PortSwigger - Web Security Academy
https://portswigger.net/web-security
Last updated
The Web Security Academy is a free online training center for web application security. Its content comes from PortSwigger's in-house research team and experienced academics, and it combines theoretical study with hands-on practice in genuinely effective labs.
In my case I installed Burp Suite Community Edition and Chromium on my main machine (Debian OS); by starting Burp Suite and clicking Proxy -> Intercept -> Open Browser (orange button) it is possible to have Chromium already configured and communicating directly with Burp.
As suggested in the HexDump BSCP Technical Guide, there is no single methodology: the order of your path is subjective. You can follow the existing learning paths, work through individual modules, do all the Apprentice labs first, and so on. Below is a table describing one possible personalized study path: https://blog.leonardotamiano.xyz/tech/bscp-technical-guide/
| # | Topic | Category | Difficulty |
|---|-------|----------|------------|
| 1 | Information Disclosure | Server-Side | Low |
| 2 | Essential Skills | Advanced | Low |
| 3 | SQL Injection | Server-Side | Low |
| 4 | Command Injection | Server-Side | Low |
| 5 | Path Traversal | Server-Side | Low |
| 6 | XXE Injection | Server-Side | Low |
| 7 | File Upload Vulnerabilities | Server-Side | Low |
| 8 | Server-Side Request Forgery (SSRF) | Server-Side | Low |
| 9 | Authentication | Server-Side | Low |
| 10 | Access Control | Server-Side | Low |
| 11 | Clickjacking | Client-Side | Low |
| 12 | Web LLM attacks | Advanced | Low |
| 13 | Cross-site scripting (XSS) | Client-Side | Medium |
| 14 | Cross-site request forgery (CSRF) | Client-Side | Medium |
| 15 | Cross-origin resource sharing (CORS) | Client-Side | Medium |
| 16 | DOM-based vulnerabilities | Client-Side | Medium |
| 17 | Server-Side Template Injection | Advanced | Medium |
| 18 | Business Logic Vulnerabilities | Server-Side | Medium |
| 19 | HTTP Host Header Attacks | Advanced | Medium |
| 20 | Prototype Pollution | Advanced | Medium |
| 21 | WebSockets | Client-Side | Medium |
| 22 | JWT attacks | Advanced | Medium |
| 23 | GraphQL API Vulnerabilities | Advanced | Medium |
| 24 | Insecure Deserialization | Advanced | Medium |
| 25 | OAuth Authentication | Advanced | High |
| 26 | Race Conditions | Server-Side | High |
| 27 | HTTP Request Smuggling | Advanced | High |
| 28 | Web Cache Poisoning | Advanced | High |
| 29 | Web Cache Deception | Server-Side | High |
Personally, I'm using a mixed approach.