Practical Web Application Penetration Testing

No one wants to hire a Web Application Security consultant without experience, but it's difficult to gain experience unless you already work in the field or breach ethical boundaries. This is a challenge that many "green" Web Application Security professionals face. Born out of this need, Practical Security Services designed PWAPT to provide real world experience in a classroom environment, allowing for the growth required to enter the work force with confidence and competence. PWAPT was also designed to provide experienced Web Application Security consultants with a better defined testing methodology complimented by obscure vulnerability discovery techniques and "quality of life" tips and tricks to improve on a developed skill set. Regardless of skill level, PWAPT has something for everyone.

PWAPT provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end, an oversight in most web application penetration testing courses. The end result is an individual with the confidence and skill set to conduct consultative web application penetration testing engagements.

The majority of the course will be spent performing an instructor led, hands-on web application penetration test against a target application built specifically for this class using a modern technology stack and including real vulnerabilities as encountered in the wild. No old-school vanilla PHP stuff here folks. Students won't be given overly simplistic steps to execute independently. Rather, at each stage of the test, the instructor will present the goals that each testing task is to accomplish and perform the penetration test in front of the class while students do it on their own machine. Primary emphasis of these instructor led exercises will be placed on how to integrate the tools with manual testing procedures to improve the overall work flow. This experience will help students gain the confidence and knowledge necessary to perform web application penetration tests as a Web Application Security professional.

PWAPT is a PortSwigger preferred Burp Suite Training course. PWAPT students will learn basic and advanced usage techniques for Burp Suite Pro, as well as discover obscure functionality hidden within the vast capabilities of the tool. Students will also receive a trial license for Burp Suite Pro to use during and after the course.


Day 1:

  • Methodology
  • Reconnaissance
  • Mapping
  • Content Discovery
  • Vulnerability Discovery

Day 2:

  • Vulnerability Discovery (cont.)

Day 3:

  • Vulnerability Discovery (cont.)
  • Exploitation
  • Web Services
  • Advanced Burp Usage

Note: The three day offering requires a minimum of 24 hours of classroom time in order to get through the core content. Be prepared for three full days of training with the potential for overtime in the evenings.

Skill Requirements

Students taking this course should have introductory knowledge of the OWASP Top 10 and a thorough understanding of the HTTP protocol. Students do not need to be comfortable finding or exploiting common web vulnerabilities, but a general understanding is ideal. However, understanding the HTTP protocol is vital. PWAPT does not cover basic HTTP, but will reference it repeatedly assuming students are familiar with the protocol. PWAPT may also do this with some vulnerabilities, but will discuss them in further detail at a later time during the class.

Knowledge of web technologies and programming constructs will also be helpful, but are not required. PWAPT uses code to explain and demonstrate some vulnerabilities, and in the 4-day format contains exercises where the instructor and students modify the application's source code to implement mitigating controls.

While this is not an advanced course, PWAPT will strive to cover advanced topics if the ability level of the student population allows. Please prepare yourselves for the above requirements if you do not already meet them coming into the course. Anyone looking to get into Web Application Security or hone their craft should be working on their software development skills. If not already doing so, this is a good time to get started.

Technical Requirements

  • Latest VMware Player, VMware Workstation, or VWware Fusion installed. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality. However, VMware Player should be prepared as a backup.
  • Ability to disable all security software on their laptop such as Antivirus and/or firewalls (Administrator).
  • At least twenty (20) GB of hard drive space.
  • At least four (4) GB of RAM.


  • "I just completed my first paid pen test as an after hours gig. Thanks to your class, I had a solid methodology to follow. I went down the list and it went better than I expected. I found stored XSS, IDOR, Session Fixation, insecure JWT storage, CSRF and more. I would have never been able to do this without you. Thank you so much. I can’t wait to take the class again!!"

    - Joe S. (PWAPT WorkshopCon, 2019)
  • "This is the most beneficial, real-world applicable course I have ever attended on web application penetration testing. In three days, Tim walked us through his expert methodology on assessing web applications and provided insight on the most recent vulnerabilities that are currently being found and how to test for them. Excellent course."

    - Steve D. (PWAPT Raleigh, 2019)
  • "I've been in IT for 24 years and have taken dozens and dozens of training classes. I've left most of those classes feeling like the value of the class for the cost wasn't worth it. That was completely the opposite for your class. I left wondering why it was so cheap. Without a doubt it was some of the best training I've received in my career."

    - Jeremy Archer (PWAPT Eau Claire, 2018)
  • "I've taken several different trainings/certifications to include: OSCP, eMAPT, ePPT, Sans (GCFE and GMOB); your training and method of instruction blew these away. You've given me the gift of knowledge and I greatly appreciate it!"

    - DJ Phishes (PWAPT Eau Claire, 2018)
  • "Thank you for an amazing class! Truly inspirational. I'm probably one of the newest from your Springfield class to the security world, but you were able to teach and present all of the information in a way that was not only at a level that could be easily understood, but was engaging and fun!"

    - Blaise Lacktis (PWAPT Springfield, 2019)

Stay In Touch and Be Notified
Service Announcements + Upcoming Seminars and Classes