Best OWASP Courses

Find the best online OWASP Courses for you. The courses are sorted based on popularity and user ratings. We do not allow paid placements in any of our rankings. We also have a separate page listing only the Free OWASP Courses.

Practical Ethical Hacking – The Complete Course

2020 Launch! Learn how to hack like a pro by a pro. Up to date practical hacking techniques with absolutely no filler.

Created by Heath Adams - Senior Penetration Tester


Students: 172071, Price: $29.99

Welcome to this course on Practical Ethical Hacking.  To enjoy this course, you need nothing but a positive attitude and a desire to learn.  No prior knowledge is required.

In this course, you will learn the practical side of ethical hacking.  Too many courses teach students tools and concepts that are never used in the real world.  In this course, we will focus only on tools and topics that will make you successful as an ethical hacker.  The course is incredibly hands on and will cover many foundational topics.

In this course, we will cover:

  1. A Day in the Life of an Ethical Hacker.  What does an ethical hacker do on a day to day basis?  How much can he or she make?  What type of assessments might an ethical hacker perform?  These questions and more will be answered.

  2. Effective Notekeeping.  An ethical hacker is only as good as the notes he or she keeps.  We will discuss the important tools you can use to keep notes and be successful in the course and in the field.

  3. Networking Refresher.  This section focuses on the concepts of computer networking.  We will discuss common ports and protocols, the OSI model, subnetting, and even walk through a network build using the Cisco CLI.

  4. Introductory Linux.  Every good ethical hacker knows their way around Linux.  This section will introduce you to the basics of Linux and ramp up into building out Bash scripts to automate tasks as the course develops.

  5. Introductory Python.  Most ethical hackers are proficient in a programming language.  This section will introduce you to one of the most commonly used languages among ethical hackers, Python.  You'll learn the ins and outs of Python 3 and by the end, you'll be building your own port scanner and writing exploits in Python.

  6. Hacking Methodology. This section overviews the five stages of hacking, which we will dive deeper into as the course progresses.

  7. Reconnaissance and Information Gathering.  You'll learn how to dig up information on a client using open source intelligence.  Better yet, you'll learn how to extract breached credentials from databases to perform credential stuffing attacks, hunt down subdomains during client engagements, and gather information with Burp Suite.

  8. Scanning and Enumeration.  One of the most important topics in ethical hacking is the art of enumeration.  You'll learn how to hunt down open ports, research for potential vulnerabilities, and learn an assortment of tools needed to perform quality enumeration.

  9. Exploitation Basics.  Here, you'll exploit your first machine!  We'll learn how to use Metasploit to gain access to machines, how to perform manual exploitation using coding, perform brute force and password spraying attacks, and much more.

  10. Mid-Course Capstone.  This section takes everything you have learned so far and challenges you with 10 vulnerable boxes that order in increasing difficulty.  You'll learn how an attacker thinks and learn new tools and thought processes along the way.  Do you have what it takes?

  11. Exploit Development.  This section discusses the topics of buffer overflows.  You will manually write your own code to exploit a vulnerable program and dive deep into registers to understand how overflows work.  This section includes custom script writing with Python 3.

  12. Active Directory.  Did you know that 95% of the Fortune 1000 companies run Active Directory in their environments?  Due to this, Active Directory penetration testing is one of the most important topics you should learn and one of the least taught.  The Active Directory portion of the course focuses on several topics.  You will build out your own Active Directory lab and learn how to exploit it.  Attacks include, but are not limited to: LLMNR poisoning, SMB relays, IPv6 DNS takeovers, pass-the-hash/pass-the-password, token impersonation, kerberoasting, GPP attacks, golden ticket attacks, and much more.  You'll also learn important tools like mimikatz, Bloodhound, and PowerView.  This is not a section to miss!

  13. Post Exploitation.  The fourth and fifth stages of ethical hacking are covered here.  What do we do once we have exploited a machine?  How do we transfer files?  How do we pivot?  What are the best practices for maintaining access and cleaning up?

  14. Web Application Penetration Testing.  In this section, we revisit the art of enumeration and are introduced to several new tools that will make the process easier.  You will also learn how to automate these tools utilizing Bash scripting.  After the enumeration section, the course dives into the OWASP Top 10.  We will discuss attacks and defenses for each of the top 10 and perform walkthroughs using vulnerable web applications.  Topics include: SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfigurations, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging and Monitoring.

