O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Hacking Web Applications The Art of Hacking Series LiveLessons: Security Penetration Testing for Today's DevOps and Cloud Environments

Video Description

5+ Hours of Video Instruction



More than 5 hours of video instruction to help you perform ethical hacking, penetration testing, and security posture assessment through compromising, analyzing, and mitigating web application vulnerabilities.



Hacking Web Applications (The Art of Hacking Series) LiveLessons provides step-by-step, real-life scenarios for performing security assessments (penetration testing) through web application vulnerabilities.


This course shows you how to set up a penetration testing lab for web app pen testing where you will learn how to perform reconnaissance and profiling. After these initial steps, you will learn to exploit many vulnerabilities including authentication, session management, injection-based, cross-site scripting, cross-site request forgery, and cryptographic implementations. You will also learn how to assess and perform application programming interface (API) attacks, client-side attacks, and additional web application vulnerability attacks.


The primary objective of this course is not to perform malicious attacks, but rather to provide you with step-by-step guidance so you can learn ethical hacking, penetration testing, and security posture assessment as it pertains to web applications. Through the skills explored throughout the course lessons, you will learn the various concepts associated with many different leading-edge offensive security skills in the industry. The course is full of multimedia tutorials and hands-on demos that users can apply to real-world scenarios, and cyber security veteran Omar Santos provides critical information for anyone interested in pursuing an ethical hacking career or simply keeping abreast of evolving threats to keep the web applications of your or your clients’ networks secure from vulnerabilities.



Skill Level

  • Intermediate networking and basic hacking knowledge


Learn How To

  • Assess everything you need to know to perform ethical hacking and penetration testing on web applications
  • Understand web application protocols, HTTP Request/Response, session management and cookies, DevOps, cloud services, web application frameworks, and Docker containers to better assess web application vulnerabilities
  • Build your own web application lab for penetration testing
  • Profile and perform passive and active reconnaissance on web applications through several techniques and applications
  • Exploit authentication and session management responsibilities
  • Exploit and mitigate injection-based command, SQL, and XML vulnerabilities
  • Exploit and mitigate Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities
  • Exploit and mitigate cryptographic vulnerabilities
  • Understand and test APIs to mitigate web application attacks
  • Understand and mitigate client-side, HTML5, and AJAX vulnerabilities
  • Examine additional avenues where you can exploit (and protect) web application vulnerabilities


Who Should Take This Course

  • Any network and security professional who is starting a career in ethical hacking and penetration testing
  • Individuals preparing for the Offensive Security Certified Professional (OSCP), the Certified Ethical Hacker (CEH), CompTIA PenTest+, and any other ethical hacking certification
  • Any cybersecurity professional who wants to learn the skills required to become a professional ethical hacker and wants to learn more about web application hacking methodologies and attacks


Course Requirements

  • Requires basic knowledge of networking and cybersecurity concepts and technologies



Lesson descriptions


Lesson 1, “Introduction to Web Application Penetration Testing,” reviews ethical hacking and penetration testing basics before moving on to pen testing methodologies, surveying the evolution of web applications, and reviewing the programming languages you need to know to perform web application hacking.


Lesson 2, “Overview of Web Applications for Security Professionals,” reviews the different web application protocols before deep diving into HTTP Request/Response, session management, and cookies. The second half of this lesson looks at cloud services, web application frameworks, docker containers, and Kubernetes.


Lesson 3, “Build Your Own Web Application Lab,” covers how to build your own web application lab environment for penetration testing via Kali Linux. You will also learn about web app vulnerabilities and how to hack them using DVWA, WebGoat, Hackazon, and Web Security Dojo. The lesson concludes with a look at web application proxies, cyber ranges, and capture the flag events to enhance your web app hacking skills in a safe environment


Lesson 4, “Reconnaissance and Profiling Web Applications,” covers the basics of passive and active reconnaissance using search engines, public information, and a variety of other useful utilities. Next, you will also learn about CMS and framework identification before moving on to implementing web crawlers to perform directory brute force attacks. The lesson concludes with a look at how to implement a variety of web application scanners.


