My Top Web App Penetration Testing Training Resources

Justin Van Bibber
3 min read · Jun 12, 2021

I put together a list of the training resources I used when I was just getting started learning appsec testing (still learning). If you feel lost, hopeless, and uncomfortable, you aren’t alone. That’s how I felt too, but now I have scored a few CVEs myself. Eat, sleep, hack, repeat.

  • The Web Application Hacker’s Handbook, 2nd Edition: Even though this book is severely dated, it’s co-authored by the founder of PortSwigger, who created Burp Suite! It builds the foundational knowledge you need to get started.
  • Stanford CS 253 Web Security: Take a Stanford course without the high tuition cost; no, seriously! It’s an introductory course on web application security for computer science students. I learned a ton watching the lectures. https://web.stanford.edu/class/cs253/
  • Web Security Academy: This training is completely free and will walk you through the OWASP top vulnerabilities, how to use Burp Suite, and more. PortSwigger (creators of Burp) constantly update the training with new content. https://portswigger.net/web-security
  • OWASP Top 10: Foundational changemakers for a safer, more secure internet, focusing on web application security and safe coding practices. Read and understand the ten security vulnerabilities that are currently plaguing the world of web applications. https://owasp.org/www-project-top-ten/
  • Kontra: This is a really good interactive web app/API training for developers. It is self-contained, does not require Burp, and provides a walk-through, including remediation steps. https://application.security/free/owasp-top-10
  • Virtual Machines: There are a few classics when it comes to intentionally vulnerable web applications: DVWA, bWAPP, Mutillidae 2, and WebGoat. They are all compiled onto one freely downloadable VM now! https://www.vulnhub.com/entry/hackable-secret-hacker-vulnerable-web-application-server,411/
  • Juice Shop: Juice Shop is another OWASP gem; it’s a sophisticated vulnerable web application that deserves its own bullet point. The vulnerable VMs are great for starting out, and the Juice Shop web app is the next level. When you are comfortable with your methodology, give it a try! https://owasp.org/www-project-juice-shop/
  • No Starch: What’s a blog post on infosec resources without a reference to No Starch Press? All their books are fantastic, but a few I’ve read have particularly helped my understanding and methodology: The Tangled Web by Michal Zalewski; Real-World Bug Hunting by Peter Yaworski; Web Security for Developers by Malcolm McDonald.
  • OWASP Checklist: Here is a fantastic checklist that I have used on every web application engagement and will continue to use. It outlines, at a minimum, what you should be looking for. Read through it to understand what you should test for. https://github.com/tanprathan/OWASP-Testing-Checklist
  • eWPT & eWPTXv2: eLearnSecurity has two web application courses, each paired with its own certification. The content is really good and comes with lab access. The eWPT is starting to show its age and needs a refresh. eLearnSecurity prices are pretty steep, but if you can get your company to pay for it, I would highly recommend checking them out. They often have sales on courses, especially around the holidays.
