Learning Track · 29 modules

Web Application Penetration Testing

From HTTP fundamentals to business-logic exploitation. The complete path.

Why this track

Web application penetration testing is the most-requested skill on every Indian VAPT engagement we run. From SQL injection to JWT confusion attacks to business-logic flaws — this track walks you through each vulnerability class as both an attacker and a defender. You will use Burp Suite the way professionals do, recognise OWASP Top 10 patterns in real apps, and learn the mindset that turns a checklist tester into a practitioner who finds the bugs the scanners miss.

What you will be able to do
  • Conduct a manual web application pentest from reconnaissance to reporting
  • Exploit and remediate every OWASP Top 10 (2021/2025) vulnerability class
  • Use Burp Suite Professional with custom extensions and intruder workflows
  • Identify business-logic flaws that automated scanners cannot detect
  • Write findings reports your auditor and engineering team can both action
Prerequisite: HTTP fundamentals are covered in Module 1. JavaScript and basic SQL are helpful but not required.
Modules: 29
Total time: 35.3 h
Free modules: 29
Quiz retries
Difficulty mix: Beginner 3 · Intermediate 9 · Advanced 12 · Expert 5

Module sequence

M1
HTTP & Web Fundamentals
How HTTP actually works at the wire level — methods, status codes, headers, cookies, TLS. The foundation for every web-app attack pattern.
Beginner 60 min
M2
Web Enumeration & Recon
Subdomain enumeration, technology fingerprinting, directory brute-forcing, JavaScript bundle analysis, and Wayback reconnaissance.
Beginner 90 min
M3
GraphQL Security
Introspection, depth/complexity attacks, aliasing brute force, mutation safety, persisted queries, subscriptions.
Intermediate 90 min
M3
Authentication Attacks
Username enumeration, password spraying, credential stuffing, session attacks, JWT vulnerabilities, OAuth/SAML flaws, MFA bypasses.
Beginner 90 min
M4
SQL Injection in 2026
How SQLi works at the query level, UNION-based extraction, blind SQLi (boolean and time), out-of-band exfiltration, NoSQL injection, sqlmap practice.
Intermediate 120 min
M5
Cross-Site Scripting (XSS) in 2026
Reflected, stored, and DOM-based XSS in 2026. Filter bypasses, CSP deep-dive, and the real impact beyond alert(1). Pro module.
Intermediate 90 min
M6
IDOR & Authorization Bypass
Horizontal and vertical IDOR, mass assignment, multi-tenant boundary violations, GraphQL authorization. The highest-yield SaaS bug class. Pro module.
Intermediate 90 min
M7
Business Logic Flaws
Race conditions, workflow manipulation, price/quantity attacks, coupon abuse, TOCTOU. The findings scanners cannot find. Pro module.
Advanced 120 min
M8
API Security (OWASP API Top 10)
OWASP API Top 10 in practice, GraphQL testing, gRPC, SSRF, LLM-integrated API attacks. The 2026 API attack surface. Pro module.
Advanced 120 min
M9
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) is a vulnerability where an attacker tricks a server into making HTTP requests on their behalf. In a cloud environment, SSRF frequently escalates from “interesting” to “full account compromise” via metadata service abuse. The core vulnerability: an application takes a URL parameter, fetches it, and returns the response. Classic example: “Enter […]
Advanced 90 min
M10
XML External Entity Injection (XXE)
XML External Entity (XXE) injection exploits XML parsers that process references to external entities. A classic vulnerability in XML-consuming applications — SOAP services, document upload features, SAML, configuration parsers. Can lead to file disclosure, SSRF, DoS, and RCE. How XXE works: XML supports external entities, references to external resources. When a parser fetches the […]
Advanced 90 min
M11
Cross-Site Request Forgery Deep Dive
Cross-Site Request Forgery (CSRF) tricks a user’s browser into submitting authenticated actions to a trusted site. Once ubiquitous, modern browsers and frameworks have made the baseline defence far stronger. But CSRF still appears — especially in legacy APIs and apps that mishandle authentication state. The core attack: user is logged into bank.com (browser holds session […]
Intermediate 60 min
M12
File Upload Vulnerabilities
File upload features are everywhere — profile pictures, document uploads, attachments, imports. They’re also one of the most frequently-exploited vulnerability classes, capable of escalating from “user” to “RCE” in one click. This module covers the attack patterns and the layered defences. The attack surface: attacker uploads a (malicious) file; server saves file to disk; server […]
Intermediate 60 min
M13
JWT Attacks
JSON Web Tokens (JWT) have become the default authentication token format in modern APIs. They’re compact, stateless, and when implemented correctly, secure. When implemented poorly, they’re a source of authentication bypass and privilege escalation. This module covers JWT structure, common attacks, and the concrete defences. JWT structure: header.payload.signature. Base64-decoded example: Header {"alg":"HS256","typ":"JWT"}; Payload {"sub":"priya","role":"admin","exp":1700000000} […]
Advanced 90 min
M14
HTTP Request Smuggling
CL.TE / TE.CL / TE.TE, HTTP/2 downgrade smuggling, exploitation impacts, detection via timing, defenses.
Expert 120 min
M15
Insecure Deserialization
Java/.NET/Python/PHP/Ruby deserialization vulns, gadget chains, ysoserial, signed-data defense.
Expert 120 min
M16
Race Conditions in Web Apps
TOCTOU, single-packet attacks, where races hide, Burp testing, transactional + idempotency-key defenses.
Expert 120 min
M17
Prototype Pollution
JS prototype model, pollution sources, attack vectors (auth bypass, RCE chains), Object.create(null) defense.
Expert 120 min
M20
Server-Side Template Injection (SSTI)
Why this module exists. SSTI almost always becomes RCE. The bug looks innocent — user input ends up in a template — and the impact is full server takeover. Modern frameworks make it harder, but every Indian SaaS that does email templating, custom report rendering, or user-customisable dashboards is exposed. The bug class in one […]