Lesson 5, “Authentication and Session Management Vulnerabilities,” explores web application authentication scheme and session management mechanisms, their related vulnerabilities, and how to exploit and mitigate them.


Lesson 6, “Exploiting Injection-Based Vulnerabilities,” covers how to exploit command, SQL, and XML injection-based vulnerabilities, as well as how to mitigate them.


Lesson 7, “Cross-Site Scripting (XSS) and Cross-Site Request Forgery Vulnerabilities,” reviews Reflected, Stored, and DOM-based XSS vulnerabilities as well as CSRF vulnerabilities. The lesson moves on with a look at evading web application security controls before concluding with details on how to mitigate the XSS and CSRF vulnerabilities covered earlier in the lesson.


Lesson 8, “Exploiting Weak Cryptographic Implementations,” reviews the basics of cryptography, encryption, and hashing protocols before moving on to how identify common flaws in data storage and transmission. Armed with these fundamentals, you will learn how to identify, exploit, and mitigate crypto-based attacks and vulnerabilities.


Lesson 9, “Attacking Application Programming Interfaces (APIs),” provides you with an understand of APIs as well as a look at some tools used to test APIs in pen testing.


Lesson 10, “Client-side Attacks,” reviews client-side code and storage before exploring how to identify and mitigate HTML5, AJAX, and other client-side implementation vulnerabilities.


Lesson 11, “Additional Web Application Security Vulnerabilities and Attacks,” concludes the course with a review of some common web application security flaws including insecure direct object references, path traversal, and information disclosure. You will also learn the basics of web application fuzzing.


About Pearson Video Training


Pearson publishes expert-led video tutorials covering a wide selection of technology topics designed to teach you the skills you need to succeed. These professional and personal technology videos feature world-leading author instructors published by your trusted technology brands: Addison-Wesley, Cisco Press, Pearson IT Certification, Prentice Hall, Sams, and Que. Topics include: IT Certification, Network Security, Cisco Technology, Programming, Web Development, Mobile Development, and more.

