Web Application Penetration Testing: How Do You Get Started? - Part 2

Beginner's guide to Web Application Penetration Testing

The resources for learning the four fundamental skills were introduced in Part 1.

In this part, we'll focus on the following topics:

  1. OWASP Top 10

  2. OWASP Testing guide

  3. Web applications to perform testing

    1. DVWA - Damn Vulnerable Web Application (Server side - application)

    2. OWASP Juice Shop - (Client Side Application)

    3. OWASP crAPI and vAPI (API testing)

  4. Burp Suite's Learning Path

  5. Supplementary skills

OWASP Top 10

The Open Worldwide Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.

The OWASP Top 10 is an excellent resource for learning about the most common vulnerabilities discovered in apps in recent years. The most recent report came out in 2021. Here is an excerpt from the main page.

[Image: Mapping] Image Source: owasp.org/www-project-top-ten

To learn about the individual topics, such as "A01:2021-Broken Access Control," I highly recommend visiting the OWASP Top 10 project's website and reading about them. The guide has a description of the findings, example attack scenarios, and prevention methods.
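As an added illustration of what "A01:2021-Broken Access Control" looks like in code (this example is mine, not from the post or from OWASP), here is a toy invoice lookup written twice: once trusting the requested id without checking who asked, and once with the ownership and role check that the OWASP prevention advice calls for. All users, roles and invoice records are constructed for the example, and the denial log stands in for the audit trail a real application would write.

```python
"""Added illustration of OWASP Top 10 A01:2021 Broken Access Control.

Toy example, not from the original post or from OWASP: an "invoice" lookup
that first omits the object-level authorization check, then adds it.
Every name below (users, roles, invoice ids) is constructed for the example.
"""
from dataclasses import dataclass

# Constructed sample data: two customers' invoices.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


@dataclass
class User:
    name: str
    role: str  # "customer" or "admin" in this toy model


# Which roles may perform which action; anything not listed is denied.
ROLE_PERMISSIONS = {
    "customer": {"invoice:read_own"},
    "admin": {"invoice:read_own", "invoice:read_any"},
}


class AccessDenied(Exception):
    pass


# Stands in for the audit log a real application would write on every denial,
# which is what a detection team would alert on.
DENIAL_LOG: list[str] = []


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    """A01 pattern: the handler trusts the invoice id from the request and
    never asks whether `user` is allowed to see that particular invoice."""
    return INVOICES[invoice_id]


def get_invoice_secure(user: User, invoice_id: int) -> dict:
    """Hardened version: deny by default, check the role's permission and,
    for plain customers, that the record actually belongs to the caller."""
    invoice = INVOICES.get(invoice_id)
    perms = ROLE_PERMISSIONS.get(user.role, set())
    # Report missing and forbidden records identically so the response does
    # not reveal which ids exist.
    if invoice is None:
        raise AccessDenied("invoice not found")
    allowed = "invoice:read_any" in perms or (
        "invoice:read_own" in perms and invoice["owner"] == user.name
    )
    if not allowed:
        DENIAL_LOG.append(
            f"user={user.name} role={user.role} denied invoice {invoice_id}"
        )
        raise AccessDenied("invoice not found")
    return invoice


def can_read(handler, user: User, invoice_id: int) -> bool:
    """True if `handler` hands the invoice back to `user`, False if it refuses."""
    try:
        handler(user, invoice_id)
        return True
    except (AccessDenied, KeyError):
        return False


if __name__ == "__main__":
    alice = User("alice", "customer")
    support = User("carol", "admin")
    print("vulnerable, alice reads bob's invoice:",
          can_read(get_invoice_vulnerable, alice, 1002))
    print("secure, alice reads bob's invoice:",
          can_read(get_invoice_secure, alice, 1002))
    print("secure, alice reads her own invoice:",
          can_read(get_invoice_secure, alice, 1001))
    print("secure, admin reads bob's invoice:",
          can_read(get_invoice_secure, support, 1002))
    print("denials logged:", DENIAL_LOG)
```

The point to take from the two functions is that the vulnerable one is not "missing a feature" but missing a decision: whoever can guess or increment an id gets the record. The fixed version makes that decision on every request, server side, and records each refusal, which is exactly the evidence you later want when reviewing logs.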

YouTube resource: A Starters Guide to Pentesting with OWASP

Another interesting resource on common vulnerabilities is the CWE Top 25 list.

OWASP Testing guide

You can adjust your testing approach once you have some hands-on experience; until then, I recommend starting with the OWASP Testing Guide. The current release (version 4.2) is found here: https://owasp.org/www-project-web-security-testing-guide/v42/

Web applications to perform testing

  • DVWA - Damn Vulnerable Web Application:

    On Kali Linux, the following commands install, start and stop DVWA:

    sudo apt install dvwa   # install the DVWA package
    dvwa-start              # start the services DVWA needs
    dvwa-stop               # stop them again when you are done

A walkthrough from Hackersploit is available here: Ethical Hacking 101: Web App Penetration Testing - a full course for beginners

Burp Suite's Learning Path

The final, and by far the best, resource currently available for consolidating all of the above topics into one course is the free training offered by PortSwigger, the makers of Burp Suite.

The course contains a plethora of learning materials with labs and offers an integrated progress tracker on the platform.

Both the learning materials and the labs are found here: https://portswigger.net/web-security

Supplementary skills

Another important skill that should be prioritized is report writing. It is important to explain to an audience with different levels of understanding how the vulnerability could be exploited.

The final piece of the puzzle in learning web application penetration testing is getting hands-on experience. A great place to do that is through bug bounty programs. Many YouTube content creators, such as Nahamsec, post content tailored for bug bounty hunters, and learning from their testing methodologies is very useful.