

Web Application Hacking & Penetration Testing

Learn how to hack web applications and exploit OWASP top 10 security vulnerabilities.

3.75 (55 reviews)


2 hours


Last Update: May 2021

What you will learn

Learn web application security vulnerabilities

Exploit Injection - SQL Injection, Command injection

Broken Authentication and Session Management

Sensitive Data Exposure

XML External Entities (XXE) attack

Broken Access Control/Insecure Direct Object References

Security Misconfiguration

Cross-Site Scripting (XSS) - Persistent XSS, Reflected XSS, Cross Site Request Forgery (CSRF)

Insecure Deserialization

Using Components with Known Vulnerabilities

Insufficient Logging and Monitoring

Bonus Section - Unvalidated Redirects and Forwards


If you are looking for a course that provides good coverage of the important OWASP top 10 security vulnerabilities in web applications in a short and concise way, then you have come to the right place. This course is relevant whether your applications are deployed on the cloud or on physical servers and VMs, since web application vulnerabilities don't magically disappear just because the application is deployed on the cloud.

This course is focused on practical learning and applying your knowledge. To achieve that, the course includes a tutorial on how to install the XAMPP server and deliberately vulnerable applications on your own machine, so that you can practice what you are learning rather than just watch the tutorials.

There are many courses that mainly focus on how to exploit the vulnerabilities of physical servers. With the cloud now being the preferred way to deploy applications, and with the advances made in securing physical servers, learning those techniques may not prove to be very advantageous.

This course covers the below OWASP top 10 web application security risks -

1. Injection - SQL Injection, Command Injection

2. Broken Authentication

3. Sensitive Data Exposure

4. XML External Entities (XXE)

5. Broken Access Control

6. Security Misconfiguration

7. Cross-Site Scripting (XSS)

8. Insecure Deserialization

9. Using Components with Known Vulnerabilities

10. Insufficient Logging and Monitoring

This course is for educational purposes only.


Web Application Hacking & Penetration Testing





Install XAMPP

Install DVWA and Mutillidae

Install Burp Suite and Capture traffic

Information Gathering

Website information and technologies used

Web application subdomains

Finding other web applications installed on server

Injection vulnerability

Injection, Real breaches

SQL injection - Get database, tables and users credentials

SQL injection - Bypass checks on login page at low and medium security levels

Command injection vulnerability

Broken Authentication vulnerability

Broken Authentication and Real Breaches

Logging in as Admin by manipulating cookies

Username Harvesting

Sensitive Data Exposure

Sensitive Data Exposure - Real Breaches

Paths Exposed by Robots file and Accounts Exposed

Sensitive Information Disclosure

XML External Entities (XXE) vulnerability

XML External Entities (XXE) Flaw and Real Breaches

XXE Vulnerability Demonstration

Broken Access Control Vulnerability

Broken Access Control and Real Breaches

Insecure Direct Object Reference (IDOR)

Local File Inclusion Flaw

Remote File Inclusion Flaw

Security Misconfiguration

Security Misconfiguration - Real Breaches

Directory Browsing Issue

Unrestricted File Upload Issue

Cross-Site Scripting (XSS) & Cross Site Request Forgery (CSRF)

XSS Flaw and Real Breaches

Persistent and Reflected XSS Demonstration

Cross Site Request Forgery (CSRF) Demonstration

Insecure Deserialization

Insecure Deserialization Vulnerability

Using Components with Known Vulnerabilities

Using Components with Known Vulnerabilities

Insufficient Logging & Monitoring

Insufficient Logging & Monitoring

Bonus Section

Unvalidated Redirects and Forwards


John, 3 June 2021

Super generic information provided which is available from wiki. Not enough details and explanations. Less practice.