Table of Contents

  1. Introduction
    1. Hacking Web Applications The Art of Hacking Series LiveLessons: Security Penetration Testing for Today's DevOps and Cloud Environments: Introduction 00:01:46
  2. Lesson 1: Introduction to Web Application Penetration Testing
    1. Learning objectives 00:00:45
    2. 1.1 Understanding Ethical Hacking and Penetration Testing 00:03:10
    3. 1.2 Surveying Web Application Penetration Testing Methodologies 00:05:34
    4. 1.3 Understanding the Need for Web Application Penetration Testing 00:04:29
    5. 1.4 Exploring How Web Applications Have Evolved Over Time 00:05:51
    6. 1.5 Exploring What Programming Languages You Should Know 00:03:58
  3. Lesson 2: Overview of Web Applications for Security Professionals
    1. Learning objectives 00:00:48
    2. 2.1 Understanding the Web Application Protocols 00:11:18
    3. 2.2 Exploring the HTTP Request and Response 00:05:06
    4. 2.3 Surveying Session Management and Cookies 00:08:37
    5. 2.4 Introducing DevOps 00:03:09
    6. 2.5 Exploring Cloud Services 00:06:38
    7. 2.6 Exploring Web Application Frameworks 00:04:43
    8. 2.7 Surveying Docker Containers 00:06:28
    9. 2.8 Introducing Kubernetes 00:03:31
  4. Lesson 3: Build Your Own Web Application Lab
    1. Learning objectives 00:00:51
    2. 3.1 Exploring Kali Linux 00:14:35
    3. 3.2 Introducing Vulnerable Applications 00:01:16
    4. 3.3 Surveying DVWA 00:02:09
    5. 3.4 Surveying WebGoat 00:02:25
    6. 3.5 Surveying Hackazon 00:02:12
    7. 3.6 Exploring the Web Security Dojo 00:02:40
    8. 3.7 Understanding Web Application Proxies 00:03:30
    9. 3.8 Understanding Cyber Ranges and Capture the Flag Events 00:02:25
  5. Lesson 4: Reconnaissance and Profiling Web Applications
    1. Learning objectives 00:00:56
    2. 4.1 Understanding Passive vs. Active Reconnaissance 00:02:55
    3. 4.2 Using Search Engines and Public Information 00:03:50
    4. 4.3 Exploring Shodan, Maltego, Recon-NG, SpiderFoot, and TheHarvester 00:10:58
    5. 4.4 Exploring CMS and Framework Identification 00:03:36
    6. 4.5 Surveying Web Crawlers and Directory Brute Force 00:03:35
    7. 4.6 Understanding How Web Application Scanners Work 00:01:26
    8. 4.7 Introducing Nikto 00:02:41
    9. 4.8 Introducing the Burp Suite 00:16:41
    10. 4.9 Introducing OWASP Zed Application Proxy (ZAP) 00:03:44
    11. 4.10 Introducing OpenVAS 00:10:03
  6. Lesson 5: Authentication and Session Management Vulnerabilities
    1. Learning objectives 00:00:29
    2. 5.1 Understanding Authentication Schemes in Web Applications and Related Vulnerabilities 00:17:51
    3. 5.2 Exploring Session Management Mechanisms and Related Vulnerabilities 00:09:40
  7. Lesson 6: Exploiting Injection-Based Vulnerabilities
    1. Learning objectives 00:00:36
    2. 6.1 Understanding Command Injection 00:01:31
    3. 6.2 Exploiting Command Injection Vulnerabilities 00:02:41
    4. 6.3 Understanding SQL Injection 00:04:59
    5. 6.4 Exploiting SQL Injection Vulnerabilities 00:17:57
    6. 6.5 Understanding XML Injection 00:01:01
    7. 6.6 Exploiting XML Injection Vulnerabilities 00:02:28
    8. 6.7 Mitigating Injection Vulnerabilities 00:02:06
  8. Lesson 7: Cross-Site Scripting (XSS) and Cross-Site Request Forgery Vulnerabilities
    1. Learning objectives 00:00:47
    2. 7.1 Introducing XSS 00:01:11
    3. 7.2 Exploiting Reflected XSS Vulnerabilities 00:01:57
    4. 7.3 Exploiting Stored XSS Vulnerabilities 00:02:44
    5. 7.4 Exploiting DOM-based XSS Vulnerabilities 00:02:22
    6. 7.5 Understanding Cross-Site Request Forgery (CSRF) 00:00:56
    7. 7.6 Exploiting CSRF Vulnerabilities 00:01:57
    8. 7.7 Evading Web Application Security Controls 00:04:06
    9. 7.8 Mitigating XSS and CSRF Vulnerabilities 00:05:15
  9. Lesson 8: Exploiting Weak Cryptographic Implementations
    1. Learning objectives 00:00:40
    2. 8.1 Introducing Cryptography, Encryption, and Hashing Protocols 00:18:04
    3. 8.2 Identifying Common Flaws in Data Storage and Transmission 00:06:22
    4. 8.3 Surveying Examples of Crypto-based Attacks and Vulnerabilities 00:03:54
    5. 8.4 Mitigating Flaws in Cryptographic Implementations 00:02:45
  10. Lesson 9: Attacking Application Programming Interfaces (APIs)
    1. Learning objectives 00:00:22
    2. 9.1 Understanding the APIs 00:02:07
    3. 9.2 Exploring the Tools Used to Test the APIs 00:05:15
  11. Lesson 10: Client-side Attacks
    1. Learning objectives 00:00:27
    2. 10.1 Surveying the Client-side Code and Storage 00:04:22
    3. 10.2 Understanding HTML5 Implementations 00:06:43
    4. 10.3 Understanding AJAX Implementations 00:01:55
    5. 10.4 Mitigating AJAX, HTML5, and Client-side Vulnerabilities 00:01:34
  12. Lesson 11: Additional Web Application Security Vulnerabilities and Attacks
    1. Learning objectives 00:00:36
    2. 11.1 Understanding the Other Common Security Flaws in Web Applications 00:02:56
    3. 11.2 Exploiting Insecure Direct Object References and Path Traversal 00:07:02
    4. 11.3 Surveying Information Disclosure Vulnerabilities 00:01:08
    5. 11.4 Fuzzing Web Applications 00:08:12
  13. Summary
    1. Summary 00:01:09