  15. Wireless Attacks.  Here, you will learn how to perform wireless attacks against WPA2 and compromise a wireless network in under 5 minutes.

  16. Legal Documentation and Report Writing.  A topic that is hardly ever covered, we will dive into the legal documents you may encounter as a penetration tester, including Statements of Work, Rules of Engagement, Non-Disclosure Agreements, and Master Service Agreements.  We will also discuss report writing.  You will be provided a sample report as well as walked through a report from an actual client assessment.

  17. Career Advice.  The course wraps up with career advice and tips for finding a job in the field.

At the end of this course, you will have a deep understanding of external and internal network penetration testing, wireless penetration testing, and web application penetration testing.  All lessons taught are from a real-world experience and what has been encountered on actual engagements in the field.

Note: This course has been created for educational purposes only.  All attacks shown were done so with given permission.  Please do not attack a host unless you have permission to do so.

Questions & Answers Team Availability and Rules

The Q&A team responds to most questions within 2 business days.  Specific Q&A rules are as follows:

1. Please encourage each other and help each other out. The support team is here to help, but is not staffed 24/7.

2. Support assistance will only be provided for course related material. If you are using a tool or method in your labs that is not taught in the course, it is better asked in Discord on an appropriate channel outside of #course-chat.

3. Avoid spoilers for the mid-course capstone. If you are assisting another user or asking a question related to this section, please try to not provide direct answers/solutions.

4. Be kind to others and be patient. This field consists of patience, self-motivation, self-determination, and lots of Googling. Do not demand help or expect answers. That mindset will not take you far in your career. <3

Website Hacking / Penetration Testing & Bug Bounty Hunting

Become a bug bounty hunter! Hack websites & web applications like black hat hackers and secure them like experts.

Created by Zaid Sabih - Ethical Hacker, Computer Scientist & CEO of zSecurity


Students: 82125, Price: $129.99

Note: The contents of this course are not covered in any of my other courses except for some basics. Although website hacking is covered in one of my other courses, that course only covers the basics where this course dives much deeper in this topic covering more techniques, more vulnerabilities, advanced exploitation, advanced post exploitation, bypassing security and more!

Welcome to this comprehensive course on Website penetration testing. In this course you'll learn website / web applications hacking & Bug Bounty hunting! This course assumes you have NO prior knowledge in hacking, and by the end of it you'll be at a high level, being able to hack & discover bugs in websites like black-hat hackers and secure them like security experts!

This course is highly practical but it won't neglect the theory, first you'll learn how to install the needed software (on Windows, Linux and Mac OS X) and then we'll start with websites basics, the different components that make a website, the technologies used, and then we'll dive into website hacking straight away. From here onwards you'll learn everything by example, by discovering vulnerabilities and exploiting them to hack into websites, so we'll never have any dry boring theoretical lectures.

Before jumping into hacking, you'll first learn how to gather comprehensive information about the target website, then the course is divided into a number of sections, each section covers how to discover, exploit and mitigate a common web application vulnerability, for each vulnerability you will first learn the basic exploitation, then you will learn advanced techniques to bypass security, escalate your privileges, access the database, and even use the hacked websites to hack into other websites on the same server.

All of the vulnerabilities covered here are very common in bug bounty programs, and most of them are part of the OWASP top 10.

You will learn how and why these vulnerabilities are exploitable, how to fix them and what are the right practices to avoid causing them.

Here's a more detailed breakdown of the course content:

1. Information Gathering - In this section you'll learn how to gather information about a target website, you'll learn how to discover its DNS information, the services used, subdomains, un-published directories, sensitive files, user emails, websites on the same server and even the hosting provider. This information is crucial as it increases the chances of being able to successfully gain access to the target website.

2. Discovery, Exploitation & Mitigation - In this section you will learn how to discover, exploit and mitigate a large number of vulnerabilities, this section is divided into a number of sub-sections, each covering a specific vulnerability, firstly you will learn what is that vulnerability and what does it allow us to do, then you will learn how to exploit this vulnerability and bypass security, and finally we will analyse the code causing this vulnerability and see how to fix it, the following vulnerabilities are covered in the course:

  • File upload - This vulnerability allows attackers to upload executable files on the target web server, exploiting these vulnerabilities properly gives you full control over the target website.

