Course Details!


Web applications play a vital role in every modern organization. But, if your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data.
Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.
Customers expect web applications to provide significant functionality and data access.
Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization.
Unfortunately, there is no "patch Tuesday" for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions.
Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.Modern cyber defense requires a realistic and thorough understanding of web application security issues.
Anyone can learn to sling a few web hacks, but effective web application penetration testing requires something deeper.

What Will I Learn?

  • You Will Learn:
  • To apply a repeatable methodology to deliver high-value penetration tests.
  • How to discover and exploit key web application flaws.
  • How to explain the potential impact of web application vulnerabilities.
  • The importance of web application security to an overall security posture.
  • How to wield key web application attack tools more efficiently.
  • How to write web application penetration test reports.
  • Apply OWASP's methodology to your web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control.
  • Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives.
  • Manually discover key web application flaws.
  • Use Python to create testing and exploitation scripts during a penetration test.
  • Discover and exploit SQL Injection flaws to determine true risk to the victim organization.
  • Understand and exploit insecure deserialization vulnerabilities with ysoserial and similar tools.
  • Create configurations and test payloads within other web attacks.
  • Fuzz potential inputs for injection attacks.
  • Explain the impact of exploitation of web application flaws.
  • Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and BurpSuite Pro to find security issues within the client-side application code.
  • Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks.
  • Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application.
  • Perform two complete web penetration tests, one during the five days of course instruction, and the other during the Capture the Flag exercise.


  • Certificate Of Attendance from IT-Gate Academy


  • Why Is Web Pen testing Require?
  • Importance of Web App Pen testing
  • Vulnerability Scanning or Pen testing
  • What Is A Vulnerability?
  • How Vulnerability Occurs?
  • Types of Vulnerabilities
  • History of Vulnerabilities
  • Exploitation of Vulnerabilities

WEB Basics

  • Protocols of Web
  • HTML
  • PHP Basics
  • JS Basics
  • Types of Wen Pen-Test (External Internal)

Tools of Web Pen testing:

  • Burp suite
  • Zap Proxy
  • Dirbuster
  • Dirb
  • Dir Search
  • theHarvester
  • Dig
  • Host
  • Nslookup
  • Recon-ng
  • Metasploit Fundamentals
  • SQLMap
  • JSQL
  • SQLNinja
  • Nikto
  • Whatweb
  • Dmitry
  • Who is
  • Hackrawler

Port Scanning Tools

  • Nmap
  • Netcat
  • Socat
  • Zenmap
  • Advanced Port Scanner

Database Management

  • SQL
  • PHPMyAdmin

System Administration

  • Bash Scripting (Basics)
  • Batch Scripting (Basics)

Bash Scripting ( Building Pentesting Tools )

  • Practical Tools
  • Error Handling

Advanced web hacking

  • DNS Information Gathering
  • Subdomains Gathering
  • Endpoint Gathering
  • Compare hand The Application
  • Understanding the Application Logic
  • Source Code Reviewing
  • Fuzzing the Web App Directories and Files
  • Subdomain Monitoring
  • LinkedIn Discovery
  • GitHub Discovery
  • Port Scanning
  • Identifying the Application
  • Knowing the WAF Parameter Fuzzing
  • Google Hacking
  • Knowing the HTTP Headers Used
  • Some Methodologies

Anonymous Pen tester

  • Proxy
  • VPN
  • TOR
  • Proxy chains
  • Tails OS

Practical Web Pen testing

  • Logical Vulnerabilities
  • IDOR
  • Broken Authentication
  • Business Logic
  • Attacking Other Application Logics

Technical Vulnerabilities

  • OS Command Injection
  • XSS
  • SQL injection
  • Open Redirect
  • XXE
  • CSRF
  • SSRF
  • HTML Injection
  • LFI
  • LFD
  • RFI
  • File Upload
  • Exploitation through Error Message
  • HTTP Parameter Pollution
  • Cookie Injection (Session Hijacking)
  • Cookie Injection (Session Hijacking)
  • Cache Deception
  • Cache Poisoning
  • HTTP Request Smuggling Attacks


  • Sub domain Take Over
  • Information Disclosure
  • Web Pen testing & Bug hunting Methodologies

Web Pen testing Approach (Before Testing):

  • Planning Phase
  • Known Your Scope
  • Availability of Documentation to Testers
  • Determining the Success Criteria
  • Reviewing the Test Result from the Previous Training
  • Understanding & Comprehend the Environment

Attacks / Execution Phase (During Testing}:

  • Ensure To Make the Test In Different User Roles
  • Awareness on How To Handel A Post Exploitation
  • Generation of Test Reports

Post Execution Phase (After Testing):

  • Suggest Remediation
  • Retest Vulnerabilities

Web Pen testing in real Lives

  • Bug Hunting In Real Life
  • Reporting
  • Vulnerability Escalation
  • Social Engineering Concepts