
Learn practical web application penetration testing from an industry-ready perspective for web developers and junior testers, exploring vulnerabilities, root causes, exploitation, and mitigation while building secure coding and testing skills.
Engage in hands-on web application security testing by deploying a secure bank app with Docker, using Burp Suite to examine injections, authentication, authorization, and data validation.
Explore how software protects data by applying the CIA triad (confidentiality, integrity, and availability), balancing security with business continuity and usability.
Define software vulnerabilities as unexpected states that break confidentiality, integrity, or availability. Learn how exploits and payloads weaponize these flaws, and how fixes realign systems with expectations to reduce risk.
Explore a practical sql injection vulnerability in a simple flask app, showing how crafted input bypasses authentication and exposes admin data using a classic payload and sql querying.
Learn how IDOR (insecure direct object reference) enables broken access control by manipulating resource IDs in a web app, exposing unauthorized receipts and data through weak authorization checks.
Explore stored cross-site scripting (XSS) vulnerabilities in a simple guestbook, showing how user input stored on the server can inject HTML and JavaScript that executes in the DOM.
Understand how a network penetration test differs from vulnerability assessment by exploiting weaknesses, enumerating services with nmap, testing scope across IPs or subnets, and maximizing privileges via misconfigurations and vulnerabilities.
Explore practical web application penetration testing, focusing on HTTP, TLS, browser interactions, and proxies such as Burp Suite, while defining scope across production and black, gray, and white box approaches.
Analyze source code to uncover vulnerabilities, tracing data from sources like user input to sinks such as sql queries, and learn tainting and mitigation with prepared statements.
CWE, a Mitre-maintained catalog of software and hardware weaknesses, standardizes security flaws and includes descriptions, consequences, mitigations, with examples CW 611 and CW 89.
Explore the common vulnerability scoring system (CVSS) and how base, temporal, and environmental scores combine to prioritize security issues, enabling effective vulnerability management and communication.
Analyze CVE-2022-22965 through a hands-on Docker-based demo, compute CVSS 3.1 risk scores, and explore remote code execution via Spring data binding in a Tomcat war deployment.
Explore capture the flag challenges and categories like binary exploitation, reverse engineering, and web security, and learn how CTFs build hands-on security skills.
Explore how security integrates into every stage of the software development life cycle, from threat modeling and secure coding to testing, hardening, and decommissioning.
Explore web application penetration testing on the secure Bank, a dotnet cross-platform app with OWASP top ten vulnerabilities. Deploy, run reproducible proof-of-concept tests, and analyze transactions and admin features.
Set up a working http proxy to view, analyze, and modify browser traffic and attack vectors between the client and the web app, using Burp Suite, mitmproxy, and Kydo.
Explore the HTTP protocol by analyzing requests and responses, including get and post methods, headers like host and cookie, and status codes, using Burp Suite to intercept and modify traffic.
Explore Burp Suite extensions to extend testing capabilities with Java or Python extensions, installed from the Burp App Store, including auth analyzer and API access for HTTP, Repeater, and Decoder.
Mitmproxy is a free, open-source interactive HTTP proxy for debugging, testing, and penetration testing, enabling interception, inspection, modification, and replay of web traffic via a Python API.
Learn how to connect any browser to the Burp Suite proxy, configure the proxy settings, and install the Burp certificate to avoid TLS certificate errors and view https traffic.
Track testing coverage across pages, api endpoints, and parameters to quantify progress with a completion percentage and coordinate testing tasks.
Identify information disclosure across the UI, source code, and HTTP traffic, including errors, directory listings, and metadata, and explain how attackers map systems to plan exploits.
Identify how stack traces leak sensitive backend details during error handling, file uploads, and cookie manipulation, creating a medium security risk.
Discover how unmanaged errors expose backend flaws by examining json versus html responses, deserialization issues, and vulnerable endpoints such as get transactions and admin store download and upload store items.
Identify and mitigate injection vulnerabilities by understanding how untrusted input reaches interpreters or parsers, including Python commands and SQL queries, and test the secure bank app with special characters.
Explore how sqlmap automates sql injection exploitation, tests parameters with a session cookie for authenticated requests, and dumps data from the database.
Explore practical web application penetration testing with an in-depth sql injection code review, tracing how user input and session cookies inject queries in the transaction api.
Explains stored cross-site scripting in the transaction page, demonstrating unencoded user input displayed in the page and the need for proper output encoding using render for protection.
Identify a path traversal vulnerability in the profile image endpoint, test with Burp and dot-dot-slash payloads, and assess the impact of anonymous access exposing server files.
Demonstrate how a directory traversal can read arbitrary files, enumerate /proc to reveal environment variables and command lines, and uncover sensitive credentials from a running Linux process.