  • Code Execution - This vulnerability allows users to execute system code on the target web server, this can be used to execute malicious code and get a reverse shell access which gives the attacker full control over the target web server.

  • Local File Inclusion - This vulnerability can be used to read any file on the target server, so it can be exploited to read sensitive files, we will not stop at that though, you will learn two methods to exploit this vulnerability to get a reverse shell connection which gives you full control over the target web server.

  • Remote File Inclusion - This vulnerability can be used to load remote files, exploiting this vulnerability properly gives you full control over the target web server.

  • SQL Injection - This is one of the most dangerous vulnerabilities, it is everywhere and can be exploited to do all of the things the above vulnerabilities allow us to do and more, so it allows you to login as admin without knowing the password, access the database and get all data stored there such as usernames, passwords, credit cards, etc., read/write files and even get a reverse shell access which gives you full control over the target server!

  • Cross Site Scripting (XSS) - This vulnerability can be used to inject JavaScript code in vulnerable pages, we won't stop at that, you will learn how to steal credentials from users (such as Facebook or YouTube passwords) and even gain full access to their computer.

  • Insecure Session Management - In this section you will learn how to exploit insecure session management in web applications and login to other user accounts without knowing their password, you'll also learn how to discover and exploit CSRF (Cross Site Request Forgery) vulnerabilities to force users to change their password, or submit any request you want.

  • Brute Force & Dictionary Attacks - In this section you will learn what these attacks are, the difference between them and how to launch them, in successful cases you will be able to guess the password for a target user.

3. Post Exploitation - In this section you will learn what you can do with the access you gained by exploiting the above vulnerabilities, you will learn how to convert reverse shell access to a Weevely access and vice versa, you will learn how to execute system commands on the target server, navigate between directories, access other websites on the same server, upload/download files, access the database and even download the whole database to your local machine. You will also learn how to bypass security and do all of that even if you did not have enough permissions!

With this course you get 24/7 support, so if you have any questions you can post them in the Q&A section and we'll respond to you within 15 hours.


  • This course is created for educational purposes only and all the attacks are launched in my own lab or against systems that I have permission to test.

  • This course is totally a product of Zaid Sabih & zSecurity, no other organization is associated with it or a certification exam. Although, you will receive a Course Completion Certification from Udemy, apart from that NO OTHER ORGANIZATION IS INVOLVED.

Applied Ethical Hacking and Rules of Engagement

Gain 40h Empirical Knowledge of Cyber Security, Penetration Testing, Python Hacking & Build up a SIEM with Elastic Stack

Created by Seyed Farshid Miri - Network and Cyber Security Expert


Students: 47281, Price: $19.99

<<< Welcome to the most complete Ethical Hacking and Threat Hunting course available online, where both topics in offensive security, as well as defensive security, are professionally covered. This course includes two crash courses about Linux and Python as well.>>>

The following seven pillars constitute the foundation of this life-changing course:

1- Ethical Hacking
Learn how to think and act like a hacker and work with various techniques and tools to achieve this goal. As an ethical hacker at the end of this course, you will be able to help your customers mitigate various attack vectors and their corresponding details practically based on various security standards and best practices. Also, you will learn how to execute various ethical hacking phases such as Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks, and others.

2- Penetration Testing
Learn how to hack easy to hard real-world simulated virtual machines on HackTheBox Live Hacking! using unique exploits, tactics, and techniques. Learn the art of intrusion with these CTFs (Capture the Flags) which will help you in the future on every real work project.
Also work on pentest methods in web, network, vulnerability assessment workflows, and “Defense in Depth” best practices which will help you hack like black-hat hackers, defend or secure them like security experts and harden your corporate environment against malicious actors.

3- Red-Teaming techniques and tactics

Learn beginner to advanced pentesting techniques. Learn how to think and act like threat actors to stop them at various phases of the attack life cycle.
MITRE ATT&CK Framework: reconnaissance, initial foothold, lateral movement, privilege escalation, command and control, active directory attacks, Linux, and Mac OS X malware and attack techniques.
Learn scripting languages for the Cobalt Strike Framework and other red-team engagement frameworks to perform development and operations on them.
Learn how to develop your C2 infrastructure to avoid detection by blue teams and SOCs during red team operations.

