admin impersonation, and practice with Burp Suite and DVWA to analyze password changes and user registrations.
This lecture demonstrates a simple CSRF attack using Burp Suite, showing how a crafted link and the Repeater tool change password parameters and test admin user scenarios.
Welcome to The Complete Web Penetration Testing & Bug Bounty Course
In this course we are going to start from scratch and learn how to find vulnerabilities & bugs in websites and web applications. Of course, we will learn this to notify the related authorities, to make the internet a safer place, and to start making money out of this process. We are going to learn how hackers find vulnerabilities, how hackers carry out their attacks, and also how to protect ourselves against these attacks and submit these bugs to the related developers. We will never neglect theory, but we will do hands-on practice all the time during the course. You will be hacking into vulnerable systems throughout the course.
This training is brought to you by Codestars by Rob Percival (+1.000.000 students) and Atil Samancioglu (+280.000 students). Atil has taught cyber security & programming on Udemy for more than 5 years, and he also teaches mobile development at Bogazici University. If you are looking forward to being a part of the cyber security environment, then you have found the right course and the right instructor!
You can see some of the topics that we are going to cover throughout the course below:
Web Application Pentesting
Burp Suite
Kali Linux
HTML
bWAPP
Juice Shop
OWASP Top 10
OWASP API Top 10
Mutillidae
DVWA
XSS
XXE
SQL Injection
HTML Injection
PHP Injection
Shell Methods
File Vulnerabilities
Nikto
Commix
Dotdotpwn
Wafw00f
Directory Traversal
Brute Force
Bug Bounty
API Pentesting
Content
This training is perfect for people who want to become an ethical hacker and a bug bounty hunter. We are going to start from scratch and work our way up to all the details. We are going to cover Kali Linux, Burp Suite, HTML, XSS, SQL, PHP injection, and so much more. The whole curriculum is designed to make you comfortable during the process.
Warning: This course aims to teach people how to become ethical hackers and cyber security specialists. All students must use the related information within legal boundaries, as mentioned in the course, to make the internet a safer place.