Library

Course: Web Hacking: Become a Professional Web Pentester

Web Hacking: Become a Professional Web Pentester

  • Life Time Access
  • Certificate on Completion
  • Access on Android and iOS App
About this Course

This course contains everything to start working as a web pentester. You will learn about exploitation techniques, hacking tools, methodologies, and the whole process of security assessments. It is absolutely hands-on, you will do all the attacks in your own penetration testing environment using the provided applications. The targets are real open-source software. You will have to work hard but at the end you will be able to do web security assessments on your own as a real ethical hacker

My name is Geri and I am the instructor of this course about web application hacking. If you are interested in hacking and IT security, then this is the perfect place to start. You might be a developer, an IT administrator, or basically anybody with an IT background. With this training you will get everything you need to start working as a professional web penetration tester. 

But why would you want to become one? First of all because it is lot's of fun. You can be in the position of an attacker trying to hack various system. Finding vulnerabilities exploiting them and taking over the system. You can find the true hacker in yourself. It is a very creative and exciting job.  

Also the security business is booming now. I get offers every day on LinkedIn, because there is a serious shortage of penetration testers. As companies figure out that they really have to care about security they face the problem that they cannot find people to do that. And it just keeps growing. And because of that you can earn pretty well even as a white hat ethical hacker, so there is no reason to go to the dark side. 

But why should you learn web hacking. Mostly because there is the biggest demand on the market. Wherever you go to work right now as a penetration tester, around 80 % of the projects are web hacking related. This usually because the awareness of web security was already established and because basically everything has a web interface from web application to embedded devices or IoT. Also because that is the fastest to learn. It is because web related technologies are usually text based and are easy to work with. So at the end of the day web pentesting is the fastest to learn and the most searched for so I think it is an obvious choice to start your carrier there. 

But who am I to teach that, you might ask. I work as a penetration tester in Germany. I am lucky to work with the extremely wide spectrum of technologies in my day job. 

I also talk on conferences, when I have the time (google my name).

And I have already made an online hacking course which has 20000+ students, and people seemed to like it. 

But most importantly I know how to become a penetration tester because I did it myself. I was a software quality engineer when I decided to change to pentesting. I did trainings read books to become one. But when I designed this ethical hacking course I tried to figure out what are the most important things you need, based on my own experience. I analysed what I needed the most to become a pentester and also what we are looking for, when we hire somebody in our team. And I put these topics in this course. So if you learn everything in this ethical hacking course, then I would be glad to work with you, because I would know that I can trust you with doing a web assessment.  

So how is this course looks like. It is absolutely hands on. We are gonna hack real open source applications where you can try every technique and attack yourself. So you will have to get your hands dirty. I will show you everything first and then you can keep experimenting and testing yourself. 

Of course this course is the essentials. I don't like the idea of people calling courses the "complete whatever". In IT generally there is no such thing as complete. There are new systems and technologies born everyday. You will have to learn forever and your knowledge will never be complete. But that is good for two reasons: 

It never gets boring, there will be always something interesting new thing to learn. 

You will be never without job. If you keep up with the developments there will be always something new to do. And as long as there are new systems people will keep screwing up and building insecure stuff. And that's what brings projects to us.

So I hope I piqued you attention, to learn web application hacking and becoming an ethical hacker. But if you don't believe me here is what my students say:

"The instruction is hitting some key elements to test for web apps and in the process providing some useful tips when using Burp." - Danny Rogers

"I watched first time all video - and didn't see 10% of the value LOL shame on me. But over now that am doing exercises i see how much and how powerful this course - thank you Geri!!" - ARturs Stays

"Dude you are awesome. Teach me!!!! Teach me!!!!!" - Rubem

"A very well developed and presented course." - Steve Hinesly

 So join now and let's get hacking.

Who this course is for:

  • Developers who want to secure their web applications
  • People who want to become penetration tester
  • Penetration testers who want extend their portfolio to web applications
  • Anybody who work in IT or studies it and is interested in web hacking
Basic knowledge
  • Students need to have IT background
  • Virtual machines are used in the course, a user level understanding of VMWare or Virtualbox is needed
What you will learn
  • Why hacking is fun
  • Understand web security problems and how to fix them
  • Find security vulnerabilities in web applications
  • Start working as a penetration tester for web applications
  • How traditional and modern web applications work
  • How the process of ethical hacking works
  • Get practical experience in exploiting web applications
  • How to do ethical hacking projects the right way
  • How professional penetration testing works
Curriculum
Number of Lectures: 53
Total Duration: 07:51:18
Warm up
  • Introduction  

    Introduction to the course.


  • Disclaimer  

    Computer hacking is a sensitive topic, so there is nothing without a disclaimer.

