Simply the most practical and up to date course on
Web Application Penetration Testing


Benefits of the WAPT course:

  • Up to date and Extremely practical
  • Makes you a proficient, professional pentester
  • Study online at your own pace
  • Life-time access to course material
  • Prove your skills by obtaining the 100% practical eWPT certification
  • 1500+ interactive slides
  • 13 learning modules
  • 5 hours of video training
  • OWASP TOP 10 2013 and beyond
  • Over 40 lab scenarios
  • User isolated access to labs
  • Detailed PDF lab manuals
  • Advanced XSS & SQL injection
  • All new HTML5 attack vectors
  • Web services testing
  • Best defensive practices
  • Open source and commercial tools


Dear Reader,

Penetration Testing is about checking IT systems or applications to find vulnerabilities that intruders could use to steal data or do some real damage. This is what you can learn in our Penetration Testing courses.

As you probably know, web application standards and technologies have evolved drastically over the last few years, and so have the possible attacks. This brand new course, Web Application Penetration Testing, is filled with all this new information, covers the latest attack scenarios and ensures you are up to date with web application security.

This course is very practical and hands on. No boring theory but practical stuff you can directly try in our Coliseum lab. Yes, you also get lab access with it, so you can directly try out the things you've learned and do your own trial and error. All with our guidance to speed things up and make it easy for you to follow. The lab is yours, and yours only. This means no other student has access to the same files, folders and software you are working on. If things are happening in the lab, it is because you did something right. If you screw things up in the lab, it is also because of you. But don't worry, you can, at any time, press the "reset" button, and all will be back to normal.



So in short, you will learn how to pentest web applications, explained in detail and directly tested and tried by you in the lab. The explanations come in an easy to understand format and include videos, to make things even easier to understand. The training is based on the latest developments and attack scenarios.

You might ask yourself: "Will I have the time and be able to follow every lesson?" The good news is that you decide the speed at which you learn: the whole course is completely self-paced. Some things you might already be familiar with, so you can go through them a bit faster. Other stuff will be pretty new and exciting, so you can spend more time on it. You can learn 12 hours per day, or only 3 hours on the weekends; it's completely up to you. And yes, you do have life-time access to all the training material.



Excited already?

Ok, now one of the best things about this new course: You will not just learn how to discover and exploit vulnerabilities, but also learn how to play for the defense side. After taking the course you will know how to protect web applications, so that intruders won't find ways in. If you are a web developer, that should come in very handy, as your apps will be regarded as being highly secure. If you are a pentester doing jobs for companies, you can now offer the testing AND the fixing! If you work as IT staff in a company, you can also fix holes in your company's web apps instead of just doing the testing.


We know, all this is pretty exciting stuff. But what's it all worth without a proper certification? After all you want to prove to existing or future employers what you can do. And, especially all you freelancers out there, you want to include some proof in your proposals to companies, to make your offer stand out from the competition, right? That is exactly the reason why we included the eWPT certification with this course.


After you have gone through the training material and completed some or all of the over 40 lab scenarios, once you feel confident that you are ready to rumble, you can take our exam. As you might already know, our exams are not just highly regarded worldwide but, like our training courses, are also very hands-on and practical. Whoever passes the exam and gets eWPT certified truly knows how to do Web Application Penetration Testing. That's why so many companies and individuals trust us.





Incredibly In Depth, And Practical


The Web Application Penetration Testing Course is divided into thirteen (13) modules, comprising Flash slides and video material, integrated with practical exercises in the Coliseum lab. The first module provides an introduction to web applications, protocols and the latest W3C standards. The second module contains important and valuable information for the career of a penetration tester: pre-engagement documentation, the most used methodologies and extremely useful tips on how to create a report that stands out.

The course is designed to make you a Professional, not just a technician.

Web Application Security is a highly technical and fascinating discipline. Every web application is different and during the training course the student will learn how to perform a thorough manual penetration test.

The penetration testing process starts with coverage of advanced Information gathering / OSINT techniques and the use of Burp Suite to perform a functional analysis of the target.

Burp Suite will be used throughout the course, at different stages of the penetration test process. Whether you are a penetration tester or a web developer, by mastering this tool, you will be in full control of the web application and its communication with the server.

Armed with this basic information the student can start delving into the OWASP TOP 10 2013 vulnerabilities and much much more. With the new advancement in the field and the increasing complexity of the attacks, mastering the OWASP TOP 10 is not enough anymore.

Modules 4 and 5 are dedicated to two of the best-known vulnerabilities in the web application security field: XSS and SQL injection.

The student will first comprehend all the theoretical aspects related to these vulnerabilities. The student will then learn all the offensive and defensive techniques in practice, through a number of vulnerable web applications that can be launched on the fly in our Coliseum Labs.

