Web Penetration Testing & Bug Bounty Hunting

Average duration: 18h


This practical learning path will guide you through how to find vulnerabilities and bugs in websites and web applications through web penetration testing. If you're looking to get involved in ethical hacking, you're in the right place!

We are going to learn how to find vulnerabilities, how hackers carry out attacks, and how you can protect yourself against attacks, or make money as a bug bounty hunter. This is a very hands-on learning path and all the concepts we cover will be accompanied by real-world demos which you can follow along with.

Learning Objectives

  • Carry out penetration testing on websites and web apps
  • Learn how to use Burp Suite
  • Understand how to make money legitimately from bug bounties
  • Learn the fundamentals of cyber security
  • Set up and learn how to use Kali Linux
  • Learn how to enhance web security and API security

Intended Audience

This learning path is intended for anyone who wants to learn about web penetration testing, Burp Suite, and/or how to make money legitimately through ethical hacking.


You don't need any prior knowledge of web penetration testing to take this learning path, but any previous programming experience would be beneficial.


Training Content

Course - Beginner - 7m
Learning Path Introduction
The course briefly introduces the learning path and what you can expect to get out of it.
Course - Beginner - 1h 39m
Setting Up Kali Linux
This course explains how to set up Kali Linux as part of the Web Penetration Testing & Bug Bounty learning path.
Course - Beginner - 1h 16m
Introduction to Kali Linux
This course provides an overview of Kali Linux and Linux in general, and some of their main components and features.
Course - Intermediate - 58m
Crash Course in HTML
This crash course in HTML starts off with some basic questions such as "What is a website?" and "How do websites work?" before moving on to look at the fundamentals of HTML.
Course - Intermediate - 1h 34m
A Practical Introduction to HTML Injection
This course explores HTML injection, stored HTML injection, and other types of attacks in order to begin carrying out some web pen testing in a practical way.
Course - Intermediate - 26m
A Practical Intro to PHP Injections
This course builds upon our bWAPP app to run you through how to carry out PHP Injections as well as look at upload vulnerabilities.
Course - Intermediate - 35m
Command Injection & SSI
In this course, we continue working on bWAPP and we're going to use it to learn about some new attacks, namely command injection and SSI vulnerabilities.
Course - Intermediate - 24m
Introduction to Directory Traversal
In this course, you will learn how unauthorized files and folders can be viewed using a technique known as directory traversal, and how to automate the process with a tool called dotdotpwn.
Course - Intermediate - 27m
Introduction to Cross-Site Scripting Attacks
This course covers cross-site scripting (XSS) attacks, including reflected XSS, reflected AJAX XSS, and stored XSS.
Course - Intermediate - 48m
Cross-Site Request Forgery (CSRF)
This course talks about Cross-Site Request Forgery (CSRF) and covers how to install a vulnerable machine called Metasploitable and how to start using it.
Course - Intermediate - 21m
Brute Force Attacks
This course covers brute force attacks as well as the features of Burp Suite.
Course - Intermediate - 41m
SQL Crash Course
Get a crash course in SQL and learn some of the most common and dangerous vulnerabilities that you will come across when web pentesting or bug bounty hunting.
Course - Intermediate - 31m
Introduction to SQL Injection
This course covers how to find vulnerabilities, how to inject comments using said vulnerabilities, and other techniques that allow you to penetrate SQL databases.
Course - Intermediate - 34m
SQLi GET Requests
In this course, we're going to continue learning about SQL Injections, focusing on GET SQL Injections.
Course - Intermediate - 50m
Advanced SQLi
This course provides you with a deep dive into SQL Injections, covering some of the more advanced techniques.
Course - Intermediate - 2h 6m
Web Penetration Testing with Juice Shop
This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges.
Course - Intermediate - 50m
Introduction to Server-Side Request Forgery
In this course, we're going to take a look at the Server-Side Request Forgery (SSRF) vulnerability and learn what it is and how we can exploit it.
Course - Intermediate - 32m
Information Gathering
Learn about the information gathering techniques that you can carry out as reconnaissance on the website you're planning to attack.
Course - Intermediate - 3h
API Pentesting
This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well.
Course - Intermediate - 10m
How to Make Money Legally with Web Pentesting
This course covers some additional resources that you can use to improve your web penetration testing and bug bounty skills, and how you can make money from them through legitimate means.
About the Author
Learning paths: 3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.