30-Day Web Penetration Testing Crash Course

with Paula Januszkiewicz

Intensive Online Certification Program

  • Custom Web Penetration Testing website and scenarios developed by CQURE Team.
  • 30 PRE-RECORDED modules in 30 days, 30 minutes a day.
  • Exclusive CQURE Academy Membership platform.
  • You choose the time for study.
  • Official certificate after passing the final exam.
  • 12-month access to the recordings and extra materials.

PREORDER TODAY!

849

/ Lowest price within 30 days €519

About

This 30-day intensive course on Web Penetration Testing provides a deep dive into the techniques and tools used by cybersecurity professionals to identify and exploit vulnerabilities in web applications.

Designed for both beginners and those with some experience in the field, this unique course covers a wide range of topics, from the basics of web penetration testing to advanced attack techniques.

Each day focuses on a specific aspect of web security, ensuring a thorough understanding of the subject matter. 

 


Pricing Plan

Our pricing plan is designed to adjust to your specific needs and budget.

Apply now, lock your price, and pay later.

Formula of the course

  • Up-to-date content from the field
  • Custom website and scenarios
  • Flexible study
  • Materials
  • Exam & Certification
  • Social & Network

Up-to-date content from the field

We are a company that performs hundreds of custom penetration tests per year. We are definitely not just a training company.

Our Experts spend over 80% of their time working as penetration testers on client cases around the world. We split the rest of our time between research and teaching.

This allows us to stay up-to-date with security knowledge, skills, and tools that other training institutes lack. We love to share our experience and knowledge. This is rare.

And we love geeky jokes ☺️

For example, to prove our speaking experience, Paula is widely recognized as the best speaker and expert at international security conferences. She is often a keynote speaker and her sessions are rated as the best sessions of the conference (NO, we did not ‘hack’ the results!). She trains the Team on how to speak and spread the message to be as effective in knowledge delivery as possible!

In short: you are in good hands!

Custom website and scenarios

This course is based on the Custom Web Penetration Testing website and scenarios developed by the CQURE Team.

The course requires the use of Docker, and our vulnerable application can be run on Docker both on Linux and Windows systems. For Windows, we use Docker for Windows. Our introductory lesson (Day 0) demonstrates how to set up the environment on a Windows system using Docker for Windows.

To practice with our vulnerable application, the course participant must start our vulnerable application in Docker by launching Docker and specifying which lesson they want to run. Depending on the selected day, our vulnerable application has different vulnerabilities implemented.

 

Flexible study

It’s action-packed! You’ll need about 30 minutes of laser focus a day to go through the video in each of the 30 lessons in 30 days. We’re not fluffing around, you’ve been warned. 

While you can crush this course in 30 days, you can also take as much time as needed. You have total freedom in how you organize your study time.

Materials

Each day comes with a video lesson and assessment. 

Initially, you’ll receive the link to our GitHub to download the repositories.

You’ll also get Docker login and password for the exercises.

 

Exam & Certification

You’ll receive an official certificate of completion after passing the final exam.  

Social & Network

You will be granted access to our closed Discord community server where you will be able to share your thoughts with other IT specialists.

Course syllabus

The 30-Day Web Penetration Testing Crash Course consists of 30 intensive modules.

Each day focuses on a specific aspect of web security, ensuring a thorough understanding of the subject matter. 

Learning outcomes:

  • Gain a comprehensive understanding of web penetration testing techniques and tools.
  • Develop the ability to identify and exploit various web application vulnerabilities.
  • Learn best practices for reporting vulnerabilities and improving web security.
  • Enhance problem-solving skills through practical exercises and case studies.
  • Day 0:

    • Day zero will be the start of your penetration testing journey. You will get a short course overview and a glimpse of why cybersecurity is crucial in today’s world. Moreover, our Experts will demonstrate examples of notable attacks and their consequences. Participants will also receive guidance on how to prepare their learning environment. 

  • DAY 1: What is Web Penetration Testing

    • During the first day, we will provide an overview of web penetration testing. You will have a chance to gain a deeper understanding of the most common vulnerabilities. You will also discover bugs and attacks. Moreover, we will delve into the importance of scope in cybersecurity.  

  • DAY 2: WEB PROXY (Burp)

    • Day 2 of our course will focus on Burp Suite and its various functionalities, including proxy settings, request interception, and response analysis. We will explore how to set up and use Burp Suite to capture, modify, and analyze web traffic, allowing you to identify and exploit vulnerabilities in web applications.  

      By the end of this lesson, you will have a solid understanding of how to use Burp Suite’s features such as Repeater, Intruder, and Decoder to perform web penetration testing effectively. 

