web-pentest.md

File metadata and controls

62 lines (61 loc) · 4.76 KB

# Learning web application penetration testing without any books or ebooks

## Beginner Level

- Subject: Introduction to Web Application Security
- Time needed to complete subject: 1 week
- Time needed per day: 2 hours

Reading:

- OWASP Top 10: https://owasp.org/Top10/
- Web Application Security Basics: https://www.imperva.com/learn/application-security/web-application-security/

Watching:

- Introduction to Web Application Security: https://www.youtube.com/watch?v=UgNjYV0Nf1Q
- Understanding OWASP Top 10: https://www.youtube.com/watch?v=5c7oJLDZzj4

Exercising:

- Complete the OWASP Top 10 Vulnerable Web Application Project: https://owasp.org/www-project-juice-shop/

## Intermediate Level

- Subject: Web Application Scanning and Enumeration
- Time needed to complete subject: 2 weeks
- Time needed per day: 2 hours

Reading:

- Web Application Scanning: https://www.acunetix.com/blog/web-security-zone/web-application-scanning/
- Enumeration Techniques in Web Application Penetration Testing: https://blog.eccouncil.org/enumeration-techniques-in-web-application-penetration-testing/

Watching:

- Introduction to Web Application Scanning with Burp Suite: https://www.youtube.com/watch?v=sfpLKOAKqzw
- Web Application Enumeration with OWASP Amass: https://www.youtube.com/watch?v=9npvucJlLr0

Exercising:

- Scan a vulnerable web application with Burp Suite or OWASP ZAP
- Enumerate a target web application with OWASP Amass or a similar tool

## Advanced Level

- Subject: Exploiting Web Application Vulnerabilities
- Time needed to complete subject: 3 weeks
- Time needed per day: 2 hours

Reading:

- Exploiting Web Application Vulnerabilities: https://www.offensive-security.com/metasploit-unleashed/exploiting-web-applications/
- Client-Side Attacks and Web Application Security: https://portswigger.net/web-security/web-application-penetration-testing/client-side-attacks

Watching:

- Advanced Web Application Exploitation: https://www.youtube.com/watch?v=0dFQKuGxS8o
- Cross-Site Scripting (XSS) Exploitation: https://www.youtube.com/watch?v=UY6C5W6U8CA

Exercising:

- Exploit a vulnerable web application using SQL injection or Cross-Site Scripting (XSS)
- Perform a client-side attack such as CSRF or clickjacking

Watching:

1. Web Application Hacker's Handbook series by PortSwigger: https://www.youtube.com/watch?v=2Z5eEvPm2e4&list=PLy4B3YRu5dseS65x6RxbRZzS8SOk6Uk48
2. Burp Suite Tutorials by Pentester Academy: https://www.youtube.com/watch?v=sMvZMvxQjKk&list=PL9f6DIO3l4vkkpKADn0Oh1J_rR0R8C5pJ

Exercising:

1. PortSwigger's Web Security Academy labs: https://portswigger.net/web-security/all-labs
2. OWASP Juice Shop: https://owasp.org/www-project-juice-shop/

Note: this is an advanced level course and requires prior knowledge of web application security concepts and penetration testing. It is highly recommended to complete the Beginner and Intermediate level courses in this field before proceeding with this advanced curriculum.

## Expert Level

- Subject: Advanced Web Application Penetration Testing Techniques
- Time needed to complete subject: 4 weeks
- Time needed per day: 2 hours

Reading:

- Advanced Web Application Penetration Testing: https://resources.infosecinstitute.com/category/certifications-training/penetration-testing/advanced-web-application-penetration-testing/
- Bypassing Client-Side Controls: https://medium.com/bugbountywriteup/bypassing-client-side-controls-1a2b126a7ebe

Watching:

- Advanced Web Application Testing Techniques: https://www.youtube.com/watch?v=JdqyxGZsY2Y
- Bypassing Client-Side Controls with Burp Suite: https://www.youtube.com/watch?v=2lZFdAEBnJY

Exercising:

- Perform an advanced web application attack such as XML External Entity (XXE) injection or Server-Side Request Forgery (SSRF)
- Bypass client-side controls using Burp Suite or a similar tool

Reading:

- OWASP Testing Guide: https://owasp.org/www-pdf-archive/OWASP_Testing_Guide_v4.pdf
- PortSwigger Web Security Academy: https://portswigger.net/web-security
- HackerOne Hacker101: https://www.hacker101.com/
- Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto (optional, recommended)

Watching:

- Web Application Hacker's Handbook LiveLessons by Dafydd Stuttard and Marcus Pinto: https://www.oreilly.com/library/view/web-application-hackers/9780134807122/
- Pentester Academy: https://www.pentesteracademy.com/
- Bugcrowd University: https://www.bugcrowd.com/hackers/bugcrowd-university/

Exercising:

- OWASP WebGoat: https://owasp.org/www-project-webgoat/
- PortSwigger Web Security Academy labs: https://portswigger.net/web-security/all-labs
- HackTheBox: https://www.hackthebox.eu/
- TryHackMe: https://tryhackme.com/

Note: It's important to use these resources ethically and legally. Do not perform penetration testing on any system or application without permission from the owner.