Web pentesting

Web Application Penetration Testing Study Plan

A milestone-based roadmap for web application pentesting fundamentals, tools, labs, reading, courses, certifications, and career networking.

Use this after Common Security Skills. Close as many checklist items as possible. Strong fundamentals and hands-on practice matter most for entry-level web security roles.

Expected pace

6 months

Fundamentals to entry-level readiness.

Role clarity

Pentesters find security vulnerabilities, assess risk, and exploit where possible as internal or external attackers.

Red teamers focus on one way in, then lateral movement and high-value data access.

Vulnerability assessment is not pentesting, but VAPT skills are common in pentester jobs.

Bug bounty is optional and depends on preference and time.

Pentesters vs Red Team Mobile Application Security Study Plan

Pentesting Concepts Tools of Trade Lab Practices Books Videos Blogs and Other References Courses Certifications Networking Matters Whom to Follow on Twitter

Section 1

Pentesting Concepts

6 weeks

Understand web and security fundamentals deeply: HTTP, headers, status codes, authentication, authorization, XSS, CSRF, injection, IDOR, JWT, and more.

Week 1-2: Basics

HTTP methods, PUT vs POST, UPDATE vs PATCH, and OPTIONS method HTTP response status codes

Analyze what 200 means after malicious input.

Understand what to do after 403.

Try to trigger 500 and understand what it can reveal.

Learn status codes pentesters want to see.

HTTP headers, especially response headers

TCP 3-way handshake

How SSL works

Cybersecurity terminologies Essential security concepts

Week 3-4: Security Concepts

Use OWASP Cheat Sheet Series to learn what each issue is, why it happens, how to exploit it, and how to mitigate it.

OWASP Cheat Sheet Series

Authentication and authorization implementation, bypass, and exploitation.

Session and cookie vulnerabilities, bypasses, and exploitation.

In-depth XSS.

REST concepts like CRUD.

Injection types, especially SQLi, RFI, and LFI.

Mass assignment.

CSP concepts.

SSRF.

Automated bruteforce.

Credential stuffing.

JWT tokens.

Encoding, decoding, and hashing basics.

Session fixation and session hijacking.

Third-party vulnerability checks and exploitation.

Black-box and white-box testing scope.

SAST vs DAST.

CORS.

Week 5-6: Advanced Security Skill Sets

OWASP Testing Guide hands-on practice.

Leverage vulnerability chains to achieve RCE.

Test for OS command injection.

Understand BOLA and BFLA causes and testing.

Weak cipher suites.

Advanced SQL injection.

XML injection and JSON injection.

SAML and LDAP injection.

NoSQL injection.

GraphQL injection.

XXE attacks.

Template injection.

Deserialization.

Section 2

Tools of Trade

2 weeks

Tools make pentesters efficient, but do not become tool-only. Learn each tool deeply: purpose, features, when to use it, and how it works.

Week 7-8: Essential Tools

Kali Linux

Burp Suite Pro or OWASP ZAP

Metasploit

nmap

dirb

nikto

fierce

dnsenum

sqlmap

Shodan

BeeF

Arachni

Wireshark

hydra

Cain and Abel

w3af

Section 3

Lab Practices

8 weeks

Hands-on practice is the core of web pentest readiness. Use lab platforms and vulnerable apps repeatedly.

Week 9-16: Hands-on Practice

Kontra OWASP Top 10 for Web Hack The Box TryHackMe OWASP WebGoat OWASP Juice Shop PentesterLab AttackDefense LabRecommended, paid subscription DVWA

Section 4

Books

2-3 months

Read 1-2 books. Start with Web Application Hacker's Handbook or Web Security Academy, then OWASP testing guidance.

The Web Application Hacker's HandbookRead first or use Web Security Academy OWASP Web Security Testing GuideRead second The Hacker Playbook 3 Real World Bug Hunting Web Hacking 101 by Peter Yaworski

Section 5

Videos

Use video material to reinforce pentesting fundamentals and web security workflow.

Penetration Testing for Beginners Web Security Course Playlist

Section 6

Blogs and Other References

Track vulnerability databases, security research, and industry reporting.

Exploit Database CVE Schneier on Security Krebs on Security

Section 7

Courses

1-2 months

Choose lab-based free or paid courses to speed up learning and test practical understanding.

Cybrary OWASP courses Pentester AcademyPython, JavaScript, Metasploit, WAP, web app pentesting Introduction to Web Security from Stanford Pentesting for Beginners Pentesting from EdX Web Security AcademyCan replace Web Application Hacker's Handbook reading Computer Systems Security from MIT pwn.guide

Section 8

Certifications

Certifications can help with HR calls, but hands-on experience can beat anything.

CEHNot highly recommended, but okay if fully new eJPT eWPTXv2 OSCP OSWE GPEN GWAPT Other cybersecurity certifications

Section 9

Networking Matters

Build security community presence while learning. Connections, writing, and helping beginners improve your own understanding.

Make good LinkedIn contacts from security domain.

Find a mentor.

Make connections through online and offline security conferences.

Publish hacking articles, even basic concepts. Medium works.

Join webinars and conferences.

Help someone who is still a beginner.

Section 10

Whom to Follow on Twitter

Security professionals share useful tools, research, writeups, and field notes here.