  • DAY 3: Overview of HTTP

    • This time, participants will have a chance to gain a deeper understanding of the HTTP protocol, its versions, and how it is used for communication between clients and servers. We will also explore the structure of HTTP requests and responses. The Day 3 agenda will cover different HTTP methods, status codes, and the importance of HTTPS for secure communication. This foundational knowledge is crucial for identifying and exploiting web application vulnerabilities.

  • DAY 4: Headers

    • Building on the knowledge from the previous day, Day 4 will provide an in-depth look at the role of HTTP headers in web communication. It will include analyzing and manipulating headers. Participants will learn about the most common security headers, including HSTS (HTTP Strict Transport Security), XFO (X-Frame-Options), XCTO (X-Content-Type-Options), and CSP (Content-Security-Policy).

  • DAY 5: Web Application Architecture

    • Today, we will learn about the fundamental aspects of web application architecture and how to identify potential vulnerabilities. We will explore the journey of a web request from the moment a user types a website address in their browser to the point where the server processes and responds to that request. Our focus will include understanding IP and DNS protocols, examining different parts of web architecture, and distinguishing between client-side and server-side technologies. Additionally, we will cover essential security concepts, such as WAF bypassing and using tools like Testssl.sh to assess encryption vulnerabilities. 

  • DAY 6: Reflected Cross Site Scripting (XSS)

    • During Day 6, we will learn about Basic XSS (Cross-Site Scripting) attacks. It will include identifying and exploiting reflected XSS vulnerabilities. Later on, you will discover how an XSS vulnerability can be used by an attacker. We will also cover insecure headers and the importance of proper sanitization.

  • DAY 7: Stored XSS and DOM-Based XSS

    • During Day 7 of this course, we will focus on stored XSS and DOM-based XSS vulnerabilities. Differences between stored and DOM-based XSS will be explained. You will also find out how to detect and exploit stored XSS and DOM-based XSS vulnerabilities. Learners will be able to master new techniques through real-world examples and practical exercises.

  • DAY 8: Cross-Origin Resource Sharing (CORS)

    • The main focus of Day 8 will be the Same Origin Policy, a security mechanism built into browsers that restricts scripts loaded by one origin from accessing the data of another origin, and Cross-Origin Resource Sharing, a mechanism that enhances the Same Origin Policy. We will provide a comprehensive overview of CORS policies, including Basic Concept of CORS, basic CORS and API Null Origin CORS. At the end, we will also dive deep into the topic of exploiting misconfigured CORS. To illustrate this topic in an easy-to-follow way, we will include real-life examples.

  • DAY 9: Session Management

    • On Day 9, we will begin with an analysis of what a web session is. Later on, we will provide an overview of session management mechanisms.  We will also review typical vulnerabilities related to session management. During this module, get ready to deepen your knowledge of basic reconnaissance, session fixation attacks and insecure local storage.

  • DAY 10: Content Discovery

    • What are the proven techniques for discovering hidden content and functionalities? You will find out during Day 10 of our course. To provide you with a better understanding of this topic, we will focus on hostname resolution, discovering assets, and discovering subdomains. This module will also cover tools and methods for content enumeration.

  • DAY 11: Authentication and Authorization

    • Authorization and authentication are sometimes used interchangeably; however, they are two different processes and have different purposes. Both are very important for security. On Day 11, we will focus on exploring the mechanisms of authentication and authorization in depth. We will also uncover common vulnerabilities and exploitation techniques related to them.

  • DAY 12: Insecure Direct Object Reference (IDOR)

    • On Day 12 of our course, we will focus on Insecure Direct Object Reference (IDOR) and Business Logic Attacks. These vulnerabilities can lead to severe security breaches, including unauthorized access to user or application data. We will also identify IDOR vulnerabilities. Later on, participants will understand in what ways these vulnerabilities can expose sensitive information and allow attackers to manipulate application logic to their advantage. Moreover, this lesson will cover Parameter Tampering and Negative Value techniques.

  • DAY 13: Carriage Return Line Feed (CRLF) Injection

    • On Day 13, we will dive deep into the topic of Header Injection. In this module, we will also explore CRLF (Carriage Return Line Feed) Injection. Participants will also learn more about response splitting. Moreover, we will focus on exploiting CRLF for web attacks.

  • DAY 14: SQL Injection Basics

    • This module serves as an introduction to SQL and database concepts. On Day 14, we will focus on SQL injection attacks. It is one of the most popular types of injection attacks and can have very serious consequences, especially if the attacker dumps all data, including password hashes, personal data, or client lists. Thus, testing web applications for SQL injection vulnerabilities is a very important part of each web application penetration test. We will go through the topics of Basic SQLi, SQL Login Bypass, and SQLi with Data.

