All courses
Resource hub
Featured resource
Forrester Wave Report 2025
Pluralsight named a Leader in the Forrester Wave™

Our tech skill development platform earned the highest scores possible across 11 criteria.

Learn more
Hamburger Icon
  • Path icon Learning Path
    • Libraries: This path is only available in the libraries listed. To access this path, purchase a license for the corresponding library.
  • Security
    •

Web App Pen Testing

10 Courses
4 Labs
15 Hours
Skill IQ

## This path covers the knowledge and skills required to operate as a Web Application Pen Tester.

Additionally, the skills covered directly align to the following CSWF, DCWF and Industry Roles:

**Workforce Framework for Cybersecurity (NICE Framework) & DoD Cyber Workforce Framework Roles:** - System Testing and Evaluation Specialist (SP-TST-001) - Vulnerability Assessment Analyst(PR-VAM-001) - Secure Software Assessor (SP-DEV-002)

**Industry Job Roles:** - Penetration Tester - Vulnerability Analyst - Application Security Analyst

This path will cover the essential tasks of web application pen testing, walking through each phase of the methodology as if you are shadowing a live application pen test. The scenario will cover testing through an application, discovering and exploiting vulnerabilities found. In addition, there are many vulnerabilities that a web app pen tester should be able to identify and test for. Don't miss the specialized courses covering a deep-dive into each of these types of vulnerabilities.

Get started

Content in this path

Web App Pen Testing

This path will cover the essential tasks of web application pen testing, walking through each phase of the methodology as if you are shadowing a live application pen test. The scenario will cover testing through an application, discovering and exploiting vulnerabilities found. In addition, there are many vulnerabilities that a web app pen tester should be able to identify and test for. Don't miss the specialized courses covering a deep-dive into each of these types of vulnerabilities.

Course

Web App Pen Testing: Reconnaissance

  • by Tim Tomes
  • 1h 14m
  • Nov 28, 2023
Course

Web App Pen Testing: Mapping

  • by Tim Tomes
  • 1h 49m
  • Dec 19, 2023

Specialized Web App Pen Testing

For a deeper dive into the OWASP Top 10

Course

Specialized Testing: API Testing

  • by George Smith
  • 56m
  • Dec 14, 2022
Course

Specialized Testing: Command Injection

  • by Michael Edie
  • 1h 2m
  • Jul 06, 2023
Course

Specialized Testing: XSS

  • by Christian Wenz
  • 1h 14m
  • Jul 30, 2022
Course

Specialized Testing: Sessions and Tokens

  • by Christian Wenz
  • 55m
  • Feb 27, 2023
Course

Specialized Testing: CSRF

  • by Christian Wenz
  • 48m
  • Nov 30, 2022
Course

Specialized Testing: Deserialization

  • by Peter Mosmans
  • 1h 1m
  • Feb 27, 2023
Course

Specialized Testing: SQL Injection

  • by Christian Wenz
  • 1h 13m
  • Oct 06, 2022

Web App Pen Testing Labs

In these labs, you will learn how attackers exploit vulnerabilities like XML External Entity (XXE) injection, broken access controls, insecure deserialization in ASP.NET ViewState, and Server-Side Template Injection (SSTI). You will practice identifying, exploiting, and understanding the attack chains that lead to privilege escalation and remote code execution. By completing these exercises, you will strengthen your ability to detect, prevent, and remediate critical web application security flaws.

Course

Getting Started in the Lab Environment

  • by Aaron Rosenmund
  • 6m
  • Oct 07, 2021
Lab

Retrieve Content Using Malicious XML External Entities (XXE)

  • by Riley Kidd
  • 30m
  • Aug 04, 2025
Lab

Gain Privileges Using Broken Access Control

  • by Lee Allen
  • 2h 15m
  • Aug 04, 2025
Lab

ASP.NET ViewState Deserialization Attack Chain

  • by Gavin JohnsonLynn
  • 1h 5m
  • Aug 04, 2025
Lab

SSTI and Remote Code Execution Attack Chain

  • by Riley Kidd
  • 40m
  • Aug 05, 2025
Try this learning path for free
Access this learning path and other top-rated tech content with a free trial.
Free individual trial Free team trial
Have questions? Get them answered now.
Start a live chat
What You'll Learn
Prerequisites
Related topics
  • Web Application Security
  • OWASP
  • Penetration Testing
  • Web Application Penetration Testing
Not sure where to start?
With over 500 assessments to choose from, you can see where your skills stand and receive adaptive learning recommendations to fill knowledge gaps in as little as 10 minutes.
Learn more