4- Elastic Stack Wazuh Manager (SIEM)
Learn how to set up a complete SIEM (Security Information and Event Management) using Elastic Stack (formerly ELK Stack) using Wazuh Manager. Also, learn how to ingest various log formats from different log sources such as Linux and Windows servers, Fortigate firewall appliances, and so on. You will learn how to activate different functionalities (capabilities) of the Wazuh manager such as vulnerability monitoring, File Integrity Monitoring, CIS Hardening Benchmark Monitoring, and much more. Also, you will learn how the underlying decoders and rules are programmed to detect an unlimited amount of security events across an enterprise network.

5- Threat Hunting (Blue-Teaming)
There is a complete section for threat hunting where you put what you've learned into work and run attacks such as Spawn Session and Process Injection, ShellShock, MSHTA, Brute-Force, Mimikatz, and so on from your Parrot OS and detect them with your SIEM tool that you've set up and completely configured during the course. During this section, you get familiar with how different IoC (Indication of Compromise) will appear in your SIEM tool.

6- Python Scripting for Security
Learn how to create scripts and programs to do what you want whenever you are required to, from small scripts that are needed during pentest to more sophisticated ones during Red Team Ops. There is a crash course about Python basics included in this course to promote you in this must-know language field.

7- Linux (Kali Linux and Parrot OS)
Linux runs the world, especially when it comes to the cybersecurity world. There is a crash course about Linux basics in this course. However, during this course and after many hours of exciting hands-on practices on the different offensive and defensive security methods you will become a Linux expert at the level of a cybersecurity expert. You will learn Kali Linux and Parrot OS as the main Linux distros used in this course.


Here is an overview of the main content of the course:

  • Sections 1 to 3 are for introduction and preparation. Here you set up your offensive lab and will learn the basics of Linux to get prepared for the ethical hacking sections. You will also install Kali Linux and Microsoft Visual Studio Code as your main IDE (Integrated development environment). Then you move on to create your vulnerable labs such as DVWA, bWAPP, WebGoat, and so on. Also, you will do your first capture-the-flag (CTF) and create your HTB (HackTheBox dot com) account if you haven't before.

  • You will start your professional white hat hacking training from sections 4 to 10. Here you will learn a broad range of hacking tools, attack vectors, techniques, and procedures. They start from Reconnaissance, enumeration, vulnerability scanning to exploitation, post-exploitation, password cracking. You will continue with network attacks (wired and wireless), social engineering attacks, Web applications attacks (OWASP Top 10), and much more.

  • You'll take your second crash course in Python in section 11. Here you learn Python geared towards IT Security and Hacking purposes.

  • Now you have earned all the requirements, a professional hacker needs in the pentesting battlefield. In section 12, you get to know the interesting world of CTFs (Capture the Flags), especially on HackTheBox dot com and will hack 8 machines:
    3 Easy machines: BLUE, DEVEL, NETMON
    1 Hard: CONTROL
    By the end of this section, you are an ethical hacker who feels incredibly confident with penetration testing in different hacking scenarios.

  • Everything is standardized in modern times. Giving a break to practical hacking, in section 13 you will learn the must-know security standards such as MITRE, OWASP, PTES, OSSTMM and their terminologies as well as methodologies in the IT Security field.

  • We did everything up to here to be a great Red Teamer, here you learn how to use all that practical ethical hacking techniques along with MITRE ATT&CK Tactics, Techniques, and Procedures to conduct a comprehensive Red Teaming assessment on your customers. In section 14 you will learn how to work based on various MITRE TTPs with a powerful Red Teaming Framework. You will also learn how to customize your C2 to be like what you want and also learn how to do various operations with it.

  • More than half of today's APTs (Advanced Persistent Threats) are experts on active directory attacks and you as an ethical hacker or Red Teamer should also know how to do that and report vulnerabilities to your customers. In section 15 you will learn how to configure AD, create a vulnerable AD lab and perform some of the most important attacks in this category. Having this category of attacks in a separate section is because of the importance and amount of common attacks by APTs on this module in the victim’s environment.

  • In section 16 we tried to cover every tactic, its corresponding technique, and also the procedures behind it standardized by MITRE ATT&CK all in one. We will study most of the operations done by threat actors and APTs. Their TTPs are covered line by line and in near future, with some updates, we are going to practice every technique after its explanations. Also, most of these TTPs are covered during the course without knowing what category of TTPs it is. It is really important to stick to MITRE ATT&CK and that’s why we put a small section on it.