Advanced 40 min
M21
NoSQL Injection
Why this module exists. Developers who learned about SQL injection often think NoSQL databases are safe by design. They aren’t — they have different injection patterns, often with even fewer guardrails. MongoDB powers half of Indian Node.js startups; nearly every one I’ve audited had at least one NoSQLi exposure. How NoSQL queries differ from SQL […]
Intermediate 30 min
M22
OAuth & SSO Authentication Flaws
Why this module exists. OAuth 2.0 and OIDC are the universal authentication layer of the modern web — and the most-misunderstood spec in the industry. The protocol is fine; the implementations are catastrophic. “Sign in with Google”, “Sign in with Apple”, “Sign in with Facebook” — every one of these has had account-takeover bugs in […]
Advanced 40 min
M24
WebSocket Security
Why this module exists. Real-time chat, live trading dashboards, multiplayer games, collaborative editors — all run on WebSockets. And every web pentester I know has found at least one critical WebSocket bug because developers treat the protocol as “HTTP-but-faster” without realising the security model is fundamentally different. How WebSockets differ from HTTP: single connection, bidirectional […]
Intermediate 30 min
M25
GraphQL Pentesting — Introspection, Authz, Query Abuse
Why GraphQL needs different testing: GraphQL provides a single endpoint that responds to flexible query shapes. The implications: introspection lets the attacker enumerate the entire schema with a single query; each field can have its own authorization, so missing authz on a single field exposes data; query depth and breadth can be weaponised for resource exhaustion. […]
Advanced 35 min
M26
Smart Contract Pentest Fundamentals for Web Testers
What is different about smart contracts: immutable once deployed, so there is no patch cycle (mostly) and finding the bug means losing the funds; public source code, since bytecode is on-chain and source is usually published for verification; direct financial exposure, as vulnerabilities translate to ETH / tokens immediately; gas economy, where every operation costs and some attacks exploit gas pricing; composability, where contract A calls […]
Advanced 40 min
M26
Web Cache Poisoning & Deception
Why this module exists. James Kettle’s 2018 “Practical Web Cache Poisoning” Black Hat talk made cache poisoning the bug that goes from “weird HTTP behaviour” to “CDN-served XSS to every user in the country.” The bug class hasn’t gone away; if anything it’s gotten worse with the proliferation of CDNs and edge caching. The mental […]
Advanced 40 min
M27
WebSockets, SSE, WebRTC — Realtime Web Vulnerabilities
Why realtime channels need different testing: persistent connection rather than request-response; often bypass HTTP-aware controls (rate limit, WAF rules); authentication happens at connection-open, and subsequent messages may not re-validate; message framing varies (binary, JSON, custom protocols). The protocols (protocol, direction, use case): WebSocket, bidirectional, chat, gaming, trading dashboards; SSE (EventSource), server → client, live notifications, dashboards […]
Advanced 30 min
M27
Session Management — Beyond Cookies
Why this module exists. Every web app makes session decisions in the first month of development that they regret 18 months later. The wrong choice between cookies and tokens, the wrong refresh strategy, the wrong idle timeout — each is technical debt that becomes a breach footnote. This module is the playbook for getting it […]
Intermediate 30 min
M28
Web Cache Attacks — Deception, Poisoning, Key Confusion
Why cache attacks are different: web applications use multiple cache layers (CDN edge cache, origin proxy cache, application cache). Each interprets URLs and headers slightly differently. The gap between interpretations is the attack surface. Web Cache Deception, the attack: authenticated user visits https://app.com/account/details.css. CDN sees the “.css” suffix and caches the response as a static asset. Origin […]
Advanced 30 min
M29
Advanced JWT Attacks — Beyond Algorithm Confusion
Beyond alg=none and HS256 confusion: Module SC-4 covered the classic algorithm-confusion attacks. This module covers the advanced variants. KID header injection: JWT header { "alg": "HS256", "typ": "JWT", "kid": "../../../etc/passwd" }. The application uses kid to look up the signing key. If kid is unchecked, the attacker can path-traverse to read arbitrary […]
Expert 30 min

Related tracks

Track
Attacker Mindset — Web
Why each web vuln class exists — trust boundaries, grammar confusion, authorization drift. Mindset first, tools second.
Track
API Security Deep Dive
OWASP API Top 10, JWT/OAuth, GraphQL, rate limiting, gateways and zero-trust at scale.
Track
DevSecOps
Security in the SDLC. SAST/DAST/SCA, IaC, CI/CD hardening, software supply chain.

Common questions about this track

What tool stack do you teach?

Burp Suite (Community is fine for most of the track; Pro for chained exploitation), browser dev tools, sqlmap, ffuf for content discovery, and a custom collection of payload patterns. Methodology is tool-agnostic.

Do I need to set up a vulnerable lab?

We point you to free vulnerable labs (DVWA, Juice Shop, PortSwigger Academy) and provide methodology that works against any target. Production-class skills come from production-class methodology, not "try harder" labs.

Is this enough to pass OSCP?

It is the web component. OSCP also expects network and AD exploitation; pair this track with the Active Directory track and the hacking-tools track for full OSCP-equivalent prep.

Can I use this professionally in India?

Yes. Indian VAPT work is dominated by web application testing. Practitioners who finish this track are immediately employable; experienced engineers gain a structural framework for findings they have been intuiting.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
