
Web Security & Bug Bounty: Learn Penetration Testing

Start a career or earn a side income by becoming a Bug Bounty Hunter. No previous experience needed, we teach you everything from scratch. Hack websites, fix vulnerabilities, improve web security, and much more. You'll learn penetration testing from the very beginning and master the most modern pentesting tools and best practices!

22 Days: average time students take to complete this course.

Last updated: March 2024

Course overview

We guarantee you that this is the most comprehensive and up-to-date Penetration Testing course that you can find to go from absolute beginner to becoming a Web Security Expert and getting paid as a Bug Bounty Hunter. You will learn and master the most modern bug bounty and pentesting tools and best practices for 2024!

What you'll learn

  • Learn Penetration Testing from scratch to become a Bug Bounty Hunter and Web Security Expert
  • Setting Up Your Hacking Lab: Kali Linux and Virtual Machines (Works with Windows/Mac/Linux)
  • Discover, exploit, and mitigate all types of web vulnerabilities. Secure any of your future applications using best practices
  • How to make money from bug bounty hunting and make a career of it
  • Learn how to hack & attack systems with known vulnerabilities
  • Website Enumeration & Information Gathering
  • Bug Hunter and the Burpsuite Tool
  • HTML Injections
  • Command Injection/Execution
  • Broken Authentication, Broken Access Control
  • Bruteforce Attacks
  • Security Misconfiguration
  • Cross Site Scripting - XSS
  • SQL Injection, XML, XPath Injection, XXE
  • Logging & Monitoring best practices
  • Web Fundamentals, Networking Fundamentals, Linux Terminal Fundamentals

This course is focused on learning by doing, not watching endless tutorials with nothing to show for it. You are going to learn how penetration testing works by actually practicing the techniques and methods used by Bug Bounty Hunters.

And you'll be learning in good company.

By enrolling today, you’ll also get to join our exclusive live online community classroom to learn alongside thousands of students, alumni, mentors, TAs and Instructors.

Most importantly, you will be learning from industry experts (Aleksa & Andrei) that have actual real-world experience working on security for large companies and websites/apps with millions of visitors.

No matter what your background, previous experience or current job is, we make this course approachable for you by providing two paths.

1. Don't know how to code yet?

No problem at all. We've included three bonus sections to get you up to speed so you can start pentesting in no time at all.

2. Already know how to code?

Great. You're going to start off right away by creating your own virtual hacking lab to make sure we keep your computer safe throughout the course and get our computers properly set up for penetration testing.

Here is what the course will cover to take you from Zero to Web Security Mastery

We guarantee you this is the most comprehensive, modern, and up-to-date online course on bug bounty hunting, penetration testing, and web security.

Unlike many other tutorials you'll find online, we aren't going to waste your time teaching you outdated techniques and topics.

1. Introduction To Bug Bounty:

In this section, we answer "What is a Bug Bounty?" and "What is Penetration Testing?". We'll also explore the career path of a Pen Tester.

2. Our Virtual Lab Setup:

Create your virtual lab that we will use throughout the course (Kali Linux machine). Install a vulnerable virtual machine ("VM") called OWASPBWA that we will attack. Create an account on the TryHackMe Cyber Security training platform.

With almost every vulnerability, we will cover an example on TryHackMe and also on our vulnerable VM.

3. Website Enumeration & Information Gathering:

This is where we start with the practical Bug Bounty / Website Penetration Testing. We cover numerous tactics and tools that let us gather as much information as possible about a target website.

For this, we use different tools like Dirb, Nikto, Nmap.

We also use Google hacking (Google dorks), a useful skill to have when tools are not available.

4. Introduction To Burpsuite:

This is a very important tool for a Bug Hunter. Pretty much every Bug Hunter out there knows about this tool (and probably uses it). It has many different features that make hunting for bugs easier. Some of those features are crawling the webpage, intercepting and changing HTTP requests, brute-force attacks and more.

5. HTML Injection:

This is our first bug. It's also one of the easiest so we start with it. HTML injection is essentially just finding a vulnerable input on the webpage that allows HTML code to be injected. That code is later rendered out on the page as real HTML.

6. Command Injection/Execution:

Our first dangerous bug. Command injection is possible when the server passes our input to the operating system unfiltered. This could be something like a webpage that lets us ping other hosts but doesn't check whether we supplied something other than the IP address it expects.

This allows us to run commands on the system, compromise the system through a reverse shell and compromise accounts on that system (and all the data).
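The ping scenario above, written out as an added example (not code from the course): the vulnerable pattern that pastes the field into a shell command line next to the hardened version that allow-lists the input and passes an argv list, plus a small detection helper. It assumes a Linux `ping` that takes `-c` for the packet count; the sample inputs are constructed.

```python
import ipaddress
import subprocess

# Characters that have no business in an IP-address field; seeing them is a detection signal.
SHELL_METACHARACTERS = set(";|&`$()<>\n")


def build_ping_command_vulnerable(host: str) -> str:
    # Vulnerable pattern: user input pasted into a single shell command line.
    # If this string is run with shell=True, the shell parses all of it, so a ';'
    # or '|' inside `host` ends the ping command and starts another one.
    return f"ping -c 1 {host}"


def is_valid_target(host: str) -> bool:
    # Allow-list check: the field must parse as an IPv4 or IPv6 literal, nothing else.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_injection(host: str) -> bool:
    # Detection helper for request logs or a WAF rule: shell metacharacters
    # in a field that should only ever hold an address.
    return any(ch in SHELL_METACHARACTERS for ch in host)


def build_ping_command_safe(host: str) -> list[str]:
    # Hardened pattern: validate against the allow-list first, then build an
    # argv list so no shell ever parses the user's input.
    if not is_valid_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return ["ping", "-c", "1", str(ipaddress.ip_address(host))]


def ping(host: str) -> str:
    # Runs the hardened command without a shell and returns its output for display.
    result = subprocess.run(
        build_ping_command_safe(host), capture_output=True, text=True, timeout=10
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: a plain address and one carrying an extra command.
    for sample in ("8.8.8.8", "8.8.8.8; echo injected"):
        verdict = "valid" if is_valid_target(sample) else "rejected"
        flag = " (suspicious input, worth logging)" if looks_like_injection(sample) else ""
        print(f"{sample!r} -> {verdict}{flag}")
```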

7. Broken Authentication:

This is another vulnerability that occurs on websites. It refers to weaknesses in two areas: session management and credential management. It allows an attacker to impersonate legitimate users. We show different examples through cookie values, HTTP requests, the Forgot Password page, etc.

8. Bruteforce Attacks:

This can be a problem even if the website is secure. If the client has an easy and simple password set, it will also be easy to guess. We cover different tools used to send lots of passwords on the webpage to break into an account.

9. Sensitive Data Exposure:

This isn't a vulnerability in the system itself. Instead, it's when developers leave sensitive information accessible in production that can be used to perform an attack. We cover an example where a developer leaves the entire database accessible to regular users.

10. Broken Access Control:

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.

Here we cover a vulnerability called Insecure Direct Object Reference (IDOR). A simple example would be an application that has user IDs in the URL. If it doesn't properly check that the referenced object belongs to the requesting user, an attacker could change the ID and access another user's information.
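The ID-in-the-URL case above as an added example (not the course's code): a lookup that trusts the ID alone beside one that checks ownership against the server-side session, returns the same error for missing and foreign objects, and logs denied attempts so repeated probing shows up in monitoring. The ticket records are constructed sample data.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("access-control")


@dataclass
class Ticket:
    ticket_id: int
    owner_id: int
    price: float


# Constructed sample data: two tickets belonging to two different users.
TICKETS = {
    1001: Ticket(ticket_id=1001, owner_id=7, price=49.99),
    1002: Ticket(ticket_id=1002, owner_id=8, price=120.00),
}


class AccessDenied(Exception):
    """Raised when the caller may not see the requested object."""


def get_ticket_vulnerable(ticket_id: int) -> Optional[Ticket]:
    # Vulnerable: the record is fetched by the ID taken from the URL alone, so any
    # logged-in user can read any other user's ticket just by changing the number.
    return TICKETS.get(ticket_id)


def can_access(session_user_id: int, ticket_id: int) -> bool:
    # Authorization decision: ownership is compared against the identity stored in
    # the server-side session, never against anything the client sent.
    ticket = TICKETS.get(ticket_id)
    return ticket is not None and ticket.owner_id == session_user_id


def get_ticket_safe(session_user_id: int, ticket_id: int) -> Ticket:
    # Hardened: every object access goes through the ownership check. Missing and
    # foreign tickets produce the same error, so responses don't reveal which IDs exist.
    if not can_access(session_user_id, ticket_id):
        # Denied attempts are logged; a run of them from one session stepping through
        # consecutive IDs is the typical IDOR probing pattern to alert on.
        log.warning("denied object access user=%s ticket=%s", session_user_id, ticket_id)
        raise AccessDenied("ticket not found")
    return TICKETS[ticket_id]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("vulnerable lookup returns a foreign ticket:", get_ticket_vulnerable(1002))
    print("own ticket via hardened lookup:", get_ticket_safe(7, 1001))
    try:
        get_ticket_safe(7, 1002)
    except AccessDenied as exc:
        print("foreign ticket via hardened lookup:", exc)
```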

11. Security Misconfiguration:

We've added this as a separate section. However, all the previous vulnerabilities also belong to it. Here we show an example of a vulnerability where the admins of websites haven't changed the default credentials for a certain application that runs on their server.

12. Cross Site Scripting - XSS:

This is a big vulnerability and is very common in many websites out there. It allows an attacker to execute JavaScript code in the context of the webpage.

This happens when user input isn't properly filtered and the browser ends up processing it as JavaScript. There are three main types of XSS: Stored, Reflected and DOM-based XSS. We cover these three plus some unusual ones.

13. SQL Injection:

Another big vulnerability out there, and a really dangerous one. Many websites communicate with a database, whether it stores product information or user information.

If the input that travels from the user to the database is not filtered and checked, an attacker can send their own SQL query and communicate with the database itself, allowing them to extract the entire database or even delete it.

There are several types of SQL injection, such as Error-based and Blind SQL injection.

14. XML, XPath Injection, XXE:

XXE, or XML External Entity injection, is a vulnerability that allows an attacker to interfere with how an application processes XML data. It could allow the attacker to read files on the target system or obtain a reverse shell, making it another severe vulnerability.

15. Components With Known Vulnerabilities:

Even if the website might not be vulnerable, the server might be running some other components/applications that have a known vulnerability that hasn't been patched yet. This could allow us to perform various types of attacks depending on what that vulnerability is.

16. Insufficient Logging And Monitoring:

Logging and monitoring should always be done from a security standpoint. Logging allows us to keep track of all the requests and information that goes through our application.

This can help us determine whether a certain attack is taking place. Or, if the attack already happened, it allows us to examine it a little deeper, see which attack it was, and then apply that knowledge to change the application so that the same attack doesn't happen again.

17. Monetizing Bug Bounty Hunting:

After practicing and covering all the vulnerabilities, we'll show you how you can make money from your new knowledge and skills.

We give you different platforms that can be used to start your career as a Bug Hunter and use one platform as an example to show how a bug bounty program works and what to pay attention to when applying.

18. Bonus - Web Developer Fundamentals:

This section is for anyone that doesn't have basic knowledge in Web Development or doesn't know exactly how websites work and are structured.

19. Bonus - Linux Terminal:

This section is for anyone that doesn't have basic knowledge of using the Linux Terminal. This is important as we will be using it throughout the course.

20. Bonus - Networking:

Fundamentals of networking and some basic terms to know as Penetration Testers and Bug Bounty hunters.

What's the bottom line?

This course is not about making you just code along without understanding the principles so that when you are done with the course you don’t know what to do other than watch another tutorial... No!

This course will push you and challenge you to go from an absolute beginner to someone that can earn income as a Pentester or Bug Bounty Hunter and become a Web Security Expert 💪.

And if you're serious about starting a full-time career in Ethical Hacking, you can take this course as part of our step-by-step Ethical Hacker Career Path.

How do we know?

Because thousands of Zero To Mastery graduates have gotten hired and are now working at companies like Google, Tesla, Amazon, Apple, IBM, JP Morgan, Facebook, Shopify + other top tech companies.

They are also working as top freelancers getting paid while working remotely around the world.

And they come from all different backgrounds, ages, and experiences. Many even started as complete beginners.

So there's no reason it can't be you too.

And you have nothing to lose. Because you can start learning right now and if this course isn't everything you expected, we'll refund you 100% within 30 days. No hassles and no questions asked.

When's the best time to get started? Today!

There's never a bad time to learn in-demand skills. But the sooner, the better. So start learning today by joining the ZTM Academy. You'll have a clear roadmap to developing the skills to get hired and advance your career.


Don't just take our word for it

Our courses and community have helped 1,000s of Zero To Mastery students go from zero to getting hired to levelling up their skills and advancing their careers to new heights.

I got a solid foundation of Penetration Testing and how to go about working on Bug Bounties. Keep up the good work ZTM! I plan on working on my first bounty in the coming days and also getting my Pentest+. This course was a great introduction for me.

Jimmy S.

The course is very well planned and informative but straight to the point. The practical part is easy to follow and every detail is explained which is good for beginners. I'd recommend this course to those who want to learn bug bounty.

Nurfarihan B.

The instructors made the content so easy to understand with very simple and helpful explanations. I felt that I should have joined this course earlier; then I would have been a hacker by now :)

Vijayakumar P.

The course was very easy to follow and explained in a smooth way to understand. The care of the instructors during the whole course about every single detail makes you feel the course was made specially and only for you.

Routha

Course curriculum

To make sure this course is a good fit for you, you can start learning pentesting & web security for free right now by clicking any of the PREVIEW links below.

Introduction To Bug Bounty (7 lectures)

  • Web Security & Bug Bounty (1:41) [PREVIEW]
  • Course Outline (6:08) [PREVIEW]
  • Exercise: Meet Your Classmates and Instructor
  • What is Penetration Testing? (5:43) [PREVIEW]
  • What is a Bug Bounty? (6:35) [PREVIEW]
  • Course Resources + Guide
  • How-to's: Speed up videos, Downloading videos, Subtitles

Our Virtual Lab Setup (7 lectures)

  • Virtual Box, Kali Linux Download (11:08) [PREVIEW]
  • Important - New Kali Linux Categories (1:26) [PREVIEW]
  • Kali Linux Installation (12:14) [PREVIEW]
  • OWASPBWA Installation (8:35) [PREVIEW]
  • Creating TryHackMe Account (2:47) [PREVIEW]
  • 2 Paths (2:05) [PREVIEW]
  • Unlimited Updates

Website Enumeration & Information Gathering (7 lectures)

  • Website Enumeration - Theory (4:59)
  • Google Dorks (11:28)
  • Ping, Host, Nslookup ... (7:21)
  • Whatweb (8:52)
  • Dirb (6:20)
  • Nmap (11:27)
  • Nikto (6:32)

Introduction To Burpsuite (4 lectures)

  • Burpsuite Configuration (7:47)
  • Burpsuite Intercept (7:27)
  • Burpsuite Repeater (7:48)
  • Burpsuite Intruder (9:20)

HTML Injection (5 lectures)

  • HTML Injection - Theory (3:24)
  • HTML Injection 1 on TryHackMe (9:01)
  • HTML Injection 2 - Injecting User-Agent Header (3:49)
  • Injecting Cookie Field and Redirecting The Page (5:23)
  • Advanced Example of HTML Injection (13:18)

Command Injection/Execution (5 lectures)

  • Command Injection Theory (4:14)
  • Command Injection On TryHackMe and Blind Command Injection (9:55)
  • Solving Challenges With Command Injection (9:30)
  • Running PHP Reverse Shell With Command Execution Vulnerability (7:26)
  • Bypassing Input Filter And Executing Command (7:24)

Broken Authentication (6 lectures)

  • Broken Authentication Theory (4:23)
  • Broken Authentication On TryHackMe (6:00)
  • Broken Authentication Via Cookie (4:30)
  • Basic Authorization in HTTP Request (6:34)
  • Forgot Password Challenge (8:21)
  • Session Fixation Challenge (5:09)

Bruteforce Attacks (4 lectures)

  • Cluster Bomb Bruteforce (6:38)
  • Hydra Bwapp Form Bruteforce (12:20)
  • Hydra Post Request Form Bruteforce (5:24)
  • Bonus - Hydra SSH Attack (4:14)

Sensitive Data Exposure (1 lecture)

  • Sensitive Data Exposure Example (10:11)

Broken Access Control (3 lectures)

  • Broken Access Control - Theory (6:27)
  • Accessing passwd With BAC (4:24)
  • Ticket Price IDOR (6:33)

Security Misconfiguration (2 lectures)

  • Security Misconfiguration - Default App Credentials (4:41)
  • Exercise: Imposter Syndrome (2:55)

Cross Site Scripting - XSS (7 lectures)

  • XSS Theory (6:12)
  • Changing Page Content With XSS (10:53)
  • Bypassing Simple Filter (3:48)
  • Downloading a File With XSS Vulnerability (9:05)
  • DOM XSS Password Generator (5:35)
  • JSON XSS (8:09)
  • Old Vulnerable Real Applications (4:11)

SQL Injection (6 lectures)

  • SQL Injection Theory (4:00)
  • Guide To Exploiting SQL Injection (8:00)
  • Getting Entire Database (5:25)
  • Extracting Passwords From Database (19:43)
  • Bypassing Filter In SQL Query (6:06)
  • Blind SQL Injection (11:38)

XML, XPath Injection, XXE (3 lectures)

  • XPath Injection (6:23)
  • XPath Injection 2 (3:57)
  • XXE (7:22)

Components With Known Vulnerabilities (1 lecture)

  • Components With Known Vulnerabilities (10:06)

Insufficient Logging And Monitoring (1 lecture)

  • Insufficient Logging And Monitoring Example (4:01)

Monetizing Bug Hunting (2 lectures)

  • What's Next & How To Earn Money By Finding Vulnerabilities? (11:35)
  • Unique and Interesting Bugs Discovered

Bonus - Web Developer Fundamentals (16 lectures)

  • Browsing the Web (6:00)
  • Breaking Google (2:59)
  • The Internet Backbone (5:29)
  • Traceroute (2:24)
  • HTML, CSS, Javascript (5:04)
  • Build Your First Website (7:48)
  • HTML Tags (8:39)
  • Your First CSS (13:42)
  • What Is Javascript? (5:33)
  • Your First Javascript (11:41)
  • Javascript On Our Webpage (9:05)
  • HTTP/HTTPS (19:58)
  • Introduction To Databases (10:54)
  • SQL: Create Table (5:15)
  • SQL: Insert Into + Select (4:33)
  • What is PHP? (5:16)

Bonus - Linux Terminal (3 lectures)

  • Linux 1 - ls, cd, pwd, touch... (13:46)
  • Linux 2 - sudo, nano, clear ... (7:00)
  • Linux 3 - ifconfig, nslookup, host ... (7:34)

Bonus - Networking (1 lecture)

  • Networking Cheatsheet

Where To Go From Here? (5 lectures)

  • Thank You (1:13)
  • Review This Course!
  • Become An Alumni
  • Endorsements On LinkedIn
  • Learning Guideline

Meet your instructors

Your instructors aren’t just experts with years of real-world professional experience. They have been in your shoes. They make learning fun. They make complex topics feel simple. They will motivate you. They will push you. And they go above and beyond to help you succeed.

Aleksa Tamburkovski, Ethical Hacker

Hi, I'm Aleksa Tamburkovski!

Aleksa, a Zero To Mastery Academy instructor, is a Penetration Tester with 5+ years of experience in Ethical Hacking & Cyber Security. Aleksa's goal is to teach you the foundations of Ethical Hacking & Cyber Security.

Andrei Neagoie, Senior Software Engineer

Hi, I'm Andrei Neagoie!

Andrei, lead instructor of Zero To Mastery Academy, has taught 1,000,000+ students worldwide how to code and get hired. ZTM grads work for world-class companies like Apple, Google, Amazon, Tesla, IBM, Facebook, Shopify and many more.

Frequently asked questions

Are there any prerequisites for this course?

  • No previous programming or pentesting knowledge required. We teach you everything you need to learn from scratch
  • A computer (Windows, Mac, or Linux) with an internet connection

Who is this course for?

  • Anybody who is interested in becoming a Bug Bounty Hunter or Penetration Tester and actually get paid to find bugs and vulnerabilities
  • Anybody who is interested in learning web security and how hackers take advantage of vulnerabilities and flaws
  • Students who are interested in going beyond all of the "beginner" tutorials out there that don't give you real-world practice or skills you need to actually get hired
  • Any Developer looking to secure their web applications and servers from hackers
  • You want to learn from an actual Penetration Tester with 5+ years of experience working for and discovering vulnerabilities for major companies and governments

Why should I learn pentesting, web security and bug bounty hunting?

This is a fast growing field making it a great opportunity to learn new skills and earn some money at the same time. Here's some stats from HackerOne:

  • Great side income: ~$45 million in bounties were awarded to hackers in the past year on HackerOne. That's an 86% year-over-year increase in total bounties paid
  • Get hired faster: 80% of Hackers said they will use the skills and experience learned while hacking to help land a job

Do you provide a certificate of completion?

We definitely do and they are quite nice. You will also be able to add Zero To Mastery Academy to the education section of your LinkedIn profile as well.

Are there subtitles?

Yes! We have high quality subtitles in 11 different languages: English, Spanish, French, German, Dutch, Romanian, Arabic, Hindi, Portuguese, Indonesian, and Japanese.

You can even adjust the text size, color, background and more so that the subtitles are perfect just for you!

Still have more questions about the Academy?

Still have more questions specific to the Academy membership? No problem, we answer some more here.

Invest in a better you. For less than a coffee a day.

Prices in USD (US Dollar).

Lifetime: $999, only pay once, ever. You're serious about advancing your career and never getting left behind.

Annual (MOST POPULAR): $279 / year ($23 / month). Save 40% vs. monthly (that's $189 a year). You're committed to getting hired and starting a career in tech.

Monthly: $39 / month. You're ready to upskill and advance your career.

Every ZTM membership includes:

  • Unlimited access to all courses, projects + workshops, and career paths
  • Access to our private Discord with 400,000+ members
  • Access to our private LinkedIn networking group
  • Custom ZTM course completion certificates
  • Live career advice sessions with mentors, every month
  • Full access to all future courses, content, and features

100% RISK FREE

We know you'll love ZTM. That's why we provide a no hassle, 30-day money back guarantee.