Web Application Security essentials for beginner

This blog post will guide an individual to learn web security from scratch. Starting from knowing the web technology to standard tools for VAPT, necessary resources with description.


2021-07-28 3 min read

Hello There!!

Welcome to another blog post!

If you are a beginner and want to build your career in Cybersecurity, I would recommend reading my previous blog which outlines what you need to kick off a career in Cybersecurity.

Coming to the web!

The web has changed everything for everyone, especially for businesses. Everything has moved from offline to online mode.

Who had thought that we can get food delivered to our doorstep by just clicking some buttons, right?

With the increased demand and usage of web applications, the attacks on the web also have inclined.

In today's era, DATA is the most important thing, there is no doubt about that.

Businesses need to make sure to secure customer's data by implementing advanced security controls on the products available online.

In short, with the increase of web business & web attacks, the demand for Cybersecurity professionals also boosted.

There are multiple domains in Cybersecurity such as Web Security, Mobile Security, Network Security, Security Audit and, etc.

In this blog, we will discuss the ingredients you need to understand to step in to Web Application Security.

1. Understand the technologies behind the web.

The first and most important step is to learn about web technology. It could be PHP, .net or any other server-side scripting language. Getting a good grip over any language will be an advantage to understand and find any vulnerabilities. Web applications are hosted on the server and only be accessed via a network. It is necessary to have good networking knowledge.

Resource: https://www.w3schools.com/whatis/

For Cybersecurity fundamentals, we already have a course for you which is FREE now. You can start learning by pressing the button below.

2. Learn basics of Web security

Subscribe to any online free/paid course on web vulnerability assessment and penetration testing to learn fundamentals.

The following book is one of the best to clear fundamentals.

Resources: https://www.amazon.in/Web-Application-Hackers-Handbook-Exploiting-ebook/dp/B005LVQA9S

3. Manually explore the site with all access roles available.

While starting up the assessment, most of the individuals were confused about where to start. Exploring web site as a user and other access roles will help you to get a clear idea about the features & functions of the target website.

4. Use an automated scanner or open-source tools to discover more information.

Even when you are starting up, automated scanners are great tools to learn about vulnerability. It shows a detailed analysis and recommendation of the vulnerability. Also, using open-source tools provides hidden directories, domains and other important information.

Most of the automated scanners are commercial tools but you can avail trial version and scan a website.

Resources: https://owasp.org/www-community/VulnerabilityScanningTools

5. Learn OWASP top 10 vulnerabilities.

Every professional is following this OWASP standard. It is a recognized standard across the globe. Understanding and performing assessment based on OWASP is a must. OWASP does provide the best information and works as an overall guide for web security testing.

Resources: https://owasp.org/www-project-top-ten/

6. Install the vulnerable application on your system and perform the assessment.

Every beginner starts with a vulnerable application. There are hundreds of applications available to learn and improve your skills.

Some of these applications are BWAPP, DVWA, XVWA, OWASP Mutillidae II, etc.

If you don't want to install any vulnerable system then you can go for intentionally vulnerable applications here: http://www.vulnweb.com/

7. Play CTF & bug bounty.

Another practical learning is to actively participate in CTFs.

Top CTF/learning platforms:






8. Read blogs about the latest vulnerabilities

Keep yourself updated with the latest vulnerabilities, data breaches and other cybersecurity-related news.




9. Read HackerOne & other bug reports.

One of the best ways to improve is to learn from the best hackers. Reading Hackerone disclosure reports gives a good idea of how to perform security checks.



10. Learn report drafting.

Apart from technical assessment, it is essential to draft a report the way the customer understands. The report should be comprehensive and contain vulnerability name, details, PoC, category, remediation, etc.



Additional Resources:



Once one gets started, the only way to become professional is to practice, practice and practice. Practice will make it perfect.

Along with that, security is a continuous thing, it is not a plug and play where you fix a vulnerability and it becomes un-hackable.

To be better at it, keep yourself updated with the latest news, cover as much technology as you can. Get hands-on with commercial tools and open-source tools.

That is all! Thanks for reading.

If you want to learn web application security from scratch to an advanced level. We do provide a course on Web Application Security. You can check that out here.

Start the free course now!

Entry Level Course combining all concepts above 

You can go for the course listed on our website as well. It is an beginner-level course(CCSA) where you can learn Cybersecurity from scratch. It is a FREE course for now and will be FREE forever!




© copyrighted 2021. All Rights Reserved.