Map how modern web applications are built, uncover their hidden endpoints, and exploit the most common web server weaknesses.

This module opens your web application testing journey by teaching you to walk through a target the way an attacker does, surfacing the hidden pages, directories, and files that ordinary users never see. You’ll then dig into the modern stacks that power today’s sites, understanding how frontend frameworks, APIs, and backend technologies each introduce their own attack surface. By the end, you’ll be running practical web server attacks and reading them through a pentester’s lens.

Walking An Application

Manually review a web application for security issues using only your browser's developer tools.

Content Discovery

Discover hidden web content using manual techniques, OSINT, and Gobuster enumeration.

Modern Web Stacks

Four web stacks, four CVEs: fingerprint MERN, Next.js, Django, and LAMP, then exploit each one.

Web Server Attacks - I

Enumerate and identify misconfigurations across Apache, Nginx, Node.js, and Python HTTP Server.

Web Server Attacks - II

Attack IIS through fingerprinting, tilde enumeration, WebDAV shell upload, and learn automation.

Lock in what you learned with a recap. Earn points and keep your streak.

Need to know

Networking

Learn about the OSI model and TCP/IP networking layers. Explore the different plaintext and secure networking protocols that we use every day.

Web Hacking

Learn about web applications, JavaScript, SQL and explore BurpSuite, a web application security testing platform.

Next steps

Burp Suite

Burp Suite is the industry standard tool for web application hacking, and is essential in any web penetration test.

Web Application Vulnerabilities I

Exploit five of the most impactful web vulnerabilities, from SQL injection to IDOR, and prove your skills in a hands-on challenge.

What are modules?

A learning pathway is made up of modules, and a module is made of bite-sized rooms (think of a room like a mini security lab).

Hierarchical diagram showing how learning pathways contain modules, which contain individual rooms.

Web Application Security Fundamentals

Walking An Application

Content Discovery

Modern Web Stacks

Web Server Attacks - I

Web Server Attacks - II

Topic Rewind Recap