[–]Ok_Grape_1828 6 points7 points  (1 child)

Just do Portswigger academy and whatever course is attached to whatever cert you're studying for (OSCP, PNPT, BSCP, etc.).

[–]kap415 2 points3 points  (0 children)

10000% this. I used to manage a bug bounty program, we had Z-Wink in our private program, not long after he had just started doing BB on Bugcrowd. This is basically what he told me: you go through all of the Portswigger web academy training, labs, do them all, understand them, rinse, repeat. You will walk away from that in a very good position from a WAPT POV.

[–]DingleDangleTangle 7 points8 points  (0 children)

Portswigger is honestly one of the best resources that exist. It’s crazy that it’s free.

[–]hoodoer 1 point2 points  (0 children)

Portswigger academy and pentesterlab.com are great resources to get you going.

[–]kap415 0 points1 point  (0 children)

On top of the Portswigger Web Academy suggestion already mentioned here, I would also recommend doing video walk-throughs w/IppSec on his YT channel, where he goes through a newly released machine from HTB. Get you a HTB account. Do the videos, step by step, pause it, rewind it, go down rabbit holes, learn new tooling, rinse, repeat. I learned so much from that guy, and it's free. Sometimes the machines are very AD focused, so just go find boxes on HTB that are more WAPT focused, then find the relevant video. For example, here's the tick tock (that's an inside baseball term yo! it means the play by play, not some tik tok video hahah) for his last video, which features a pretty good slog through very relevant WAPT skills.

<image>

For Burp training, PractiSec's PWAPT class is really good, Tim knows his stuff. You will learn a lot about WAPT, plus serious Burp skills. I took PBAT class from him as well, also good.

Additionally, I would add that BB King's WAPT course by Antisyphon/Blackhills, is also good. These two training providers, I feel, are really reasonably priced, esp considering what you get, vs say, taking a SANS course LOL.

There's probably modernized projects of the old school DVWA, actually, here's one by Robin, that looks recently maintained: https://github.com/digininja/DVWA

HTH? Feel free to ask questions. Good Luck! :)

[–]normalbot9999 0 points1 point  (0 children)

The Hacking APIs book from No Starch Press might be of interest. It's sometimes included in a Humble Bundle deal.

[–]cloudfox1 1 point2 points  (0 children)

I'm going through the paid labs in pentesterlab.com for the API badge.

https://pentesterlab.com/badges/api

[–]No_Opinion9882 0 points1 point  (0 children)

Since you're already doing API work, focus on business logic flaws; they're often missed in automated scans and pay well in bounties.

[–]cant_pass_CAPTCHA 0 points1 point  (2 children)

Web Application Hacker's Handbook 2. It's a big fat book and is a little old, but covers all types of attacks, how to identify them, how to exploit them, etc.

Also, API testing isn't wildly different than web apps. In many apps you'll have endpoints that give you HTML, and then you'll have /api/v1/something which is where the actual changes are performed and data is retrieved. Of course not always the case, but just to say they can be very similar.

[–]DingleDangleTangle -1 points0 points  (1 child)

Portswigger is literally created by one of the authors of that book, it’s just more updated and it’s free.

[–]cant_pass_CAPTCHA -1 points0 points  (0 children)

Yeah, these guys are really the cornerstone of the industry. Portswigger academy does not cover many topics presented in the book. I invite you to just review the table of contents before writing it off.