Practical Web Application Penetration Testing

Secure your web application using automated tools through penetration testing



With the increase in web applications, the way of doing business has changed, along with the way data is shared and accessed. This has invited malicious attackers to intrude into systems and gain leverage. Web application pentesting has therefore become important for defending both the application and the network. This course will teach you how to analyze technical flaws, vulnerabilities and weaknesses.




This Course Will Help You To

Build an end-to-end web application security model.
Test network and web application configuration for vulnerabilities.
Try automated web hacking techniques using tools like OWASP ZAP, WMAP, Acunetix, etc.

Who is it for?

Anybody who is interested in learning website & web application hacking / penetration testing.
Anybody who wants to learn how hackers hack websites.
Anybody who wants to learn how to secure websites & web applications from hackers.
Web developers who want to create secure web applications & secure their existing ones.
Web admins who want to secure their websites.


Learn to assess web application security by simulating attacks.

About the Course

5 hours


Exploitation of web applications has become a trend among hackers, leading to data breaches. Understanding and analyzing the framework of a web application is important for developers and security analysts who need to defend it from attacks. This course is focused on the practical implementation of penetration testing. You'll first learn how to set up a lab and install the required software to carry out penetration testing on your own machine.

This course will help you get acquainted with the infrastructure of a website: how it works, what it relies on, how a web server and a database operate, and how all of these components work together to give us functioning websites. It will show you how to launch attacks and test the security of websites and web applications just like black hat hackers do; beyond that, you'll be able to fix these vulnerabilities and secure websites against them. After learning the basics, you will discover the end-to-end use of tools such as OWASP ZAP, WMAP, Acunetix and Kali Linux.



Course Outline

Section 1: Introduction

1.1: Introduction


Section 2: Course Preparation: Lab Setup

2.1: Building a Lab: Concepts 

2.2: Building a Lab: Virtual Box 

2.3: Deploying a Kali Linux VM 

2.4: Deploying a Metasploitable VM 

2.5: Deploying a Windows VM 


Section 3: Useful Information Before We Start

3.1: Kali Linux Overview 

3.2: Introduction to Linux Commands 

3.3: Lab Environment Settings 

3.4: Websites 101 

3.5: Websites Hacking Introduction 

Section 4: Footprint and Reconnaissance

4.1: Information Gathering 

4.2: Discovery Tools 

4.3: DNS Reconnaissance 

4.4: Websites Hosted on the Same Server 

4.5: Subdomains 

4.6: Finding Files on Directories 

4.7: Analyzing Discovery Files 

4.8: Maltego (1 of 2) 

4.9: Maltego (2 of 2) 

Section 5: File Upload Vulnerability

5.1: Introduction to File Upload Vulnerabilities 

5.2: HTTPS Requests: Get & Post 

5.3: Using Burp as a Proxy Server 

5.4: Exploiting File Upload Vulnerability (1 of 2) 

5.5: Exploiting File Upload Vulnerability (2 of 2) 

5.6: File Upload Vulnerability Countermeasures


Section 6: Code Execution Vulnerabilities

6.1: Code Execution Vulnerabilities (1 of 2) 

6.2: Code Execution Vulnerabilities (2 of 2) 

6.3: Code Execution Vulnerability Countermeasures


Section 7: Local File Inclusion Vulnerabilities

7.1: Local File Inclusion Vulnerabilities 

7.2: Getting Shell from LFI Vulnerability (1 of 2) 

7.3: Getting Shell from LFI Vulnerability (2 of 2) 


Section 8: Remote File Inclusion Vulnerabilities

8.1: Remote File Inclusion Vulnerabilities (1 of 3) 

8.2: Remote File Inclusion Vulnerability (2 of 3) 

8.3: Remote File Inclusion Vulnerability (3 of 3) 

8.4: RFI Vulnerability Countermeasures

Section 9: Introduction to SQL Injection

9.1: Introduction to SQL Injection 

9.2: SQLi Severity


Section 10: SQLi on HTTP Post Requests

10.1: Finding SQLi on HTTPS Post Requests 

10.2: Bypassing Logins Using SQLi (1 of 2) 

