On-Demand: Web Application Security: Beginner Edition Bootcamp

A beginner-friendly introduction to the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities, where you will build a solid foundation in pentesting modern web applications with different attack tools.

Recordings of this bootcamp are now available as part of our annual subscription. Subscribe to enjoy:
  • Access to all on-demand bootcamps and relevant labs, including this one
  • 2000+ hands-on labs covering another 130+ subtopics

What You'll Learn

Web application security is as old as the web itself, but today almost all web applications have moved to the cloud. This bootcamp lets you practice attacks on real-world web applications and teaches the subtle differences between pentesting traditional and cloud-hosted applications.

Throughout the 4 sessions, you will learn WebApp basics, OWASP Top 10 vulnerabilities and more, all via hands-on practice in our labs. End the bootcamp with skills that are immediately usable in real-life engagements!
  • 12+ Hours of Live Session Recordings
  • Over 50 Lab Exercises

Bootcamp Syllabus

Module I: Modern Web Applications and Protocol Basics

Learn the building blocks of web applications and how everything works behind the scenes, including HTTP methods, web design patterns, and client- and server-side components. Understand modern deployment architectures such as single-page applications, microservices and serverless architecture.
  • Client-side Languages and Concepts
  • Server-side Concepts
  • Web Servers
  • Web Communication - HTTP verbs
      • HTTP request methods
      • HTTP response codes
      • HTTP headers and security
      • HTTP access control
      • HTTP authentication
      • HTTP cookies
      • HTTPS vs HTTP
  • Data Storage - Database Servers
      • SQL
      • NoSQL
  • Web Application Architecture
      • Monolithic architecture
      • Single page applications
      • Microservices
      • Serverless architecture

Module II: Reconnaissance Basics

Learn how to perform reconnaissance on a network, identify live hosts, and fingerprint the services running on machines.
  • Domain Reconnaissance
      • Whois lookup
      • DNS reconnaissance
  • Network Scanning and Live Host Identification
      • Open Ports and Running Services
      • Identifying Architectures, Operating Systems and Frameworks
  • Spidering/Crawling Websites
  • Performing Directory Enumeration
  • Discovering Protected Resources

Module III: Tools of the Trade

Learn how to use popular open source tools for reconnaissance, observing and manipulating traffic, and automating attacks.
  • Enumerating Common/Framework-specific Directories
      • DIRB
      • DirBuster
      • Burp Suite
      • OpenDoor
  • Crawling Web Pages
      • ZAP
      • HTTrack
      • Burp Suite
  • Identifying Web Application Vulnerabilities with Scanners
      • Nikto
      • OpenVAS
      • Wapiti
      • Vega
      • OWASP OWTF
  • XSS Scanner
      • XSSer
  • Attacking Database Servers
      • sqlmap
      • jSQL
      • BBQSQL

Module IV: OWASP Top 10

Familiarize yourself with the OWASP Top 10, the most common web application vulnerability classes attackers exploit today. Learn each one through practical hands-on labs using both manual methods and tool-based automation where applicable.
  • A1 Injection Attacks
      • SQL Injection
      • NoSQL Injection
      • OS Command Injection
      • Code Injection
  • A2 Broken Authentication
      • Weak Credentials
      • Default Credentials
      • SQL Injection
      • Cookie Manipulation
      • Parameter Tampering
  • A3 Sensitive Data Exposure
      • Plain Text Transmission (HTTP/FTP/SMTP)
      • Presence of .git Directory
      • Presence of Debugging Utilities
      • Installation Files/README
      • Backup Directory/Log Directories
      • Lack of Custom Error Pages
  • A4 XML External Entity
      • Classic XXE
      • Error Based XXE
      • Blind XXE
  • A5 Broken Access Control
      • Path Traversal
      • Remote File Inclusion
      • Insecure Direct Object Reference
      • Client-Side Checks
      • Missing/Improper Functional Level Access Control
      • Missing HTTP Method-specific Access Control on Resources
      • CORS Misconfiguration
  • A6 Security Misconfigurations
      • Management Applications with Weak/Default Credentials
      • Directory Listing Enabled
      • Disabled Security Features
      • Poor Error Handling
  • A7 Cross-Site Scripting
      • Reflected Cross-Site Scripting
      • Stored Cross-Site Scripting
      • DOM Based Cross-Site Scripting
  • A8 Insecure Deserialization
      • Remote Code Execution
      • Denial of Service
  • A9 Using Components with Known Vulnerabilities
  • A10 Insufficient Logging & Monitoring

Module V: Real World Attacks

Work through case studies of popular real-world attacks, understand the root cause of each vulnerability, and see how attackers exploited it.
  • Case Study
      • Laravel Unserialize RCE (CVE-2018-15133)
      • Rails DoubleTap RCE (CVE-2019-5418, CVE-2019-5420)
      • jQuery-File-Upload (CVE-2018-9206)
      • Drupalgeddon2 (CVE-2018-7600)

Prerequisites

1. A basic knowledge of computers and networking
2. Familiarity with the Linux operating system

Accessible via our AttackDefense lab platform

Upon logging in to the AttackDefense lab platform, annual subscribers will be able to access recordings of all our on-demand bootcamps and associated labs.

Subscribe to access bootcamp recordings and more!

  • Bootcamp recordings for select topics, accessible anytime

Follow along with instructors as they walk you through both theory and practice! With bootcamp recordings at your fingertips, master in-demand topics at your own pace, without time zone concerns. Take your time to go through our massive content library – you'll need it!
  • Access 135+ topics

Expand your horizons beyond bootcamps with 2000+ hands-on labs and 1500+ video courses! Our annual subscription grants you access to a massive content library – perfect for self-paced learning on an ongoing basis. View our entire list of topics here.
  • Browser-based platform; no VPN needed

Learning with us is simple. Our labs are completely browser-based and include access to a Terminal/GUI-based Kali, Ubuntu or other operating systems, with the necessary tools and scripts pre-installed. All you need is an internet connection to get started!
  • Real-world scenarios

Our lab scenarios are based on real-world circumstances as much as possible. With realistic scenarios, students are prepared for actual pentesting and Red Team engagements.
  • Earn verifiable badges

Complete challenges to earn badges. Verified by Accredible, badges declare your skill in specific topics and are easily shared on social media to help your profile stand out!

Meet the instructor

Jeswin Mathai

He has published his work at DEFCON China, RootCon, Blackhat Arsenal, and Demo Labs (DEFCON). He has also been a co-trainer in classroom training conducted at HITB, RootCon and OWASP NZ Day. He holds a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar, which, in association with CDAC and ISEA, performed security audits of government portals and conducted awareness workshops for government institutions. His areas of interest include Malware Analysis and Reverse Engineering, Cryptography, WiFi security, and Web Application Security.