Demonstrates testing for XML external entity (XXE) flaws in a file upload by using a doctype payload to read server files like /etc/passwd, with mitigations to disable DTD processing.
An SSRF vulnerability enables the server to fetch a crafted image URL, potentially exposing internal store API data via the profile image update flow.
Explore command injection in admin API, discover a cmd parameter that enables remote code execution, and learn to fuzz inputs with burp intruder and faf to identify vulnerabilities.
During transaction creation, the autocomplete uses the /api/search/find user endpoint to enumerate emails by an empty term, revealing user data, with low to medium risk.
Identify an insecure password update vulnerability in authentication, showing how omitting the old password allows password changes and enables CSRF and XSS exploits.
Exposes a weak password policy in user registration, with client-side validation and passwords stored in clear text; recommends reporting to clients and enforcing server-side checks, longer passwords, and password managers.
Explore authorization, including roles, permissions, and access control logic, and identify vertical and horizontal privilege escalation that enable unauthorized data or functionality access in web apps.
Identify insecure direct object reference (idor) as an authorization flaw by altering user identifiers in funds and profile image endpoints to access other users' data, using Burp Suite.
Idor vulnerabilities that enumerate transaction ids and read other users' data through endpoints like transaction details and store history, exploiting a session cookie that reveals the user's email.
Demonstrates horizontal privilege escalation by manipulating the sender ID and session cookie to trigger transactions and purchases on behalf of other users, exposing critical API design flaws.
explore vertical privilege escalation by exploiting an admin register endpoint and session cookie manipulation to access admin functions, highlighting client-side cookie manipulation and insecure password update risks.
Identify a vertical privilege escalation vulnerability via mass assignment in the API registration, where setting a user right value during signup grants admin access and cookie privileges.
Analyze insecure session cookies with a structure exposing a base64 email and user rights, enabling tampering and bypass of access checks. Implement pseudo random IDs and integrity protection.
Test concurrent sessions by logging into the same account from multiple browsers to verify whether the application allows simultaneous logins, and document evidence with screenshots for low-risk reporting.
Explore json web tokens (jwt) as a session management mechanism, including header, payload, and signature structure, bearer authorization, and common integrity attacks.
Explore how an unverified JWT allows a user to become admin by tampering the token payload: decode, modify the payload, re-encode, and refresh to access admin data.
Explore how a weak signing key enables tampered jwt tokens, showing offline brute-force cracking of hmac sha-256, payload tampering to gain admin access.
Showcases a JWT algorithm confusion attack in a docker lab, exploiting RSA 256 and HS256 by using a public key as a symmetric key, with mitigations.
Explore session management and cookies in web apps, focusing on integrity, http only, secure, same-site attributes, cross-site request forgery, logout issues, and session fixation testing.
Learn how business logic vulnerabilities arise from banking and e-commerce contexts, and how domain constraints and improper implementations can bypass security rules beyond technical flaws.
Examine race conditions in store purchases, showing how parallel requests can bypass balance checks and allow multiple items to be bought without proper atomicity.
Validate user input with security checks and constraints to filter invalid data, prevent injection and business logic vulnerabilities, and prefer allow lists over deny lists.
Examine the malicious file upload vulnerability by testing the upload endpoint, antivirus/EDR checks, path traversal, and how uploads are saved to disk.
Explore how arbitrary file upload introduces risk through file metadata, content type, and path traversal, enabling extension manipulation and potential script execution in PHP environments.
Demonstrates how a return URL in a logout flow enables an open redirect via the location header, and emphasizes whitelist validation to restrict redirects to trusted domains.
This course has been developed with a clear objective: show in practice what it means to perform a Web Application Penetration Test (WAPT), exactly as it would happen with a real client in a typical week of work. This approach will allow you to quickly reach the experience level of a junior penetration tester.
Consider these questions:
Are you interested in working in the security industry?
Do you want to learn how to test the security of a Web Application?
Do you like hands-on, practice-based learning?
If you answered yes to these questions, then this course is for you.
In this course, we will show how to test the security of Secure Bank, a home banking application designed as a training ground for penetration testers and web developers. During the test we will find 40+ security issues belonging to the following categories:
- Information Disclosure
- Injection Vulnerabilities
- Authentication
- Authorization
- Session Management
- Business Logic Vulnerabilities
- Data Validation Vulnerabilities
- Cryptography
- Insecure Configuration
For each security issue we will show how to find the vulnerable behavior, how to exploit it and finally how to explain it using written Proof of Concepts (PoCs) to the final client. At the end of the course you will see 40 different PoCs for 40 different vulnerabilities. This should give you a very good intuition on WAPT testing, something that will help you to get started in the industry or to simply refine your skills in case you need to.