Websites play a significant role in the internet as we know it. If internet-facing websites are not routinely patched, they are extremely vulnerable to cyberattacks and a lucrative target for hackers.
The demand for skilled web application penetration testers is on the rise, as per the report here:
“The US Bureau of Labor Statistics (BLS) projects 35 percent job growth for information security analysts, including penetration testers, between 2021 and 2031.” - Coursera
The good news is that most of the information you need to learn and become a web application pentester is available for free, thanks to the awesome people who make this content.
I’ve put together a list of free courses that anyone can follow to learn and practice the necessary skills.
Broadly speaking, there are four main categories of foundational skills.
Network fundamentals
Linux and using the command line
Security fundamentals
Programming
Network fundamentals:
Understanding some of the fundamental ideas, such as "What is the Internet?" and how it functions, is very valuable.
Resource: https://youtu.be/zN8YNNHcaZc
Understanding the OSI model and how to visualize traffic with Wireshark.
Resource: https://youtu.be/XgOF6GhiMuM
Linux and using the command line:
It is helpful to learn how to use a Linux operating system, especially one like Kali Linux, which is custom-made for penetration testing. This video from The Cyber Mentor is well-designed and also goes over the basics of shell scripting.
Resource: https://youtu.be/lZAoFs75_cs
Security fundamentals:
Understanding some of the industry's core concepts, such as the CIA Triad (Confidentiality, Integrity, and Availability), threat modeling, cryptography, and reverse engineering, is essential for developing a comprehensive understanding of this field.
Professor Messer’s updated Security+ course is very useful.
Resource: https://youtube.com/playlist?list=PLG49S3nxzAnkL2ulFS3132mOVKuzzBxA8
Programming:
Python is currently the most versatile programming language, and it is quickly becoming one of the most valuable skills in IT security. The ability to automate tasks raises an individual's productivity and significantly improves their chances of landing a job. Companies such as Google already require security engineers to go through rounds of coding interviews.
There are numerous Python coding tutorials available, but I also recommend learning Python in the context of networking and cybersecurity.
Resource: https://youtu.be/FGdiSJakIS4
In Part 2, I will go over more tailored courses to learn about topics such as OWASP Top 10 and hacking vulnerable servers such as DVWA and OWASP Juice Shop.