
Web Security Testing Study Plan

This page is updated based on jassics/security-study-plan/web-pentest-study-plan

This study plan is based on milestones. Check how much you can cover and tick off the checkboxes - the more you tick off, the better a candidate you are for the job role. I also assume you have already worked through, and are comfortable with, the Common Security Skills study plan.

Web security testing (pentesting) is different from bug bounty hunting, red teaming, and vulnerability assessment - though excelling at any of those requires being good at pentesting first.

In short:

  1. Pentesters are offensive security folks who try to find as many security vulnerabilities as possible, assess the risk, and exploit as much as possible - playing as internal or external attackers for the organization.
  2. Red Teamers care less about finding every security gap; their goal is to find one way in, exploit it, then escalate privileges and move laterally to reach the juiciest data.
  3. Whether you join a bug bounty platform is entirely up to your preference and available time.

Read more about Pentesting vs Red Team.

It usually takes about 6 months to be good at the fundamentals and land an entry-level role. If you also test Android or iOS apps, read the Mobile Application Security Study Plan alongside this one.

ToC

  1. Pentesting Concepts - 6 weeks
  2. Tools of the Trade - 2 weeks
  3. Lab Practice - 8 weeks
  4. Books - 2-3 months
  5. Videos
  6. Courses - complete at least one course (1-2 months)
  7. Certifications
  8. Interview Questions

Pentesting Concepts

Duration: 6 weeks

Go at your own pace, but make sure you deeply understand HTTP security response headers, brute force, DoS, XSS, CSRF, injection, IDOR, JWT, and similar core concepts.

Week 1-2: Basics

  1. Understand the various HTTP methods - PUT vs POST, UPDATE vs PATCH, leveraging OPTIONS
  2. Understand response status codes:
     - What does a 200 mean when you tried something malicious?
     - What can you infer from a 403?
     - What does a 500 reveal, and why?
     - Understand every status code a pentester would love to see.
  3. Understand HTTP headers well, especially response headers
  4. TCP three-way handshake
  5. How SSL/TLS works
  6. Basic security terminology
  7. Essential security concepts

Week 3-4: Security Concepts

Most of these are covered at the OWASP Cheat Sheet Series. Understand what each is, how it can be vulnerable, and how to exploit or mitigate it.

  1. How proper AuthN/AuthZ implementation contributes to robust security, and what an attacker can exploit
  2. How sessions and cookies can be vulnerable, bypassed, or exploited
  3. In-depth XSS
  4. REST concepts like CRUD
  5. Injection types, especially SQLi, RFI, LFI
  6. Mass assignment
  7. CSP concepts
  8. SSRF
  9. Automated brute force
  10. Credential stuffing
  11. JWTs (JSON Web Tokens)
  12. Encoding, decoding, hashing basics
  13. Session fixation, session hijacking
  14. Third-party vulnerability checks and exploitation
  15. Black-box vs white-box testing
  16. SAST vs DAST
  17. CORS

Week 5-6: Advanced Security Skills

  1. Master the OWASP Web Security Testing Guide hands-on
  2. Learn how to leverage a vulnerability to achieve RCE
  3. Learn to test for OS command injection
  4. Understand what causes BOLA and BFLA, and get good at testing for them
  5. Weak cipher suites
  6. Advanced SQL injection
  7. XML injection, JSON injection
  8. SAML and LDAP injection
  9. NoSQL injection
  10. GraphQL injection
  11. XXE attacks
  12. Template injection
  13. Deserialization

Tools of the Trade

Duration: 2 weeks

Tools aren't everything, but they make you a more efficient pentester. Don't be a tool junkie - understand each tool's functionality and when to use it. Kali OS ships with almost everything you'll need; a few worth calling out explicitly:

Week 7-8: Essential Tools

  1. Kali Linux
  2. Burp Suite Pro or OWASP ZAP - your bread and butter
  3. Metasploit
  4. Nmap - you'll use it every time you start a pentest
  5. dirb
  6. Nikto
  7. Fierce
  8. dnsenum
  9. sqlmap
  10. Shodan
  11. BeEF
  12. Arachni
  13. Wireshark
  14. Hydra
  15. Cain and Abel
  16. w3af

Lab Practice

Duration: 8 weeks

Week 9-16: Hands-On Practice

  1. Kontra for OWASP Top 10 for Web
  2. Hack The Box
  3. TryHackMe
  4. OWASP WebGoat
  5. OWASP Juice Shop
  6. PentesterLab
  7. AttackDefense Lab - recommended, needs a paid subscription
  8. DVWA

Books

  1. The Web Application Hacker's Handbook - start here, or with the Web Security Academy
  2. OWASP Web Security Testing Guide - read this second
  3. The Hacker Playbook 3: Practical Guide To Penetration Testing
  4. Real World Bug Hunting
  5. Web Hacking 101 by Peter Yaworski

Videos

  1. Penetration Testing for Beginners
  2. Web Security Course - Playlist

Blogs / Other References

  1. Exploit-DB
  2. CVE
  3. Schneier on Security
  4. Krebs on Security

Courses

Choose lab-based courses to test how much you actually understand:

  1. Cybrary
  2. Pentester Academy - notably Python for Pentesters, JavaScript for Pentesters, Pentesting with Metasploit, WAP Challenges, Web Application Pentesting
  3. Introduction to Web Security from Stanford
  4. Pentesting for Beginners
  5. Pentesting from EdX
  6. Web Security Academy - you can skip the Web Application Hacker's Handbook if learning here
  7. Computer Systems Security from MIT
  8. pwn.guide

Certifications

Certifications get you an HR call, but real hands-on experience beats anything.

  1. CEH - not highly recommended, but a fine start if you're new
  2. eJPT
  3. eWPTXv2
  4. OSCP
  5. OSWE
  6. GPEN
  7. GWAPT

See the full list of cybersecurity certifications for more.

Networking Matters

Once you're on track and understand the fundamentals, it's time to:

  1. Make good LinkedIn contacts in the security domain
  2. Find a mentor
  3. Make connections through security conferences, online or offline
  4. Publish a few good hacking articles - basic concepts are fine, but publish
  5. Join webinars and conferences
  6. Help a beginner who's struggling

By the time you've worked through this checklist, you'll already be on your way to a strong start in a web security job role. All the best!

Whom to Follow on Twitter

  1. Dave Kennedy
  2. Kevin Mitnick
  3. The Hacker News (THN)
  4. PortSwigger
  5. Dark Reading
  6. Defcon
  7. Nullcon
  8. NahamSec
  9. TryHackMe
  10. HackerOne
  11. BugCrowd
  12. OWASP
  13. Troy Hunt
  14. Jason Haddix
  15. Parisa Tabriz
  16. Binni Shah
  17. Random Robbie
  18. TomNomNom
  19. Aditya Shende
  20. Infosec Community
  21. Hacking Articles
  22. Harsh Bothra

Interview Questions

Web Security interview questions are also maintained on GitHub, kept aligned with the wider cybersecurity-roadmap.

See jassics/security-study-plan for the latest updates to this plan.