  • Up to section 17, you finished your pythonic offensive security with all possible aspects. Now you are a professional and ethical hacker. From this section on, you start your defensive security journey, where the focus is mainly on defense against offensive techniques and tactics you've learned up until here. In this section, you learn terminologies and methodologies such as "Defense in Depth" on the defensive side, where the SIEM tool is in the center of attention.

  • In section 18 you start building up your fully customized Linux-based and 100% open source SIEM tool using Elastic-Stack and Wazuh Manager (The Open Source Security Platform). In this section, you set up Wazuh Manager Server, Open Distro for Elasticsearch, Filebeat, and Kibana.

  • Then in section 19, you move on to endpoints such as Windows and Linux Servers, Windows 10, and Fortigate firewall appliance, to integrate these different log sources into your ELK-Stack SIEM server. Also, you will learn how you can roll out authenticated Wazuh agents on a network of Windows machines using Domain GPOs in an automated form.

  • Section 20 covers index management in Elasticsearch where the life cycle of the indexes will be managed. In this lecture, you will learn how to manage your accumulated alerts in your Elastic Stack to improve your server disks and storage.

  • In section 21 you will extend your configured SIEM with its capabilities such as File Integrity Monitoring (FIM), Linux Syscalls monitoring, Enterprise continuous vulnerability monitoring, CIS Hardening Benchmarks (SCA), Windows Defender, and Sysinternals Sysmon Eventchannel.

  • How one can create new alerts out of ingested logs in Wazuh Manager is the topic of section 22. In this section, you will learn how decoders and rules are constructed behind the scenes and how you can create your own custom decoders and rules for your own requirements.

  • And finally, you will finish this course with hunting IoCs (threat hunting) in your fully customized SIEM. In section 23, you will run some of the attacks you have learned during the course such as Mimikatz, HTA, Brute Force, etc. from your Cobalt Strike on your Parrot OS against your endpoints (Wazuh agents) and you will examine generated alerts for these specific security events.



  • This course is created for educational purposes only, all the attacks are launched in our own lab or against online Lab systems that are legally permitted to run tests against them.

  • This course is totally a product of the two instructors of this course and no other organization is associated with it. Although, you will receive a Course Completion Certification from Udemy, apart from that NO OTHER ORGANISATION IS INVOLVED.

Practical Ethical Hacking for Beginners

Learn practical skills for ethical hacking & penetration testing with this comprehensive course, no experience necessary

Created by Experts with David Bombal - Experts helping you become an expert.


Students: 43556, Price: $19.99

This course is for anyone interested in becoming an ethical hacker, no matter your current skill level. The curriculum is designed for absolute beginners interested in a career as a security professional, beginning with the absolute basics of penetration testing, and progressing to advanced topics and techniques. Get started today in your Ethical Hacking career.

The goal of ethical hacking is to find security vulnerabilities in an organization’s digital systems and networks. The best way to test the security of this infrastructure is to attempt to break in through penetration testing techniques. The increasing amount of high-profile cyber incidents continues to emphasize the need for individuals with these skills, with job demand projected to continue at an exponential rate.

The techniques shown here leverage free tools which are explained throughout the course, including instructions for creating your own home lab for practice and study. One of the primary tools you will become familiar with is Kali Linux, which is a Debian-based Linux distribution aimed at penetration testing and security auditing.

This course explores the following topics and more:

-  Networking Basics

-  Creating a Virtual Lab

-  Kali Linux Tools for Penetration Testing

-  Linux Basics

-  Python Basics

-  Penetration Testing Methodology

-  Legal Considerations

-  Report Writing

-  Passive and Active Reconnaissance

-  Scanning and Enumeration

-  Reverse and Bind Shell

-  Automated Payloads and Exploitation

-  Brute Force Attacks

-  Credential Stuffing

-  Password Spraying

-  Tips for Maintaining Access and Covering Tracks

-  Web Server Vulnerabilities

-  Wi-Fi Hacking

Web Application Security for Absolute Beginners (no coding!)

OWASP top 10 common cyber security attacks! Stop hackers, manage web application security and apply security principles!

