Web Security Testing Study Plan
This page is updated based on jassics/security-study-plan/web-pentest-study-plan
This study plan is based on milestones. Check how much you can cover and tick the checkboxes - the more you tick, the better candidate you are for the job role. Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.
Web security testing (pentesting) is different from bug bounty hunting, red teaming, and vulnerability assessment - though excelling at any of those requires being good at pentesting first.
In short:
- Pentesters are offensive security folks who try to find as many security vulnerabilities as possible, assess the risk, and exploit as much as possible - playing as internal or external attackers for the organization.
- Red Teamers care less about finding every security gap; their goal is to find one way in, exploit it, then move laterally and escalate privileges to reach the juiciest data.
- Whether you join a bug bounty platform is entirely up to your preference and available time.
Read more about Pentesting vs Red Team.
It usually takes about 6 months to be good at the fundamentals and land an entry-level role. If you also test Android or iOS apps, read the Mobile Application Security Study Plan alongside this one.
ToC
- Pentesting Concepts - 6 weeks
- Tools of the Trade - 2 weeks
- Lab Practice - 8 weeks
- Books - 2-3 months
- Videos
- Courses - complete at least one course (1-2 months)
- Certifications
- Interview Questions
Pentesting Concepts
Duration: 6 weeks
Go at your own pace, but make sure you deeply understand HTTP security response headers, brute force, DoS, XSS, CSRF, injection, IDOR, JWT, and similar core concepts.
Week 1-2: Basics
- Understand the various HTTP methods - PUT vs POST, PUT vs PATCH, leveraging OPTIONS
- Understand response status codes:
  - What does a 200 mean when you tried something malicious?
  - What can you infer from a 403?
  - What does a 500 reveal, and why?
- Understand every status code a pentester would love to see.
- Understand HTTP headers well, especially response headers
- TCP three-way handshake
- How SSL/TLS works
- Basics of security terminologies
- Essential security concepts
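An added example (not from the original study plan) of the level of detail "understand response headers well" is asking for: a small Python audit that parses a raw HTTP/1.1 response and flags missing or weak security headers and cookie attributes. The sample response and every header value in it are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample response (not captured from any real site) with
# several typical weaknesses a tester should learn to spot.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: csrf=def456; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n"
    "<html>...</html>"
)

REQUIRED = ("strict-transport-security", "x-content-type-options",
            "x-frame-options", "content-security-policy")

def parse_headers(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status, [(lowercase name, value)])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_headers(raw: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    _status, headers = parse_headers(raw)
    present: Dict[str, str] = dict(headers)  # last value wins for repeated names
    findings = [f"missing {h}" for h in REQUIRED if h not in present]
    hsts = present.get("strict-transport-security", "").lower()
    if hsts and "max-age=" not in hsts:
        findings.append("strict-transport-security lacks max-age")
    csp = present.get("content-security-policy", "").lower()
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("content-security-policy allows unsafe-inline/unsafe-eval")
    # Every Set-Cookie is checked on its own; the dict above would hide duplicates.
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            # Attribute names after the name=value pair, e.g. {"path", "secure"}.
            attrs = {p.strip().split("=")[0].lower() for p in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    return findings
```

Running `audit_headers(SAMPLE_RESPONSE)` reports the three missing headers, the inline-script CSP, and the three flags the `session` cookie lacks, while the `csrf` cookie passes.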
Week 3-4: Security Concepts
Most of these are covered at the OWASP Cheat Sheet Series. Understand what each is, how it can be vulnerable, and how to exploit or mitigate it.
- How proper AuthN/AuthZ implementation contributes to robust security, and what an attacker can exploit
- How sessions and cookies can be vulnerable, bypassed, or exploited
- In-depth XSS
- REST concepts like CRUD
- Injection types, especially SQLi, RFI, LFI
- Mass assignment
- CSP concepts
- SSRF
- Automated brute force
- Credential stuffing
- JWTs
- Encoding, decoding, hashing basics
- Session fixation, session hijacking
- Third-party vulnerability checks and exploitation
- Black-box vs white-box testing
- SAST vs DAST
- CORS
Week 5-6: Advanced Security Skills
- Master the OWASP Web Security Testing Guide hands-on
- Learn how to leverage a vulnerability to achieve RCE
- Learn to test for OS command injection
- Understand what causes BOLA and BFLA, and get good at testing for them
- Weak cipher suites
- Advanced SQL injection
- XML injection, JSON injection
- SAML and LDAP injection
- NoSQL injection
- GraphQL injection
- XXE attacks
- Template injection
- Deserialization
Tools of the Trade
Duration: 2 weeks
Tools aren't everything, but they make you a more efficient pentester. Don't be a tool junkie - understand each tool's functionality and when to use it. Kali OS ships with almost everything you'll need; a few worth calling out explicitly:
Week 7-8: Essential Tools
- Kali Linux
- Burp Suite Pro or OWASP ZAP - your bread and butter
- Metasploit
- Nmap - you'll use it every time you start a pentest
- dirb
- Nikto
- Fierce
- dnsenum
- sqlmap
- Shodan
- BeEF
- Arachni
- Wireshark
- Hydra
- Cain and Abel
- w3af
Lab Practice
Duration: 8 weeks
Week 9-16: Hands-On Practice
- Kontra for OWASP Top 10 for Web
- Hack The Box
- TryHackMe
- OWASP WebGoat
- OWASP Juice Shop
- PentesterLab
- AttackDefense Lab - recommended, needs a paid subscription
- DVWA
Books
- The Web Application Hacker's Handbook - start here, or with the Web Security Academy
- OWASP Web Security Testing Guide - read this second
- The Hacker Playbook 3: Practical Guide To Penetration Testing
- Real World Bug Hunting
- Web Hacking 101 by Peter Yaworski
Videos
Blogs / Other References
Courses
Choose lab-based courses to test how much you actually understand:
- Cybrary
- Pentester Academy - notably Python for Pentesters, JavaScript for Pentesters, Pentesting with Metasploit, WAP Challenges, Web Application Pentesting
- Introduction to Web Security from Stanford
- Pentesting for Beginners
- Pentesting from EdX
- Web Security Academy - you can skip the Web Application Hacker's Handbook if learning here
- Computer Systems Security from MIT
- pwn.guide
Certifications
Certifications get you an HR call, but real hands-on experience beats anything.
See the full list of cybersecurity certifications for more.
Networking Matters
Once you're on track and understand the fundamentals, it's time to:
- Make good LinkedIn contacts in the security domain
- Find a mentor
- Make connections through security conferences, online or offline
- Publish a few good hacking articles - basic concepts are fine, but publish
- Join webinars and conferences
- Help a beginner who's struggling
By the time you've worked through this checklist, you'll already be on your way to a strong start in a web security job role. All the best!
Whom to Follow on Twitter
- Dave Kennedy
- Kevin Mitnick
- The Hacker News (THN)
- PortSwigger
- Dark Reading
- Defcon
- Nullcon
- NahamSec
- TryHackMe
- HackerOne
- BugCrowd
- OWASP
- Troy Hunt
- Jason Haddix
- Parisa Tabriz
- Binni Shah
- Random Robbie
- TomNomNom
- Aditya Shende
- Infosec Community
- Hacking Articles
- Harsh Bothra
Interview Questions
Web Security interview questions are also maintained on GitHub, kept aligned with the wider cybersecurity-roadmap.
See jassics/security-study-plan for the latest updates to this plan.