  • DAY 15: Automated SQL Injection (SQLi) attacks

    • We’ll focus on the automation of SQL injection attacks. We will also cover advanced SQLi exploitation. After completing this module, you will deepen your understanding of Login Bypass (Manual Tampering) and Automated SQLi, SQLi with sqlmap, and RCE Steps.

  • DAY 16: Template Injection

    • Although using a template engine allows us to dynamically create webpages relatively easily, it is worth noting that there are some vulnerabilities related to template engines. Today, we will focus on template injection vulnerabilities. Throughout this module, you will discover effective ways of identifying them. Later on, we will also cover exploitation techniques and tools.

  • DAY 17: Other Injections

    • In the previous days, we have successfully injected JavaScript code and performed attacks such as SQL injection and template injection. On Day 17, we will focus on two other injections that should be known to each web application penetration tester: OS command injection and CSS injection. We will provide an overview of both attacks and include techniques for detecting and exploiting injections.

  • DAY 18: Insecure Deserialization

    • On day 18, we will talk about insecure deserialization. This vulnerability can have various serious consequences, including data leakage, unauthorized file deletion, and remote command execution on the web server. During this lesson, we will discuss data type manipulation (type juggling), insecure functions RCE (Remote Command Execution), poorly written code, and insecure file operations. 
      Participants will also learn more about performing a PHP deserialization attack on a web application.

  • DAY 19: Local and Remote File Inclusion (LFI/RFI)

    • On Day 19, we will demonstrate two vulnerabilities that can result in an attacker being able to read files from the server or even execute malicious code on it, which can lead to taking full control over the server. These two vulnerabilities are LFI (Local File Inclusion) and RFI (Remote File Inclusion). During this module, you will discover how to identify and exploit them. We will cover Local File Inclusion, Filter bypassing $IFS, Log File Inclusion, and Remote File Inclusion.

  • DAY 20: Path Traversal Attacks

    • During today’s lesson, we will cover the Path Traversal attack, which is also known as Directory Traversal. This attack has been known for many years and yet some web applications are still vulnerable to it. Firstly, we will show you how to identify and exploit a Path Traversal vulnerability. Secondly, we will focus on Path Traversal attacks against JSON web tokens.

  • DAY 21: Insecure File Upload

    • On Day 21 of our course, we will focus on vulnerabilities related to file upload functionality. During this module, we will identify insecure file upload mechanisms. Moreover, we will be exploiting them. Get ready to learn more about Insecure File Upload, Bypassing File Extension Filtering, Bypassing File Content Filtering, and Vulnerable ExifTool.

  • DAY 22: Attacking Content Security Policy (CSP)

    • During today’s lesson, you will gain a deeper understanding of Content Security Policy (CSP). You will discover how Content Security Policy can prevent XSS attacks. Moreover, we will focus on how to attack hardened CSP and how to detect CSP leaks. We will also cover techniques for bypassing and exploiting CSP.

  • DAY 23: Server-Side Request Forgery (SSRF)

    • Today’s lesson will cover the Server-Side Request Forgery (SSRF) vulnerability. An SSRF vulnerability can have serious consequences as it may lead to sensitive information disclosure, unauthorized actions, and even Remote Code Execution. We will guide you on detecting SSRF vulnerabilities and exploiting them. Additionally, you will learn techniques to bypass SSRF filters.

  • DAY 24: Open Redirection and Acting on Behalf of an Application

    • In this lesson, we’ll explore various forms of open redirection, including classic methods, Meta Refresh, and DOM-based techniques. We’ll also delve into how these vulnerabilities can be exploited for more severe attacks like Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and Server-Side Request Forgery (SSRF). Additionally, we’ll discuss the risks of internal secret key leakage and file upload-based redirections, providing a comprehensive understanding of the threats and mitigation strategies. We will also cover techniques for leveraging application behavior.

  • DAY 25: Attacking APIs

    • During Day 25, we will cover several crucial topics to enhance our understanding and skills in attacking REST APIs. At first, we will focus on basic reconnaissance methods, essential for identifying vulnerabilities and misconfigurations in API endpoints. Later on, we will examine the most common flaws found in REST APIs, enabling us to recognize and exploit these weaknesses effectively.