At the end of these two modules the student will know how to find and exploit SQL injections in MS SQL Server, MySQL and all the other major DBMS through a number of different techniques.

Session security, Authentication weaknesses and Flash exploits are the subject of the next three modules with a great deal of practical sessions and video material.

HTML5 and new frontiers is the module that finally gives penetration testers and web developers the right skills to test and protect web applications from a number of new attack vectors that are unknown to many.

Cross-Origin Resource Sharing, Cross window messaging, Web Sockets and many other new programming paradigms will be dissected from a security point of view, and many exercises will be given to be carried out in the Coliseum.

In Module 10: Common Vulnerabilities you will find many vulnerabilities with a serious impact on the security of web applications that often go unnoticed: LFI/RFI, Path traversal, HTTP Response splitting and many more.

An entire module is dedicated to Web services testing with thorough coverage of WSDL/SOAP web services and related security issues.



XPath injection will be covered in depth in Module 12 with many real world examples on which to practice in the Coliseum.

The last module has almost 2 hours of video training on the best Vulnerability Assessment and Exploitation tools such as w3af, Netsparker, Acunetix WVS, BeEF and others.




Domenico Quaranta has been with eLearnSecurity since day 0, where he now serves as CTO and Tech lead of all the R&D projects.
In 2010 Domenico brought to life the Coliseum Framework, considered the most innovative virtual lab in the world on web application security. The Coliseum today allows free 100% practical training through the HACK.ME project, of which Domenico is Tech lead.

Domenico has authored all the new materials appearing in WAPT course and the over 30 new labs in the Coliseum.

Armando Romeo is the Founder of eLearnSecurity and Lead author of the Web Application Penetration Testing course.

Prior to founding eLearnSecurity, Armando had founded the Hackers Center Security research group, with which he has published over one hundred security advisories on open-source and commercial web applications.
Armando holds a Master's Degree in Computer Engineering from the University of Pisa.





Become EWPT with eLearnSecurity's Web Application Penetration Testing certification


Why should I get certified?

The eWPT is a highly respected certification on Web Application Penetration testing because it is 100% practical and issued by a leading IT Security training company.

Professional penetration testers are a critical component of any company's IT security plan. By auditing systems and helping their company find and fix weaknesses before hackers find them, professional penetration testers help safeguard billions of dollars worth of sensitive systems and data every day.


With eLearnSecurity you can be...Certified AND Proficient in The Real World!



When you enroll in our WAPT course you...
  • Get eWPT Exam voucher included!
  • Redeem it within 180 days
  • Have up to 14 days to provide deliverables


Web Application Penetration testing has become a complex and necessary discipline in any Penetration testing engagement. Our 100% practical eWPT exam covers:

  • Advanced Web Applications testing
  • Reporting skills
  • Business-aware remediation plans


For the IT security professional seeking to keep his or her skills sharp, current and up-to-date with this perpetually evolving arena, eLearnSecurity's eWPT certification delivers the best value in theory, methodology and practice.


A Professional Penetration Course Engineered to Keep Your Skills Relevant and Your Company Safe


eLearnSecurity's eWPT certification is the most practical AND professionally oriented certification you can obtain in web application penetration testing. Here are some of the ways eLearnSecurity Web application Penetration Tester (eWPT) certification is different from conventional certifications:

  • Instead of putting you through a series of multiple-choice questions, you are expected to perform an actual penetration test on a real world company's web application hosted in our labs. This penetration test is very challenging.
    Beware: this is not a capture the flag scenario! As in a real penetration test, eLearnSecurity requires that you find and exploit all of the vulnerabilities.
  • Not only do you have to try different methodologies to conduct a thorough penetration test, you will also be asked to write a complete report as part of your evaluation. These are the same kinds of reports that will make you a valuable asset in the corporate sector.
  • Only individuals who provide proof of their findings in addition to writing a commercial-grade penetration testing report that correctly identifies the weaknesses and best remediations in this "engagement", are awarded the eWPT Certification.


With eLearnSecurity's Web Application Penetration Testing course, you will be able to study theory and methodology and practice your acquired skills through exercises and labs. You'll gain more than a certificate: you'll gain current skills that align with the changing demands of your industry.


eLearnSecurity's eWPT is the only certification for Penetration testers that evaluates your abilities at attacking your target and providing thorough professional documentation and recommendations.


  • Complete support offered in all labs and exercises
  • Practice in our virtual lab and learn how to produce a commercial-grade penetration testing report
  • Your work personally evaluated by instructors - no automated evaluation


The Web Application Penetration Testing course is an investment in your own career and your company. Give yourself a competitive advantage and an edge on hackers!




add web app pentesting to your certified skills



The WAPT course is a practice-based curriculum that comes integrated with the Coliseum Lab.