Created by Soerin Bipat - Teacher, PhD candidate, Security consultant and Entrepreneur


Students: 17982, Price: $124.99

[UPDATED in 2021]
Within 1.5 hours you will understand web application security without having to code. This course will jumpstart your security career.

I will teach you the 10 most common threats identified by the Open Web Application Security Project (OWASP). At the end of the course you will learn:
1) what the OWASP top 10 threats are,
2) the impact per security threat for your business,
3) how these security threats can be executed by attackers / pentesters / hackers,
4) how these security threats can be mitigated.

You will be able to understand the above-mentioned points without having to understand code...
For your convenience I've combined the OWASP 2017 and OWASP 2013 top 10 list into a single list of 10 common web application security threats.

How is that possible?
The threats are explained conceptually, since the implementation of a threat may differ per situation. Therefore, having a general understanding of the security threats, their implications and potential solutions will provide you with the essential knowledge to mitigate the impact of these web application security threats. Hence, no security coding or security testing experience is needed.

So, after following this course am I able to develop code-based solutions for the top 10 threats? 
No. This course will teach you the basic concepts behind the 10 most common web application security threats so that you can critically question and discuss these security issues with software/operational engineers.

Uhm, after following this course I'm a full-fledged security expert, right?
Depends on the knowledge of the person that is judging your expertise. Most likely this won't be the case.  

What!?! Why should I enroll?
Only enroll when you are new to secure coding, secure web development and want a complete beginners’ perspective on web application security. This course is specifically developed for:

- (Project) managers that lead software projects, but have no clue how software engineers could mitigate potential security issues 
- Recruiters hiring software engineers
- Software engineers that want to refresh their knowledge on web application security and secure coding principles
- Beginning red team, blue team, yellow and purple team members, hackers, or penetration testers
- Anyone interested in the basics of web application security or OWASP top 10 explained in layman’s terms

Ok, but there is already a lot of information on OWASP available on the web. So, what’s in it for me?
I thought you would never ask! This course differentiates itself from existing available information because:
- Existing OWASP documentation is technical and therefore difficult to comprehend (I'll include some examples of technical documents as resources that you may download).
- Unlike most other courses, you may actually claim 1 Continuing Professional Education (CPE) after finishing this course completely
- I'll update this course with new videos on request or as significant security issues surface that have important implications for managers. Thus, over time this course may become your one-stop security education! 
- I've included lots of documents that explain detailed mitigation strategies. Please note that these documents contain code and are therefore more suited for people that are implementing or testing security fixes.  
- I've included lots of links to websites that provide comprehensive background information. 
- That's not it, there is more...   

BONUS Material:
- Defense in depth. This is one of the basic security principles.
- Basic explanation of STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege). I've also added privacy by design resources in this course. This means both security by design and privacy by design!
- Overview of a secure software development process. Build security into your delivery process.
- Frequently asked questions. Ask a security question and I'll answer it with a video.

Why include bonus material, is the main course not exciting enough?
Again, excellent question! Getting security right goes well beyond web application security. With the bonus material, I would like to inform you about the complementary measures that should be taken into account.

I’m fully convinced of the benefits, but I don’t see why I should learn all this from you.
True, let me explain by giving you an overview of my experience:
- Chief Information Security Officer (present). Managing Security, Privacy and Quality professionals. Responsible for implementing and maintaining a well balanced organisational risk posture;
- Security and privacy operations manager (2 years). Acting as a security liaison on strategic accounts, I monitor the security of 2500+ workstations, 500+ servers and 10+ firewalls and routers, report on the operational security status of European and Dutch law and integrate intelligence results from AVDS, Check Point, Nagios, Nessus, Palo Alto Traps, SCCM, SCEP, SEP, SCOM and SIEM;
- Part-time PhD Candidate (7 years - present). I read the science, you'll get the knowledge! What more do you want?
- Software quality consultant (6,5 years). I've advised many managers of large / small IT projects on various software related aspects; 
- IT auditor (1 year). I have closely worked with accountants and audited large governmental IT projects; 
- Quality assurance engineer (3 years). I have implemented large IT systems for large companies. 

You can find more details on LinkedIn or on my profile.

Go ahead and click the enroll button, and I'll see you in lesson 1!


OWASP Top 10 2017: Exploit and Mitigation

Web Application Pentesting and Mitigations

Created by Nayan Das - Instructor at Udemy


Students: 10796, