Web Application Vulnerabilities Primer (Beginner Level)
Total Duration: 6 Hours
Audience: Beginners with Minimal Web Pentesting Experience
Format: Theory + Hands-on Labs
Core Coverage: OWASP Top 10 (2025) + Practical Vulnerability Exploitation
Training Agenda (6 Hours Total)
Session 1: Web Application Pentesting Foundations
• Theory
  • What is Web Application Security?
  • Role of a Web Pentester in an organization
  • Understanding how modern web apps work:
    • Client vs Server
    • Requests, Responses, Sessions, Cookies
  • Introduction to the Pentesting Lifecycle:
    • Recon → Testing → Exploitation → Reporting
• Practical
  • Walkthrough of the lab environment
  • Burp Suite basics (Intercept, Repeater, Replaying Requests)
Session 2: OWASP Top 10 (2025) – Big Picture + Pentester Mindset
• Theory
  • What is OWASP and why the Top 10 matters
  • How attackers think vs how developers build
  • Mapping OWASP risks to real-world breaches
• Activity
  • Identifying attack surfaces in a sample application
  • Pentester mindset exercise: “Where could this break?”
Session 3: Injection Vulnerabilities (SQLi, Command Injection, SSTI)
• SQL Injection
  • Introduction to SQL Injection
  • Why SQLi is still one of the most critical web vulnerabilities
  • Types of SQL Injection:
    • Authentication-based SQLi
    • Union-based SQLi
    • Error-based SQLi
    • Database-specific SQLi (Oracle focus)
  • Understanding how SQL queries get manipulated by attackers
  • Labs
    • SQL Injection vulnerability allowing login bypass
    • SQL Injection attack to identify database type and version (Oracle)
• OS Command Injection
  • Introduction to Command Injection
  • Common injection points in web apps
  • Labs
    • OS Command Injection (simple case)
• Server-Side Template Injection (SSTI)
  • Introduction to SSTI
  • Template engines and how rendering works
  • Identifying unsafe template usage
  • Labs
    • Basic Server-Side Template Injection
Session 4: Authentication + Access Control Failures
• Authentication Failures
  • Introduction to Authentication vulnerabilities
  • Weaknesses in login and multi-step verification flows
  • Common failures:
    • MFA/2FA bypass issues
    • Broken reset mechanisms
    • Session handling weaknesses
  • Labs
    • 2FA simple bypass
    • Password reset broken logic
• Access Control Failures
  • Introduction to Broken Access Control
  • Why authorization failures are the #1 OWASP risk
  • Types of access control flaws:
    • Missing role enforcement
    • Direct access to admin endpoints
    • URL-based privilege escalation
  • Labs
    • Unprotected admin functionality
    • URL-based access control can be circumvented
Session 5: Cross-Site Request Forgery (CSRF)
• CSRF Topic
  • Introduction to CSRF
  • How attackers abuse authenticated user sessions
  • Understanding CSRF in state-changing requests
  • Real-world CSRF bypass scenarios
  • Labs
    • CSRF vulnerability with no defenses
    • CSRF where token validation depends on request method
Session 6: Cross-Site Scripting (XSS)
• XSS Topic
  • Introduction to XSS
  • Why XSS is still a major client-side attack vector
  • Types of XSS:
    • Reflected XSS
    • Stored XSS
    • DOM-based XSS
  • Understanding contexts:
    • HTML context
    • Attribute context
    • JavaScript context
  • Secure output encoding principles
  • Labs
    • Reflected XSS into HTML context with nothing encoded
    • Stored XSS into HTML context with nothing encoded
    • DOM XSS in document.write sink using location.search
Session 7: Path Traversal + File Upload Vulnerabilities
• Path Traversal
  • Introduction to Path Traversal
  • How file systems are exposed through web applications
  • Common traversal patterns and restrictions
  • Bypass techniques when filters are applied
  • Real-world impact: reading sensitive server files
  • Labs
    • File path traversal (simple case)
    • File path traversal with blocked sequences and absolute path bypass
• File Upload Vulnerabilities
  • Introduction to File Upload Risks
  • Why upload features are high-risk
  • Common insecure validations:
    • Extension checks
    • Content-Type checks
  • Labs
    • Remote code execution via web shell upload
    • Web shell upload via Content-Type restriction bypass
Session 8: Modern Client-Side + Business Logic Vulnerabilities
• Prototype Pollution
  • Introduction to Prototype Pollution
  • Why modern JavaScript applications are vulnerable
  • Client-side pollution via unsafe object handling
  • Labs
    • Client-side prototype pollution via browser APIs
• Business Logic Vulnerabilities
  • Introduction to Business Logic flaws
  • Difference between technical bugs and workflow abuse
  • Examples of logic vulnerabilities:
    • Trusting client-side controls
    • Breaking application assumptions
  • Why these are hard to detect automatically
  • Labs
    • Excessive trust in client-side controls
    • Low-level logic flaw
Lab Requirements
• Laptop with Admin Privileges
• Burp Suite Community Edition
• Browser (Chrome/Firefox)
• Practice Platform: PortSwigger Web Security Academy Labs
• Practice with avatao labs