10.3: Bypassing Logins Using SQLi (2 of 2) 

10.4: SQLi Login Bypass Countermeasures

Section 11: SQLi on HTTPS Get Requests

11.1: Finding SQLi on HTTPS Get Requests 

11.2: Reading Database Information 

11.3: Finding Database Tables 

11.4: Extracting Sensitive Information From Databases

Section 12: Advanced SQLi

12.1: Exploiting Blind SQLi 

12.2: Advanced Techniques to Find SQLi Vulnerabilities 

12.3: Advanced Techniques to Extract Passwords using SQLi 

12.4: Bypassing Security to Access All Records 

12.5: Bypassing Filters 

12.6: SQLi Countermeasures 

12.7: Read/Write Files on the Server using SQLi 

12.8: Getting Reverse Shell and Full Control on a Webserver 

12.9: sqlmap 

12.10: Getting Shell Using sqlmap 

12.11: More SQLi Countermeasures 

Section 13: Cross Site Scripting (XSS)

13.1: Introduction to XSS 

13.2: Reflected XSS (1 of 3) 

13.3: Reflected XSS (2 of 3) 

13.4: Reflected XSS (3 of 3) 

13.5: Stored XSS (1 of 2) 

13.6: Stored XSS (2 of 2) 

13.7: DOM Based XSS 

Section 14: BeEF Framework

14.1: Exploiting XSS using BeEF 

14.2: Hooking Victims to BeEF Using Stored XSS 

14.3: Interacting with BeEF Victims 

14.4: Running Basic Commands on Victims 

14.5: Stealing Credentials from a Fake Login Prompt 

14.6: Installing Veil 

14.7: Veil Overview and Basic Payloads 

14.8: Generating a Backdoor 

14.9: Listening to Incoming Connections 

14.10: Basic Backdoor Delivery Method 

14.11: BeEF Gaining Full Control Over a Windows Target 

14.12: XSS Vulnerability Countermeasures 

Section 15: Cross Site Request Forgery (CSRF)

15.1: Manipulate Cookies to Get Admin Access 

15.2: Discovering CSRF Vulnerabilities 

15.3: Exploiting CSRF (1 of 2) 

15.4: Exploiting CSRF (2 of 2) 

15.5: CSRF Vulnerability Countermeasures

Section 16: Password Attacks

16.1: Brute Force and Dictionary Attacks 

16.2: Creating a Wordlist 

16.3: Launching a Wordlist Attack with Hydra (1 of 2) 

16.4: Launching a Wordlist Attack with Hydra (2 of 2)

Section 17: Advanced Web Hacking and Automation

17.1: OWASP ZAP (1 of 2) 

17.2: OWASP ZAP (2 of 2) 

17.3: Samurai Framework & w3af console 

17.4: Acunetix 

17.5: WMAP 

17.6: CMSmap 

17.7: WebGoat and XML Injection

Section 18: Conclusion

18.1: Conclusion

Know Your Author

Luciano Ferrari

Luciano Ferrari is an information security leader and IoT hacking expert. He holds multiple security certifications, including CISSP, CISM, CRISC, and PCIP, and has worked at Fortune 500 companies in both technical and leadership roles. He drives progress at his own company, LufSec, where he works on security-related issues and projects.

Luciano has conducted hundreds of IT security audits and penetration tests, including audits and tests of IoT devices for cable companies. He has also applied his IT security expertise in manufacturing, semiconductor, financial, and educational institutions. With his background in electronics and microelectronics, his distinct specialization is hardware hacking. Luciano is passionate about teaching and sharing his knowledge with others.

His other areas of expertise include IT infrastructure, networking, penetration testing, risk, vulnerability, and threat management. In private, he enjoys researching new technologies and participating in security conferences and bug bounty programs.



Customers Who Loved Our Courses

Practical examples and detailed explanations.

These videos are very interesting. Especially, I like the section on XSS using BeEF.

Everything. This is the exact type of course I was hoping for when I subscribed to the service.

Broad coverage of many of the knowledge domains relating to web application penetration testing.

It was extremely informative and covered a lot of ground.