Learn with the best

Tim Tomes
Tim Tomes
Tim is a believer, husband, father, veteran, software developer, web application security engineer, and the founder of PractiSec (Practical Security Services). With extensive experience in web application security and software development, Tim currently conducts consultative engagements, manages multiple open source software projects (Recon-ng Framework, the HoneyBadger Geolocation Framework, PwnedHub, etc.), writes technical articles (lanmaster53.com), and frequently instructs and presents on s...
George Smith
George Smith
George Smith has spent more than 25 years in the IT industry. During this time he has held a variety of positions, starting with web UI development and business analysis, progressing with system administration and infrastructure, then switching to core systems programming, technical consulting, and finally becoming an E-Commerce Architect and Subject Matter Expert. He is well versed in modern trends like Containerization, Infrastructure as Code, Serverless computing models, and more. George demo...
Michael Edie
Michael Edie
Michael is a Senior Security Consultant with 10+ years of experience in the public and private sectors. He is a proactive and iterative cyber threat hunter specializing in detection engineering, DFIR, and automation. Michael has led teams and directed collaborative efforts to develop and implement strategies for mitigating evolving threat trends. He is the Founder and Principal Consultant of Sawbox Consulting, where he identifies and resolves security issues, implements solutions and evaluates s...
Christian Wenz
Christian Wenz
Christian Wenz is an architect, consultant and author focusing on web technologies. He wrote or co-wrote over 100 books, is a fixture at international developer conferences since 2001, is a Microsoft Most Valuable Professional (MVP) for Developer Technologies since 2004, and the main author of the official Zend PHP certification. His day job includes conducting security audits, migrating old code bases, implementing complex web applications and helping companies choose the right web strategy an...
Peter Mosmans
Peter Mosmans
Peter started out in the nineties as software engineer working on internet banking applications for various European financial institutions. After developing, he moved to the role of defending and designing systems and networks for high-availability websites. Since 2004 he started specializing in breaking: pentesting complex and feature-rich web applications. Currently he leads a global team of highly skilled penetration testers as lead pentester. He is a contributor to several open-source penet...
Aaron Rosenmund
Aaron Rosenmund
Aaron M. Rosenmund is a cyber security operations subject matter expert, with a background in federal and business defensive and offensive cyber operations and system automation. Leveraging his administration and automation experience, Aaron actively contributes to multiple open and closed source security operation platform projects and continues to create tools and content to benefit the community. As an educator & cyber security researcher at Pluralsight, he is focused on advancing cyber secur...
Riley Kidd
Riley Kidd
Riley has technical security consultancy experience – leading and building teams to deliver projects and outcomes for clients. He has created and facilitated technical trainings across secure coding, python for hackers, offensive operations, and Capture The Flag competitions. Riley has created technical educational content across YouTube, TCM Academy, and his personal Capture The Flag platform – 247CTF. Riley holds a number of certifications including OSCP, OSCE, OSED, OSWE, OSEP, CRTO, CRTL, C...
Lee Allen
Lee Allen
With over two decades of experience in the security industry, Lee is a seasoned professional with a proven track record of delivering top-notch security services to a diverse range of organizations. From Internet Service Providers and computer manufacturers to global pharmaceutical companies, public universities, and a major bank, Lee has worked with some of the biggest names in the industry. With experience as a leader of the penetration testing team at a large bank, Lee has developed deep expe...
Gavin JohnsonLynn
Gavin JohnsonLynn
Gavin has 20 years’ experience writing software in regulated environments and for global organisations. The last five years of his development career were spent with a focus on security, becoming the security lead for a significant payments project at a FTSE 100 company. He has experience with languages from COBOL to .Net and many languages in between. Gavin's experience of secure development revealed a passion for security, leading him to become a speaker and blogger on the subject. He has held...

Join our learners and upskill
in leading technologies