Web Security & Bug Bounty: Learn Penetration Testing in 2021

Start a career or earn a side income by becoming a Bug Bounty Hunter. No experience needed. Hack websites, fix vulnerabilities, improve web security and much more. You'll learn penetration testing from scratch and master the most modern pentesting tools & best practices for 2021!

Taught by Andrei Neagoie and Aleksa Tamburkovski

This course includes:

  • 10.5+ hours on-demand, downloadable HD videos
  • 10+ bonus articles and resources
  • Access to live, exclusive ZTM community
  • Steps to go from absolute beginner to an ethical hacking and security expert
  • Certificate of Completion
Start Learning Now

Join 500,000+ students enrolled in ZTM courses!

What you'll learn

  • Learn Penetration Testing from scratch to become a bug bounty hunter and web security expert
  • Setting Up Your Hacking Lab: Kali Linux and Virtual Machines (Works with Windows/Mac/Linux)
  • Learn How To Hack & Attack Systems With Known Vulnerabilities
  • Bug Hunter and the Burpsuite Tool
  • Command Injection/Execution
  • Bruteforce Attacks
  • Security Misconfiguration
  • SQL Injection
  • Logging & Monitoring Best Practices
  • Networking Fundamentals
  • Discover, exploit, and mitigate all types of web vulnerabilities. Secure any of your future applications using best practices
  • How to make money from bug bounty hunting and make a career of it
  • Website Enumeration & Information Gathering
  • HTML Injections
  • Broken Authentication
  • Broken Access Control
  • Cross Site Scripting - XSS
  • XML, XPath Injection, XXE
  • Web Fundamentals
  • Linux Terminal Fundamentals

Meet your instructors

Hi! I'm Andrei.

Senior Software Developer turned Instructor, Founder of ZTM

Andrei is the instructor of some of the highest rated programming courses on the web. Some of his students (500,000+ in the past few years) now work for some of the biggest tech companies around the world like Apple, Google, Amazon, Tesla, IBM, Shopify and many more.


He has worked as a Senior Software Developer in Silicon Valley and Toronto for many years and is now taking all that he has learned to teach programming skills and to help you discover the amazing career opportunities that being a developer allows in life.

Hi! I'm Aleksa.

Ethical Hacker and Instructor

Aleksa is a Penetration Tester with over 5 years of experience in Ethical Hacking and Cyber Security. A self-taught hacker who started at a young age, he has covered everything from ethical hacking and cyber security to online privacy and staying anonymous online.

He has worked for, and discovered vulnerabilities in, multiple companies and government organisations, and has also worked as a freelancer testing private web applications. He believes online security and privacy are valuable but do not get enough attention, given how many cyber attacks are executed every single day.

No System is Safe and that is why we are here to help you learn how to discover vulnerabilities and secure them before the bad guys attempt anything malicious.

Why Zero To Mastery is right for you

With so many online resources available, it can be paralyzing not only figuring out where to start but more importantly which courses will actually teach you the skills you need to get hired.


That’s why the Zero To Mastery Academy exists, to provide industry-leading courses and content to teach you the relevant skills you need to advance your career and get you hired at some of the top companies in the world.


Join now to get complete access to this course and all others for only $23/month (billed annually at $279/year).

Monthly Membership

$39 / month
  • Unlimited access to all courses, workshops and career paths
  • Download all lessons for offline learning
  • Invite to private Discord with 200K+ members
  • Exclusive Academy only content
  • Access to private LinkedIn networking group
  • Custom ZTM course completion certificates
I'M READY TO TRY IT OUT

Annual Membership

$279 / year ($23/month)
  • All the benefits of a monthly membership
  • Save 40% compared to Monthly Membership
I'M READY TO COMMIT

Course Curriculum

We want you to make sure this course is a good fit for you. So start learning for free right now by clicking the PREVIEW links below.

Example Curriculum

  • Introduction To Bug Bounty
  • Our Virtual Lab Setup
  • Website Enumeration & Information Gathering
  • Introduction To Burpsuite
  • HTML Injection
  • Command Injection/Execution
  • Broken Authentication
  • Bruteforce Attacks
  • Sensitive Data Exposure
  • Broken Access Control
  • Security Misconfiguration
  • Cross Site Scripting - XSS
  • SQL Injection
  • XML, XPath Injection, XXE
  • Components With Known Vulnerabilities
  • Insufficient Logging And Monitoring
  • Monetizing Bug Hunting
  • Bonus - Web Developer Fundamentals
  • Bonus - Linux Terminal
  • Bonus - Networking
  • Where To Go From Here?

Course Details

We guarantee you that this is the most comprehensive and up-to-date Penetration Testing course that you can find to go from absolute beginner to becoming a web security expert and getting paid as a bug bounty hunter. You will learn and master the most modern bug bounty and pentesting tools and best practices for 2021!

This course is focused on learning by doing, not watching endless tutorials with nothing to show for it. You are going to learn how penetration testing works by actually practicing the techniques and methods used by bug bounty hunters in 2021. Don't waste your time learning outdated techniques and topics you'll find in a lot of tutorials.

Graduates of Zero To Mastery are now working at Google, Tesla, Amazon, Apple, IBM, JP Morgan, Facebook, Shopify + other top tech companies. They are also working as top freelancers getting paid while working remotely around the world. This can be you.

By enrolling today, you’ll also get to join our exclusive live online community classroom to learn alongside thousands of students, alumni, mentors, TAs and Instructors.

Most importantly, you will be learning from industry experts (Aleksa & Andrei) that have actual real-world experience working on security for large companies and websites/apps with millions of visitors.

Already know how to code? Great. You're going to start off right away by creating your own virtual hacking lab, so that your own computer stays safe throughout the course and your machines are properly set up for penetration testing.

Don't know how to code yet? No problem at all. We've included three bonus sections to get you up to speed so you can start pentesting in no time at all.

This pentesting / bug bounty course will cover:

1. Introduction To Bug Bounty:

In this section, we answer "What is a Bug Bounty?" and "What is Penetration Testing?". We'll also explore the career path of a Pen Tester.

2. Our Virtual Lab Setup:

  • Create your virtual lab that we will use throughout the course (Kali Linux machine).
  • Install a vulnerable virtual machine ("VM") called OWASPBWA that we will attack.
  • Create an account on the TryHackMe Cyber Security training platform.
  • For almost every vulnerability, we cover an example on TryHackMe and also on our vulnerable VM.
  • From here you will choose one of two different paths depending on the knowledge that you already have.

3. Website Enumeration & Information Gathering:

This is where the practical bug bounty / website penetration testing starts. We cover numerous tactics and tools for gathering as much information as possible about a target website, using tools like Dirb, Nikto and Nmap. We also use Google hacking (search operators that surface exposed files and pages), a useful skill to have when tools are not available.

4. Introduction To Burpsuite:

This is a very important tool for a bug hunter. Pretty much every bug hunter out there knows about Burp Suite (and probably uses it). It has many features that make hunting for bugs easier, such as crawling the site, intercepting and modifying HTTP requests, running brute-force attacks and more.

5. HTML Injection:

This is our first bug. It is also one of the easiest, so we start with it. HTML injection is essentially finding an input on the page whose value is placed into the response without being escaped, so that HTML we submit is rendered by the browser as real markup rather than shown as text.

6. Command Injection/Execution:

Our first dangerous bug. Command injection is possible when the server passes our input to a system shell without validating it. A typical case is a page that lets us ping other hosts but never checks whether what we typed is just an IP address or an IP address followed by another command. This lets us run commands on the server, take it over through a reverse shell and compromise the accounts (and all the data) on that system.
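The ping case above, as an added example written for this page (it is not code from the course). It shows the vulnerable pattern (input pasted into a shell command line) next to the fix (allow-list validation plus an argv list with no shell). The one assumption is that `echo` stands in for the real `ping` binary so the example runs offline; it receives exactly the arguments ping would.

```python
import ipaddress
import re
import subprocess

# Stand-in for the ping binary so the example runs offline: "echo" receives the
# same arguments ping would and prints them back. (Assumption for this demo.)
PING = "echo"

# Hostname grammar per RFC 1123: labels of letters, digits and hyphens with no
# leading hyphen, so values like "-c", "a;id" or "$(id)" can never get through.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def ping_vulnerable(host: str) -> str:
    """The bug: user input is pasted into a command line and handed to /bin/sh,
    so ';', '|', '&&' and '$(...)' are interpreted as shell syntax."""
    cmd = f"{PING} -c 1 {host}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def is_valid_host(host: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def ping_hardened(host: str) -> str:
    """The fix: validate against the allow-list, then pass argv as a list with
    shell=False so no shell ever parses the value. Rejecting a leading '-' in
    the validator also blocks argument injection (e.g. host="-f")."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    proc = subprocess.run([PING, "-c", "1", host],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print(ping_vulnerable(payload))          # the second command runs
    try:
        ping_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

Note that `shell=False` alone is not enough: a value such as `-f` would still be parsed by ping as a flag, which is why the validator rejects anything that does not look like a host rather than trying to strip shell metacharacters.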

7. Broken Authentication:

This is another common class of vulnerability. It refers to weaknesses in two areas, session management and credential management, which allow an attacker to impersonate legitimate users. We show different examples involving cookie values, HTTP requests, the "forgot password" page and more.
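One of the cookie cases this section talks about, as an added example written for this page (not the course's own code): a session cookie that merely base64-encodes the username, which any user can decode and rewrite to become admin, next to an opaque random session id that lives in a server-side table. The user table, the cookie name `session` and the helper names are constructed for the example.

```python
import base64
import secrets

# Constructed accounts for the example; a real login would verify a password
# hash before issuing any of these cookies.
USERS = {"alice": "user", "bob": "user", "admin": "admin"}


# --- Vulnerable: the cookie carries the identity in a form anyone can mint ---
def issue_cookie_vulnerable(username: str) -> str:
    # base64 is an encoding, not encryption: "dXNlcj1hbGljZQ==" decodes to user=alice
    return base64.b64encode(f"user={username}".encode()).decode()


def whoami_vulnerable(cookie: str):
    """Trusts whatever the client sends, as long as it decodes."""
    try:
        raw = base64.b64decode(cookie).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return raw[len("user="):] if raw.startswith("user=") else None


def forge_cookie(target: str) -> str:
    """The attack: no secret is needed, just decode, swap the name, re-encode."""
    return issue_cookie_vulnerable(target)


# --- Hardened: opaque random session id; identity is kept only on the server ---
SESSIONS = {}  # session id -> username


def issue_cookie_hardened(username: str) -> str:
    # 256 bits from the OS CSPRNG: not guessable, and there is nothing to decode
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def whoami_hardened(cookie: str):
    return SESSIONS.get(cookie)  # unknown or forged values map to nothing


def logout(cookie: str) -> None:
    # server-side invalidation: a stolen cookie stops working when the session ends
    SESSIONS.pop(cookie, None)


def set_cookie_header(sid: str) -> str:
    """Attributes that limit what a sniffed or script-stolen cookie is worth."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print("forged admin cookie accepted as:", whoami_vulnerable(forge_cookie("admin")))
    print("forged cookie against hardened server:", whoami_hardened(forge_cookie("admin")))
```

When testing, the first thing to check on any session cookie is whether it decodes to something readable; if it does, changing the decoded value is the next request to send.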

8. Bruteforce Attacks:

This can be a problem even when the application itself has no code-level flaw. If a user has set a short, simple password, it is also easy to guess. We cover the tools used to send large numbers of password guesses at a login page to break into an account.

9. Sensitive Data Exposure:

This one is less a flaw in the application's logic than a deployment mistake: developers leave sensitive information reachable in production that should have been removed or locked down, and an attacker can use it to mount further attacks. We cover an example where a developer leaves the entire database accessible to regular users.

10. Broken Access Control:

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of data, or performing a business function outside of the limits of the user. Here we cover a vulnerability called Insecure Direct Object Reference (IDOR). A simple example is an application that puts the user ID in the URL. If the server does not check that the logged-in user is actually allowed to see that ID, an attacker can simply change the number and read another user's information.
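The user-ID-in-the-URL case, as an added example written for this page (not the course's own code). It models a `/profile?id=N` endpoint twice, once with the IDOR and once with the authorization check, and adds the probe a bug hunter would run against it: walk neighbouring ids with a low-privilege session and record every record that comes back that is not your own. The user table and session tokens are constructed.

```python
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed data: three accounts, one of them an administrator.
USERS = {
    1: {"name": "alice", "role": "user", "email": "alice@example.com"},
    2: {"name": "bob", "role": "user", "email": "bob@example.com"},
    3: {"name": "carol", "role": "admin", "email": "carol@example.com"},
}
# Session token -> user id, as the server keeps it after login.
SESSIONS = {"tok-alice": 1, "tok-bob": 2, "tok-carol": 3}

Response = Tuple[int, Optional[dict]]  # (HTTP status, JSON body)


def get_profile_vulnerable(token: str, user_id: int) -> Response:
    """GET /profile?id=<user_id> with the IDOR: the caller is authenticated,
    then whatever record the id points at is returned, owner or not."""
    if token not in SESSIONS:
        return 401, None
    record = USERS.get(user_id)
    return (200, record) if record else (404, None)


def get_profile_hardened(token: str, user_id: int) -> Response:
    """Same endpoint, but the decision is tied to the session, not the URL."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    record = USERS.get(user_id)
    is_owner = caller == user_id
    is_admin = USERS[caller]["role"] == "admin"
    if record is None or not (is_owner or is_admin):
        # 404 for both "missing" and "not yours", so the endpoint does not
        # confirm which ids exist to someone enumerating them.
        return 404, None
    return 200, record


def probe_idor(handler: Callable[[str, int], Response],
               token: str, ids: Iterable[int]) -> List[int]:
    """The tester's view: iterate ids with one low-privilege session (what you
    would do with Burp Intruder) and report every foreign record returned."""
    own = SESSIONS[token]
    leaked = []
    for uid in ids:
        status, _body = handler(token, uid)
        if status == 200 and uid != own:
            leaked.append(uid)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks ids:", probe_idor(get_profile_vulnerable, "tok-alice", range(1, 6)))
    print("hardened leaks ids:  ", probe_idor(get_profile_hardened, "tok-alice", range(1, 6)))
```

Replacing sequential ids with UUIDs makes the probe slower but is not a fix; the authorization check in `get_profile_hardened` is.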

11. Security Misconfiguration:

We've added this as a separate section, although many of the earlier vulnerabilities can also be the result of a misconfiguration. Here we show an example where the admins of a website never changed the default credentials of an application running on their server.

12. Cross Site Scripting - XSS:

This is a big vulnerability and is very common across websites. It allows us to execute JavaScript in other users' browsers in the context of the vulnerable site, because user input is placed into the page without proper encoding and the browser processes it as script. There are three main types of XSS: stored, reflected and DOM-based. We cover these three plus some unusual ones.
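Stored and reflected XSS side by side, as an added example written for this page (not the course's own code). A guestbook renders comments, once by string concatenation and once with context-aware output encoding. The second half shows the edge that `html.escape` alone does not cover: a `javascript:` URL inside `href` contains nothing that HTML escaping changes, so the URL scheme has to be allow-listed separately. The comment store and field names are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed comment store, as a guestbook would keep it after POST /comment.
COMMENTS = []


def post_comment(author: str, text: str, homepage: str) -> None:
    COMMENTS.append({"author": author, "text": text, "homepage": homepage})


def render_vulnerable() -> str:
    """Stored XSS: every stored value is concatenated straight into the HTML."""
    rows = [f'<li><a href="{c["homepage"]}">{c["author"]}</a>: {c["text"]}</li>'
            for c in COMMENTS]
    return "<ul>" + "".join(rows) + "</ul>"


def safe_url(url: str) -> str:
    """href is a URL context, not an HTML-text context: "javascript:alert(1)"
    survives html.escape untouched, so allow only http(s) and fall back to '#'.
    Browsers strip leading whitespace before the scheme, hence the strip()."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_hardened() -> str:
    """Encode for the HTML-text/attribute context and validate the URL context."""
    rows = [
        '<li><a href="{href}">{author}</a>: {text}</li>'.format(
            href=html.escape(safe_url(c["homepage"]), quote=True),
            author=html.escape(c["author"], quote=True),
            text=html.escape(c["text"], quote=True),
        )
        for c in COMMENTS
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the query string comes straight back in the response."""
    return f"<p>Results for {query}</p>"


def render_search_hardened(query: str) -> str:
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


if __name__ == "__main__":
    post_comment("<script>alert(1)</script>", 'hi "friend"', "javascript:alert(document.cookie)")
    print(render_vulnerable())
    print(render_hardened())
```

Encoding must match the context the value lands in: HTML text, attribute, URL and inline JavaScript each need their own treatment, which is also why DOM-based XSS does not disappear when the server encodes correctly.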

13. SQL Injection:

Another big vulnerability, and a really dangerous one. Many websites talk to a database, whether it stores product information or user accounts. If user input is concatenated into the SQL query instead of being passed as a parameter, the attacker can change the meaning of that query and talk to the database directly, extracting entire tables or even deleting them. There are several types of SQL injection, such as error-based, union-based and blind SQL injection.
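Login bypass and UNION-based extraction against a small in-memory SQLite database, as an added example written for this page (not the course's own code). Each query is shown with string formatting (the bug) and with bound parameters (the fix). The tables, rows and password strings are constructed; the login deliberately compares the password inside the query, which is what makes the classic comment-out bypass work.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a users and a products table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO users(username, password) VALUES
            ('admin', 'constructed-hash-1'), ('alice', 'constructed-hash-2');
        INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
    """)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """username = admin'-- turns the rest of the WHERE clause into a comment."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username: str, password: str):
    """Bound parameters: the driver sends the values separately from the SQL,
    so a quote in the username is just a character in a string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term: str):
    """UNION-based injection: a term that closes the LIKE string and appends
    'UNION SELECT username, password FROM users' returns the users table."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, term: str):
    # the wildcards are added to the *value*, never to the query text
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, "admin'--", "wrong"))
    print("union :", search_vulnerable(db, "' UNION SELECT username, password FROM users--"))
    print("fixed :", login_hardened(db, "admin'--", "wrong"),
          search_hardened(db, "' UNION SELECT username, password FROM users--"))
```

One caveat when reproducing this: Python's `sqlite3.execute` refuses stacked statements, so a `; DROP TABLE users--` payload fails here even in the vulnerable version, while the bypass and the UNION extraction work unchanged. Other drivers and databases do execute stacked queries.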

14. XML, XPath Injection, XXE:

XXE, or XML External Entity injection, is a vulnerability in applications that parse XML with a parser configured to resolve external entities. It can let the attacker read files on the server, make the server send requests to internal systems, cause a denial of service and, with some parser configurations, even execute code, making it another severe vulnerability.
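The file-read case, as an added example written for this page (not the course's own code). The standard-library `xml.parsers.expat` does not resolve external entities on its own, so the vulnerable parser below installs an external-entity handler that does exactly what libxml2 with `NOENT` or lxml with `resolve_entities=True` would do: fetch the `SYSTEM` URI and splice its bytes in. The hardened parser rejects any `DOCTYPE`, which also shuts the door on entity-expansion bombs. The "secret" file is a temporary file constructed by the example; `/etc/passwd` would be the real target.

```python
import os
import tempfile
import xml.parsers.expat


def make_secret_file(content: str) -> str:
    """Write a constructed 'secret' file standing in for /etc/passwd."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(content)
    return path


def xxe_payload(path: str) -> str:
    """Classic XXE: declare an external entity pointing at a local file and
    reference it in a field the application echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file://{path}"> ]>\n'
        "<order><item>&xxe;</item></order>"
    )


def parse_item_vulnerable(xml_text: str) -> str:
    """Returns the text of <item>, resolving external entities as a permissive
    parser would (only file:// URIs, POSIX paths, for this demo)."""
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def on_external_entity(context, base, system_id, public_id):
        if system_id and system_id.startswith("file://"):
            sub = parser.ExternalEntityParserCreate(context)  # inherits handlers
            with open(system_id[len("file://"):], encoding="utf-8") as f:
                sub.Parse(f.read(), True)  # file content becomes character data
        return 1  # tell expat the entity was handled

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_text, True)
    return "".join(text)


def parse_item_hardened(xml_text: str) -> str:
    """Refuse any DOCTYPE: external entities, parameter entities and
    'billion laughs' expansions are all declared there, and an order API
    has no business accepting one."""
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in this API")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_text, True)
    return "".join(text)


if __name__ == "__main__":
    secret = make_secret_file("root:x:0:0:root:/root:/bin/bash\n")
    print("leaked:", parse_item_vulnerable(xxe_payload(secret)))
    try:
        parse_item_hardened(xxe_payload(secret))
    except ValueError as exc:
        print("hardened:", exc)
```

When testing a real target, the echoed field is the easy case; if nothing is reflected, the same entity declaration pointed at a host you control turns the bug into an out-of-band or blind XXE.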

15. Components With Known Vulnerabilities:

Even if the application's own code has no flaw, the server might be running other components (web server modules, CMS plugins, libraries) with a known vulnerability that hasn't been patched yet. Depending on what that vulnerability is, this can allow us to perform various types of attacks.

16. Insufficient Logging And Monitoring:

Logging and monitoring should always be approached from a security standpoint. Logging keeps a record of the requests and data flowing through the application. That record lets us determine whether an attack is currently taking place and, if one has already happened, examine it in more depth, identify which attack it was, and apply that knowledge to change the application so the same attack doesn't succeed again.
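What "determine whether an attack is taking place" looks like in code, as an added example written for this page (not the course's own code). It parses combined-format access log lines and runs two sliding-window detections over them: repeated failed `POST /login` from one IP (the brute-force attacks from section 8) and a burst of 404s from one IP (the directory enumeration from section 3). The log lines, IPs, paths and thresholds are constructed for the example; one source is a slow brute-forcer spaced wider than the window, which the rule deliberately misses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format, as written by a typical reverse proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, method, path, status, size=512):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} {size}'


# Constructed sample log: normal traffic, one fast brute-forcer, one directory
# scanner and one slow brute-forcer that stays under the per-window threshold.
_T0 = datetime(2021, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
_SCAN_PATHS = ["admin", ".git", ".env", "backup.zip", "config.php"] + [f"dir{i}" for i in range(20)]
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.4", _T0, "GET", "/", 200, 5120),
     _line("10.0.0.4", _T0 + timedelta(seconds=5), "GET", "/missing.png", 404, 0)]
    + [_line("203.0.113.5", _T0 + timedelta(seconds=2 + 3 * i), "POST", "/login", 401) for i in range(12)]
    + [_line("198.51.100.7", _T0 + timedelta(minutes=5, seconds=i), "GET", f"/{p}", 404) for i, p in enumerate(_SCAN_PATHS)]
    + [_line("192.0.2.9", _T0 + timedelta(seconds=30 * i), "POST", "/login", 401) for i in range(12)]
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not trusted
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def detect(lines, window_s=60, login_threshold=10, notfound_threshold=20):
    """Returns {ip: [alert names]} using a sliding window per source IP:
    'login-bruteforce' for >= login_threshold failed POST /login in window_s,
    'path-enumeration' for >= notfound_threshold 404s in window_s."""
    recent = defaultdict(list)   # (ip, alert kind) -> timestamps in the window
    alerts = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        kinds = []
        if e["method"] == "POST" and e["path"].startswith("/login") and e["status"] in (401, 403):
            kinds.append(("login-bruteforce", login_threshold))
        if e["status"] == 404:
            kinds.append(("path-enumeration", notfound_threshold))
        for kind, threshold in kinds:
            stamps = recent[(e["ip"], kind)]
            stamps.append(e["ts"])
            cutoff = e["ts"] - timedelta(seconds=window_s)
            while stamps and stamps[0] < cutoff:
                stamps.pop(0)
            if len(stamps) >= threshold:
                alerts[e["ip"]].add(kind)
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}


if __name__ == "__main__":
    for ip, kinds in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, kinds)
```

The slow source 192.0.2.9 shows the limit of a fixed window: twelve failures spaced 30 seconds apart never put ten inside 60 seconds. Real detections pair a rule like this with per-account failure counts and longer baselines, and, equally important, the application has to log failed logins in the first place.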

17. Monetizing Bug Bounty Hunting:

After practicing and covering all the vulnerabilities, we'll show you how you can make money from your new knowledge and skills. We give you different platforms that can be used to start your career as a bug hunter and use one platform as an example to show how a bug bounty program works and what to pay attention to when applying.

18. Bonus - Web Developer Fundamentals:

This section is for anyone that doesn't have basic knowledge in Web Development or doesn't know exactly how websites work and are structured.

19. Bonus - Linux Terminal:

This section is for anyone that doesn't have basic knowledge of using the linux terminal. This is important as we will be using it throughout the course.

20. Bonus - Networking:

Fundamentals of networking and some basic terms to know as Penetration Testers and Bug Bounty hunters.


This course is not about making you just code along without understanding the principles so that when you are done with the course you don’t know what to do other than watch another tutorial... No!

This course will push you and challenge you to go from an absolute beginner to someone that can earn income as a Pentester / Bug Bounty Hunter and become a web security expert.

We guarantee you this is the most comprehensive online course on bug bounty hunting, penetration testing, and web security 💪. And if you're serious about a career in Ethical Hacking, you can take this course as part of our step-by-step Ethical Hacker Career Path.

Click Start Learning Now to join the Academy. We'll see you inside the course!

Answers to (at least some of) your questions

Are there any prerequisites for this course?

  • A computer and internet connection. Mac / Windows / Linux - all operating systems work with this course.
  • No previous programming knowledge required. We teach you everything you need to learn from scratch.

Who is this course for?

  • Anybody who is interested in becoming a bug bounty hunter or penetration tester and actually get paid to find bugs and vulnerabilities
  • Anybody who is interested in learning web security and how hackers take advantage of vulnerabilities and flaws
  • Students who are interested in going beyond all of the "beginner" tutorials out there that don't give you real-world practice or skills you need to actually get hired
  • Any developer looking to secure their web applications and servers from hackers
  • You want to learn from an actual Penetration Tester with 5+ years of experience working for and discovering vulnerabilities for major companies and governments

Why should I learn pentesting, web security and bug bounty hunting?

This is a fast growing field making it a great opportunity to learn new skills and earn some money at the same time. Here's some stats from HackerOne:

  • Great side income: ~$45 million in bounties were awarded to hackers in the past year on HackerOne. That's an 86% year-over-year increase in total bounties paid
  • Get hired faster: 80% of Hackers said they will use the skills and experience learned while hacking to help land a job

Do you provide a certificate of completion?

We definitely do and they are quite nice. You will also be able to add Zero To Mastery Academy to the education section of your LinkedIn profile as well.

Can I download the videos?

Definitely. You can download any and all lessons for personal use. We do everything we can to make learning easy, fun, and accessible whether that’s on your commute, on a flight or if you just have limited access to good wifi.

Still have more questions specific to the Academy membership? No problem, check these out.

Live the life you want, starting now

Learning to code and becoming a developer provides endless opportunities to live the life you want. Whether that’s a high paying job with a world-class tech company, working remotely or building your own apps, the ZTM Academy will equip you with the skills and knowledge to achieve your dreams.


Our courses walk you through the entire journey of starting to learn to code to having a successful career in the tech industry. Along the way, you’ll not only be supported by Andrei, Aleksa and our course TAs but also your thousands of peers in the exclusive Zero To Mastery developer community.


Join now to take the first step to change your life.