When you enroll in WAPT course, you can choose how much Coliseum lab time you need: 60/90/120 days with our Flat model or even 60/90/120 hours with the On-Demand model.
The On-Demand model lets you use the lab at any time, enjoying new labs when they are available. This is revolutionary.


The following labs are completely integrated with the training course and are considered "Educational labs" where you are given step-by-step instructions in the Lab manual PDF and within the lab itself:

#    Lab Topic
1    User enumeration, Inadequate password policy (Dictionary attack, Bruteforce)
2    Failure to restrict URL access
2    SQL injection
3    Attacking HTML5 - CORS
5    Attacking HTML5 Cross Window Messaging
6    Session.1 Arrogant bank hijacking through XSS
7    Session.1 Arrogant bank Session Fixation
8    Attacking Session.4 - CSRF
9    Attacking Session.5 Cross domain
10   Attacking Session.1 Guessing SessionID.2
11   Attacking Session.1 Guessing SessionID.2
12   Attacking web services .1 Discovering hidden exposed methods
13   Attacking web services .2 SOAPAction spoofing
14   Attacking web services .3 SQL injection
15   XPath Injection - Exploitation
16   ERROR based SQL Injection
17   Blind SQL Injection
19   Persistent XSS
20   Persistent XSS - Bypassing filters


But wait...there's more!


Coliseum Lab WAPT package

The WAPT package, formerly the WAS360 package, allows you to test your newly earned skills against 19 different real-world web sites on which to perform black-box pentests.

These scenarios are closer to challenge-type labs where the student needs to find a way to reach the goals and objectives, different for each lab.

Should the student need assistance, Cicero is there with useful tips that will help the student during the penetration test.







The Web App Penetration Testing course is a highly technical and in depth course.

Everyone with a solid background in web applications and a minimum understanding of the main web application security threats can enroll in the course.

Understanding of Penetration testing, even in networks, will help during the course.

If you are unsure, please check the following guidelines.



Minimum skills required
Before you enroll in the course you should have a grasp of how HTTP and Web servers work. Moreover, even basic knowledge of HTML/JavaScript will help.

It is not strictly necessary that you know how to program in PHP or Java or .NET although, in certain cases, snippets of code are used to depict a typical vulnerable scenario.

Recommended skills
A good understanding of web applications and a basic understanding of main attacks like XSS and SQL injection.

Knowing how to write simple JavaScript or simple PHP can help for advanced scenarios.


I don't meet the Recommended skills. What should I do?


If you don't meet the Minimum required skills you are entitled to enroll in our course at your own risk.
We will do our best to help you fill the skills gap by pointing you in the right direction.
Moreover, our course comes with life-time access to course material, so you can always refer to external books or references when you encounter difficulties during the course.


If you don't meet the Recommended required skills you should not worry.
You can still enroll in our course and, if needed, use the help of our private forum to clear your doubts.
Our instructors will be there to help you with any kind of question related to the course and even the background skills that you would require.


Need help determining your level?


Please contact us through live chat or our contact web form. One of our consultants will be available to help.





Read what our clients, Industry experts and Leading Information Security websites say about our courses...



I think if you are looking for Penetration Testing Training this is a great choice, even if you have no desire to take the certification you can learn a lot just by studying the modules and applying yourself.
If you are just starting out (still studying or a fresh grad) I think the course and the certification will definitely have a positive effect on your career... and certainly makes economic sense when comparing to attending real life 5-day courses. It goes into a lot more depth than other courses and can really benefit your skills. I wish there was something like this in 1999 when I was starting out. The way in which the material is presented is a lot more interactive and interesting than many other courses out there with a good mix of words, images and videos plus a good theory/practical mix too. This makes it a lot easier as many of the topics within info sec can get very dry very fast.

Shaolin Tiger, Founder of Darknet.org.uk

eCPPT curriculum is definitely a valuable security training which permits both professionals and beginners to significantly improve or update their skills in a minimal amount of time.

Frédéric Bourla, Head of Ethical Hacking Department at High-Tech Bridge SA

I could not be what I am today if I did not know Mr Armando Romeo. Last 2 years I was a beginner, and I took eCPPT. This course opened up my horizon in penetration testing. Since then, my life has changed. I wish to express my gratitude to eLearnSecurity's staff and especially to Mr Romeo for his help. You pave the way for me to enter the real security world.

Pornsook Kornkitichai, Security Engineer at Kasikorn Bank

I took the eCPPT course due to the lack of actual certifications that prove you have the skills required to attack and actually penetrate targets. Most certifications simply prove that you can take an exam and learn theory, but I was very pleased with the requirements to pass this course as it shows you have the practical skills as well.