    Everything in this course is my private opinion and product. My employer has no connection to it.

  • Methodology  

    Introduction to the methodology of security assessments and what is covered by this course.

  • Course Outline  
Environment setup
  • In this section  

    Introduces the contents of this section.

  • Download resources  

    Download all the resources for the rest of the course.

  • Setting up the target  

    We will setup the target server, which we will attack in the following sections.

  • Setting up Kali  

    We will install Kali linux, which we will use throughout the course.

  • Setting up the Burp Suite  

    We will install the newest Burp Suite in our Kali.

Web 101
  • Web 101 - In this section  
  • How HTTP works  

    You will learn about the HTTP protocol, which is in the core of the web. You will be able to understand HTTP communication.

  • Static HTML  

    Starting from the basics of web sites you will learn how HTML works.

  • PHP and friends  

    We will write a simple PHP page to understand how that and similar technologies work.

  • Modern MVC frameworks  

    We will write a simple MVC application in python with Django, to get a general understanding about modern web frameworks.

  • Javascript  

    We will write Javascript to understand its concept.

Application discovery
  • Manual discovery  

    How to map the application manually.

  • Automated discovery  

    We will learn about tools, which can help you in the discovery process.

Attacking session management
  • Session management intro  

    Introduction to how session management works in web applications.

  • Session fixation  

    You will learn about session fixation vulnerabilities and how to exploit them.

  • Weak logout  

    You will learn about why logout is critical in session management.

  • Same origin policy  

    You will learn about the Same Origin Policy, which is one of the most important security measures of browsers. Understanding how it works is necessary to be able to attack it.

  • CSRF  

    Cross-site request forgery is one of the most important vulnerabilities in web applications. You will learn about it everything you need to know in this lecture.

  • Securing the session  

    You will learn, what to recommend to your customers when they suffer from session management problems.

Attacking authentication
  • SSL/TLS  

    The corner stone of today's encryption is SSL/TLS, we will learn everything you need to know about it.

  • Authentication bypass  

    We are going to try some authentication bypass attacks.

  • Unauthenticated URL access  

    Getting access to the application in the most simple way, and it surprisingly works.

  • Password quality  

    We need to talk about password quality because it is still a problem.

  • Password brute force  

    You will learn how to do password brute force attacks against web applications.

  • Default accounts  

    Defaults were always the friend of attackers, you will learn why.

  • Weak password recovery  

    There are various ways to recover passwords. Not all of them are secure. You will see here why.

  • Mitigations  

    We will learn how to prevent authentication problems.

Attacking authorization
  • Authorization Intro  

    Typical error is to find feature, authorization is not implemented correctly.


  • Manipulating variables  

    Trusting the client side is always a problem. We will learn how to exploit this trust in web applications.

  • Client side authentication  

    Again, never trust the client, especially with authentication.

  • Attacking Authorisation - Mitigations  

    We will learn how to prevent authorization problems.

Attacking the client
  • Reflected XSS  

    Silver bullet of web applications. In this lecture you will learn how to exploit reflected cross-site scripting vulnerabilities.

  • Stored XSS  

    Golden bullet (if there is anything like that) of web applications.

  • HTTP header injection  

    We will learn how HTTP headers can be used in attacks.

  • Malicious URL redirection  

    Redirects are innocent, right? We will learn here why they aren't.

  • Exploiting wrong content-type  

    Various attacks are possible if the content type is wrong. We will experiment with these.

  • Attacking the client - Mitigations  

    Fortunately for the world there are new security protections against various attacks. We will learn about some of them in this lecture.

Server side injections
  • Malicious file upload  

    File upload is always interesting. Many things can go wrong, which we will learn how to exploit.

  • LFI and RFI  

    Local and Remote File Inclusion can give you code execution on the server. We will learn how.

  • OS command injection  

    Applications sometimes allow code execution in the OS if we can find it. We will find it.

  • SQL injection  

    This vulnerability exists since decades and it doesn't want to go away. We will learn how it works and how to exploit it.

  • UNION Select Attack  

    UNION Select is a special case of SQL injection which can be really useful when extracting data.

  • Blind SQL injection  

    Exploiting blind SQL injection vulnerabilities is difficult, but we will learn how to do it.

  • Automating SQLi testing  

    SQL injections can be time consuming. We will learn how to save some time using tools and automation.

  • Server side injections - Mitigations  
The rest
  • Reporting  

    Quality report is a very important thing if you are doing this professionally. I will give you some tips about how to make a good report.

  • Checklist  

    In this lecture we will learn about how to use my checklist in security assessments.

  • Checklist download  
  • What's next  

    We will talk about what you should do to after this course.

Reviews (0)