Web Application Penetration Testing


Study at your own pace

WAPT comes with lifetime access to course material and flexible access to the most sophisticated virtual labs on Web Application Security and Penetration Testing: Hera Lab.

Become Certified

Obtain the eWPT certification and prove your practical skills with the only 100% practical certification on Web Application Penetration Testing

Course at a glance

  • Start from the very basics
  • Covers OWASP TOP 10 2013 and beyond
  • Master Burp Suite
  • In depth Web application analysis and information gathering
  • XSS & SQL Injection
  • Session-related vulnerabilities
  • HTML5 attacks
  • Start from Web Application Attacks and move on to Network and Infrastructure Penetration Testing
  • Gives you access to dedicated forums
  • Makes you a proficient professional pentester
  • Qualifies you for 40 CPE after obtaining the eWPT certification

Course material

  • 5+ hours of video training material
  • 1850+ slides
  • 56 Labs in Hera Lab

Course delivery

  • Self-paced / HTML5, PDF, MP4
  • Off-line access available
  • Access from PC, Tablet and Smartphone


  • Module 1 : Penetration Testing Process

    In this module the student will learn the methodologies and reporting best practices needed to become a confident and professional penetration tester.

  • Module 2 : Introduction to Web Applications

    In this module the student will understand the basics of Web applications. An in-depth coverage of the Same Origin Policy in its latest developments and the Cookie RFC will help experienced and non-experienced penetration testers gain critical foundational skills useful for the rest of the training course.

  • Module 3 : Information Gathering

    Let the Penetration test start! Every penetration test begins with the Information gathering phase.

  • Module 4 : Cross Site Scripting

    In this module the most widespread web application vulnerability will be dissected and studied in all its parts. Students will gain all the skills needed to fully unleash the power of cross site scripting exploitation!

  • Module 5 : SQL Injection

    This module covers the most advanced techniques to find and exploit SQL Injections.

  • Module 6 : Authentication and Authorization

    During this module, the student will learn the most common authentication mechanisms, their weaknesses and the related attacks.

  • Module 7 : Session Security

    The student will learn how sessions work and what the most common attack patterns are. They will also study how to prevent session attacks.

  • Module 8 : Flash

    The student will first study the Flash security model and its pitfalls, and will then use the most recent tools to find and exploit vulnerabilities in Flash files.

  • Module 9 : HTML5

    In this module we will discuss the most important elements of HTML5: cross origin resource sharing, cross window messaging, web sockets, sandboxing and web storage. The student will learn how to leverage these features to mount successful attacks.

  • Module 10 : Files and Resources Attacks

    The student will learn how to identify and exploit path traversal, file inclusion and unrestricted file upload vulnerabilities.

  • Module 11 : Other Attacks

    The student will practice a number of vulnerabilities that, despite being less known or publicized, are still affecting a number of web applications.

  • Module 12 : Web Services

    During this highly in-depth module the student will first become familiar with web services paradigms and protocols and then learn the most important related security issues.

  • Module 13 : XPath

    In this module, the student will learn advanced XPath injection techniques, both in theory and in practice in Hera Lab.


  • Basic understanding of HTML, HTTP and Javascript.
  • Reading and understanding PHP code will help although it is not mandatory.
  • No web development skills required.

This training course is for...

  • Penetration testers
  • Web developers
  • IT admins and staff


The WAPT course is a practice-based curriculum. Being integrated with Hera Lab, the most sophisticated virtual lab on IT Security, it offers an unmatched practical learning experience.

| Lab ID | Description | Category |
|--------|-------------|----------|
| Lab 1 | Introduction - 2 Challenging Labs | Educational/Challenge |
| Lab 2 | Information Gathering - 2 Challenging Labs | Educational/Challenge |
| Lab 3 | Cross Site Scripting - 7 Challenging Labs | Educational/Challenge |
| Lab 4 | SQL Injection - 10 Challenging Labs | Educational/Challenge |
| Lab 5 | Authentication and Authorization - 14 Challenging Labs | Educational/Challenge |
| Lab 6 | Session Security - 9 Challenging Labs | Educational/Challenge |
| Lab 7 | Flash Security - 1 Challenging Lab | Educational/Challenge |
| Lab 8 | HTML5 - 4 Challenging Labs | Educational/Challenge |
| Lab 9 | File and Resources Attacks - 4 Challenging Labs | Educational/Challenge |
| Lab 10 | Other Attacks - 1 Challenging Lab | Educational/Challenge |
| Lab 11 | Web Services - 4 Challenging Labs | Educational/Challenge |
| Lab 12 | XPath - 5 Challenging Labs | Educational/Challenge |


Get eWPT Certification

eLearnSecurity's eWPT certification is the most practical AND professionally oriented certification you can obtain in web application penetration testing


  • Armando Romeo

    Armando Romeo is the founder and CEO of eLearnSecurity. Prior to founding eLearnSecurity he spent 5 years in web application security research, with hundreds of vulnerability advisories released. Armando currently leads the R&D team and inspires new projects and new training activities.

  • Francesco Stillavato

    His experience spans from web application secure coding to secure network design. He has contributed to the Joomla project as a Developer and has conducted a number of assessments as a freelancer. Francesco Stillavato's research is now focused on Mobile Application Penetration Testing on Android and iOS. Publications: Francesco is the co-author of the Penetration testing course Professional, Mobile Application Security and Penetration Testing, Penetration Testing Student and author of all Hera Lab scenarios.

  • Davide Girardi

    Davide Girardi has 9 years of experience in attacking and defending enterprise systems and networks. Davide has a strong technical background in network security and efficiency. Davide's research focuses on exploit development and advanced attacks. He is co-author of the Penetration Testing Student and author of many Hera Lab scenarios.


The mix of Video Tutorials, exercises and support from fellow students on the forum was fantastic. Anyone who wants to specialize in Web Penetration Testing, this course is a must to get you started. Thanks for your efforts in making this happen

Denis Hancock
Manager Consulting Pty Ltd

Having been in the security field for over 5 years I assumed this would be a quick and easy certification. After getting into the training course I was pleased to find that I was learning new things and that the course was certainly more challenging than I had anticipated. I found that it filled in several knowledge gaps when it comes to pentesting, and I would recommend this course to both veterans and newcomers to the security field.

Steven Collins

eLearnSecurity's training really dives deep into the underlying concepts beneath pentesting tools.

Timothy E. Everson
Novell inc
