🎯 Goal
Understand how web applications work, how they break, and how to test them. This is the core of bug bounty hunting, web penetration testing, and securing modern applications.
🔑 Key Skills to Learn
- HTTP/HTTPS Deep Dive: Methods (GET, POST, PUT, DELETE), headers (Cookie, User-Agent, CORS headers such as Access-Control-Allow-Origin), status codes, caching.
- Browser Developer Tools: Inspect element, Network tab, Console, Storage (cookies, local storage).
- Input Validation & Injection Attacks: SQL injection (SQLi), Cross-Site Scripting (XSS), Command Injection, LDAP Injection.
- Authentication & Session Flaws: Broken authentication, session fixation, JWT weaknesses, OAuth misconfigurations.
- Access Control Issues: IDOR (Insecure Direct Object References), privilege escalation, CORS misconfigurations.
- Cross-Site Request Forgery (CSRF): How it works and protections (CSRF tokens, SameSite cookies).
- Server-Side Request Forgery (SSRF): Exploiting server-side requests to internal services.
- File Upload Vulnerabilities: Unrestricted file upload, bypassing filters, RCE via uploads.
- OWASP Top 10 (Full List): Apply every item in practical scenarios.
- API Security Testing: REST, GraphQL, common API vulnerabilities (JWT flaws, mass assignment, missing rate limiting).
- Burp Suite Basics: Proxy, Repeater, Intruder, extensions.
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| Burp Suite Community Edition | Intercepting proxy, request manipulation, automation. |
| OWASP ZAP | Open-source intercepting proxy and scanner. |
| Ffuf / GoBuster | Fast web fuzzer for directories, subdomains, parameters. |
| SQLmap | Automated SQL injection detection and exploitation. |
| Nuclei | Template-based vulnerability scanner for known patterns. |
| Postman / Insomnia | API testing clients. |
| Browser DevTools | Built-in network and debugger panels. |
| HackBar (browser extension) | Quick encoding, payload generation (Burp's Repeater can also do this). |
📖 Free Learning Resources
- PortSwigger Web Security Academy – The gold standard: free, in-depth labs for every OWASP category.
- OWASP Top 10 – Reference documentation.
- Bugcrowd University – Free content on common vulnerability classes and report writing.
- Hacker101 – Free video lessons and CTF challenges.
- TryHackMe – Web Fundamentals Path – Rooms: "OWASP Top 10", "Web Hacking", "Burp Suite".
- API Security Fundamentals (APISec University) – Free course on API security testing.
- Google Gruyere – A deliberately vulnerable web app with tutorials.
🔗 Roadmap Placement
- Prerequisites: Core Security Concepts, Linux, Networking. You need to understand HTTP, Linux terminal, and basic security principles.
- Directly Enables: Bug Bounty hunting, Web Application Penetration Testing, and parts of Red Teaming (initial access via web exploitation). It also helps Blue Teamers recognize web-based attacks in logs.
- Next Step: Within the Offensive path, you can move to Advanced Web Exploitation & Bug Bounty Methodology, or to Red Teaming / Internal Penetration Testing.