Simon Earl, Director at IT Security Experts Ltd

This is what the CEH/LPT* should have been, and I am delighted to say that if students can master the topics and techniques in eLearnSecurity's Penetration Testing Pro, they should be well on their way to being an accomplished pentester.

Jason Haddix, Penetration tester at HP and founder of SecurityAegis.com

eLearnSecurity's training really dives deep into the underlying concepts beneath pentesting tools. Covered in the course are much deeper understandings of topics such as buffer overflows (which, while I already understood the concepts, Armando and his team went out of their way to come up with the best high-level to low-level explanations I've read on the topic, for newcomers and seasoned professionals alike), Network Security, and Web Application Security. The coverage of these topics, and the amount of time they allow the student to access them, really helps to enforce good learning, with extended opportunity and study time, for an exceptional value. For anyone who is budget constrained, I'd say, with total confidence, that the value of eLearnSecurity's training meets and / or exceeds the value of many other programs available, and if one truly desires to learn the technical aspects of IT Security, it's a certification course well-worth the time and investment.

Timothy E. Everson MCNE CDE CLE CCNA CEH, Novell Inc.

The mix of Video Tutorials, exercises and support from fellow students on the forum was fantastic. Anyone who wants to specialize in Web Penetration Testing, this course is a must to get you started. Thanks for your efforts in making this happen, Armando.

Denis Hancock, Manager Samurai at Consulting Pty Ltd

Having been in the security field for over 5 years I assumed this would be a quick and easy certification. After getting into the training course I was pleased to find that I was learning new things and that the course was certainly more challenging than I had anticipated. I found that it filled in several knowledge gaps when it comes to pentesting, and I would recommend this course to both veterans and newcomers to the security field.

Steven Collins

The learning experience was amazing! I have learned so much in such a short time. Would recommend to anyone (even the more experienced of us) to take that course. You wouldn't believe how much you can still learn!

Oded Brilon, StrikeForce Engineer at CSC Australia

Unbiased third party reviews that you can find online:



*Comparison with v6 of CEH curriculum




If you have questions that you don't find answered here please contact us.


What software/hardware requirements are there?

You need to have a web browser with Flash plugin enabled.

You won't be forced to use any particular OS in order to study the course. If you run Backtrack/Kali as a virtual machine, you should have at least 2 GB of RAM; 4 GB is better.

You need an internet connection speed of at least 128 Kbit/s; 256 Kbit/s or higher is recommended.



How do you provide support?

As soon as you enroll in one of our courses you are provided with access to a private forum where you will find instructors and community managers available to help you 24/7. Response time is usually a matter of hours (sometimes minutes).

Support for billing, technical and exam-related questions is also provided through email, ticketing service and live chat.



How can I pay?

We accept all major credit cards, Paypal, Wire transfer, 2Checkout, MoneyBookers and purchase order.

MoneyGram or Western Union are NOT accepted.



Are there any hidden fees?

There are no hidden fees. If you are from a country where VAT is required (most EU countries), you have to add VAT to our ticket price. We are legally obligated to collect VAT on your purchases.

There is no software to buy or renewal fees to pay and you get lifetime access to acquired course materials.



What happens when there's a new update to the contents?

You have lifetime access to course material and we will include minor updates to the contents free of charge. Minor updates include: an addition of a new module, a new video, bug fixes, improvements to labs, addition of a small number of new labs.

A major upgrade occurs when there is more than one new module added or the contents added are a significant portion of the material you acquired.

When we issue a new major upgrade you can upgrade to the new version with a minor upgrade fee, or keep your current version. The upgrade fee will be established proportionally to the amount of new content added and according to the time elapsed between your enrollment and the release of the new content. Note: if you enroll today and we issue a new major release you will get the new release for free.

There is no published update schedule and we reserve the right to issue minor or major updates when we see the need.



Can I request a refund if contents are too difficult for me?

We only process refunds/chargebacks for fraudulent transactions.



What is the difference between subscription and full plans?

The only substantial difference between the two plans is that the subscription plan lets you spread your payment over time, while nothing changes in terms of the content you receive.



If I choose to pay through the subscription plan, can I still get certified?

Yes, you will be given an eWPT voucher as soon as you get the entire material.

Your exam deadline will be counted starting from the day you are assigned the eWPT voucher.



Can I cancel my subscription?

You can cancel your subscription at any time.
As soon as you enroll you will receive 2 logins: one to access our course material and another to access your billing panel on our payment gateway Plimus. By using the Plimus login you can manage your subscriptions.

Our subscription is meant to facilitate the payment for the course, not for you to receive sections of our course separately.
Once the subscription is completed, your access to the course material is unlimited.



If I choose to pay through the subscription plan, how much do I pay and when?

Please refer to our Enroll page for Installment plans.