  • DAY 26: XML External Entity (XXE) Attacks

    • On Day 26 of our course, we will dive into the critical topic of XXE (XML External Entity) vulnerabilities. This vulnerability is related to XML (Extensible Markup Language). We will learn how to detect and exploit these vulnerabilities, which can compromise data security and system integrity. By the end of this module, you will gain a solid understanding of how to identify XXE flaws and protect web applications against these threats.

  • DAY 27: JSON Web Tokens (JWT)

    • During this module, we will focus on JSON Web Tokens. JWTs are used for both authorization and information exchange. Such tokens are widely used across many websites, so it is worth identifying and understanding the vulnerabilities related to them. On Day 27 of our course, you will learn how to perform reconnaissance, attack JWTs, recover the public key, and crack HS256 keys.

  • DAY 28: How to Report Vulnerabilities

    • During Day 28, you will learn how to effectively report vulnerabilities discovered during penetration testing. This includes understanding the structure of a comprehensive vulnerability report, assessing vulnerability severity levels, and using the Common Vulnerability Scoring System (CVSS) to quantify the impact of discovered vulnerabilities. Participants will discover best practices for writing and submitting vulnerability reports.

  • DAY 29: How to Improve Your Skills

    • The knowledge you gained during this course provides insight into web application security and penetration testing methods for web applications. However, you should constantly improve your skills to deal with new vulnerabilities and exploitation techniques that do not yet exist but will be discovered in the future. During this lesson, we will cover resources and techniques for continuous learning and skill enhancement, including: 1. What is important in becoming a good penetration tester, 2. Why you should keep learning and which sources you should pay attention to, 3. How to practice and test your skills, 4. Your Toolbox, 5. How to develop your career as a penetration tester.

  • DAY 30: Summary and Case Study

    • In this module, we will review key concepts and techniques included in this course. Get ready for a real-world case study and a discussion concerning web penetration testing.

For whom is this course?

This 30-day online course is ideal for cybersecurity professionals, developers, and anyone interested in web security. By the end of this course, participants will be well-equipped to conduct thorough web penetration tests and contribute to the security of web applications. 

To gain the most benefit from this course, as a prerequisite you’ll need to be able to:

  • Install Docker.
  • Download the repositories from GitHub.
  • Log in to Docker.
  • Install Burp.
  • Launch our vulnerable application with the sample lesson.

*NOTE: while all of the instructions are based on Docker for Windows, you’ll also be able to work from a Mac or Linux machine with a respective Docker.

Why invest?
How to persuade your manager that this course is meaningful?

Investing in knowledge is one of the most worthwhile investments, not only for us but also for our environment. Learning new cybersecurity skills and insights raises awareness and, as a result, may prevent falling victim to cyber threats in the future.

Protects the Company

You will be a valuable asset to the company’s safety: knowing about potential threats and ways of avoiding them may be incredibly useful in daily company life.

Improves Employees skills

Not only will your company gain a cybersecurity specialist, but you will also unlock the door to expanding your skills horizon even further.

Boosts customer confidence

A completed course with personal certification may be the perfect advantage when it comes to business.

Helps comply with regulations

Knowledge is power—it helps navigate through complex regulatory landscapes. Keeping up-to-date with the latest cybersecurity regulations and standards ensures your company remains compliant, thus avoiding costly penalties and reputational damage.

Saves money in the long run

Who would want to pay regularly for help in case of an emergency data leak in a company? It’s much better to educate the employees and prevent any cybersecurity risks.

Prepares for emerging threats

After our course, you will be educated in the possible threats and you will identify any suspicious activity online with ease.

Buy now and learn from the best!

  • 30 lessons.
  • Custom Web Penetration Testing website and scenarios developed by the CQURE Team.
  • Delivered to you via our closed CQURE Academy Membership platform. 
  • You choose the time for study – we recommend you follow the 30-day routine for the best (and fastest) results. 
  • Each day comes with a video lesson, assessment, and exercise. 
  • You’ll also get access to a closed Discord group where you can share your challenges and upgrade your network. 
  • You’ll receive an official certificate of completion after passing the final exam. 
  • All the video recordings and materials are yours to keep for a full 12 months from the start of the program. 

Your Expert

This course is delivered by one of the greatest, world-renowned Cybersecurity Experts with practical knowledge from tons of successful projects, many years of real-world experience, great teaching skills and no mercy for misconfigurations or insecure solutions.

Paula Januszkiewicz

Founder & CEO, Microsoft Regional Director, MVP, MCT

Paula is a world-class Cybersecurity Expert with over 19 years of experience in the field. She is often a top-rated speaker at the world’s biggest conferences as her unique stage presence is always well-received among diverse audiences. To top it all, she has access to the source code of Windows!
