Web App Penetration Testing Course

Web applications play a vital role in every modern organization. But, if your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.

With this course I aim to help students move beyond push-button scanning to professional, thorough, high-value web application penetration testing.

I am sharing this course because I believe knowledge should be free, or at least affordable. You should not have to take out a loan on your house to get the seven thousand dollars it took to get the knowledge from this course.

This was a six-day course, for which I have the audio and study material too. It is insane to cram all this information into a six-day course and think that all of it has been retained.

So what we are going to do is turn this into a six-week course. I will share one section a week. I would advise you to open the study material, then play the .MP3 audio files and follow along in your study material, which comes in .PDF format.

Week 1: Introduction and Information Gathering
  • Overview of the web from a penetration tester’s perspective
  • Exploring the various servers and clients
  • Discussion of the various web architectures
  • Discovering how session state works
  • Discussion of the different types of vulnerabilities
  • WHOIS and DNS reconnaissance
  • The HTTP protocol
  • WebSocket
  • Secure Sockets Layer (SSL) configurations and weaknesses
  • Heartbleed exploitation
  • Utilizing the Burp Suite in web app penetration testing
  • Week 1: Study Material Download

Week 2: Configuration, Identity, and Authentication Testing
  • Scanning with Nmap
  • Discovering the infrastructure within the application
  • Identifying the machines and operating systems
  • Exploring virtual hosting and its impact on testing
  • Learning methods to identify load balancers
  • Software configuration discovery
  • Learning tools to spider a website
  • Brute forcing unlinked files and directories
  • Discovering and exploiting Shellshock
  • Web authentication
  • Username harvesting and password guessing
  • Fuzzing
  • Burp Intruder
  • Week 2: Study Material Download

Week 3: Injection
  • Session tracking
  • Authentication bypass flaws
  • Mutillidae
  • Command Injection
  • Directory traversal
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • SQL injection
  • Blind SQL injection
  • Error-based SQL injection
  • Exploiting SQL injection
  • SQL injection tools
  • Sqlmap
  • Week 3: Study Material

Week 4: XXE and XSS
  • XML External Entity (XXE)
  • Cross-Site Scripting (XSS)
  • Browser Exploitation Framework (BeEF)
  • AJAX
  • XML and JSON
  • Document Object Model (DOM)
  • Logic attacks
  • API attacks
  • Data attacks
  • Week 4: Study Material

Week 5: CSRF, Logic Flaws and Advanced Tools

  • Cross-Site Request Forgery (CSRF)
  • Python for web app penetration testing
  • WPScan
  • w3af
  • Metasploit for web penetration testers
  • Leveraging attacks to gain access to the system
  • How to pivot our attacks through a web application
  • Exploiting applications to steal cookies
  • Executing commands through web application vulnerabilities
  • When tools fail
  • Week 5: Study Material

Week 6: Capture the Flag
I like the idea of a free, or at least affordable, course. I have spent the last few years programming to prevent penetration; I think that if you know how to get in, you can prevent it from happening in the first place. My thoughts are that this is the whole point of penetration testing. Thanks for the course @MoNsTeR.


Wow, thank you @MoNsTeR.
This is great course material; it's the same course material taught to government agencies.

Thanks @MoNsTeR for the amazing courses that you share with us.


Good work buddy, keep it up!! By the way, why don't you upload your courses to a torrent site so that people can download those courses at high speed? FTP servers are damn slow regardless of your internet speed. Using torrents will save everyone's time too :smiley:

You are absolutely right @GSG

Yes, this exact course is taught to high-level United States government agencies such as DHS, FBI, DOD, etc. In fact, you must have a SANS certification to contract for the United States Government. @MoUsE

You are welcome @cavaN I love giving back to the community when I can. It helps me progress.

@D4rkhunt3r I was actually thinking of doing that. I had one going a while back. I might start doing it again.

I have 2 web servers; I would be willing to allow up to 10 GB of space to host the files if needed.

Yes that would be great. Will be waiting for the torrent links to hit up :smiley:

Great! @GSG I will let you know when I need it, thanks.

For everyone following along. I have added week 2 to the course material.


Thank you @MoNsTeR, I will go and look at it now.

Thank you. God bless your tender heart.

Welcome to the community @Rapell. You are welcome, it is my pleasure sharing.

Hi @MoNsTeR, next week's material please.

Also, can you provide me the free download link for the Offensive Security AWAE course?

I have added week 3 to the course.

I will look into it for you.

Hello @MoNsTeR, any updates on the AWAE course?

Hey @MoNsTeR, can we get weeks 4, 5 and 6?
Thanks for these materials. This is gold.
I have completed up to week 3 and I'm following this. I need to continue, so please upload the week 4, 5 and 6 files.

Well we have made it to the halfway point. I have uploaded week 4 course material. Enjoy!

I could not find it. I asked around in IRC and nothing as of yet.

You are welcome. It is some of the best knowledge you can get, in my opinion, regarding web app pen-testing. I will continue updating until week 6, so 2 weeks left.

Thank you so much! This is absolutely wonderful information, and it costs so much to take a course. I am in school at the moment and took a class on penetration testing, and the instructor was certified at the above institute. So this is just a gift that I can't thank you enough for!