Web Application Penetration Testing: How Do You Get Started? - Part 1

Photo by fabio on Unsplash

Web Application Penetration Testing: How Do You Get Started? - Part 1

Beginner's guide to Web Application Penetration Testing


2 min read

Websites play a significant role in the internet as we know it. If the internet-facing websites are not routinely patched, they are extremely vulnerable to cyberattacks and a lucrative target for hackers.

The demand for skilled web application penetration testers is on the rise, as per the report here:

“The US Bureau of Labor Statistics (BLS) projects 35 percent job growth for information security analysts, including penetration testers, between 2021 and 2031.” - Coursera

The good news is that most of the information you need to learn and become a web application pentester is available for free, thanks to the awesome people who make this content.

I’ve put together a list of free courses that anyone can follow to learn and practice the necessary skills.

Broadly speaking, there are four main categories of foundational skills.

  1. Network fundamentals

  2. Linux and using the command line

  3. Security fundamentals

  4. Programming

Network fundamentals:

Understanding some of the fundamental ideas, such as "What is the Internet?" and how it functions, is very valuable.

Resource: https://youtu.be/zN8YNNHcaZc

Understanding of the OSI model and how we can visualize the traffic through Wireshark

Resource: https://youtu.be/XgOF6GhiMuM

Linux and using the command line:

It is helpful to learn how to use a Linux operating system, especially one like Kali Linux which is custom-made for penetration testing. This video from The Cyber Mentor is well-designed and also goes over the basics of shell scripting.

Resource: https://youtu.be/lZAoFs75_cs

Security fundamentals

Understanding some of the industry's core concepts, such as the CIA Triad (Confidentiality, Integrity, and Availability), threat modeling, cryptography, and reverse engineering, is essential for developing a comprehensive understanding of this field.

Professor Messer’s updated course on security+ is very useful.

Resource: https://youtube.com/playlist?list=PLG49S3nxzAnkL2ulFS3132mOVKuzzBxA8


Python is currently the most versatile programming language, and it is quickly becoming one of the most valuable skills in IT security. The ability to automate tasks increases an individual's productivity level and significantly increases their chances of landing a job. Companies such as Google already require security engineers to go through rounds of coding interviews.

There are numerous Python coding tutorials available, but I also recommend learning Python in the context of networking and cybersecurity.
Resource: https://youtu.be/FGdiSJakIS4

In Part 2, I will go over more tailored courses to learn about topics such as OWASP Top 10 and hacking vulnerable servers such as DVWA and OWASP Juice Shop.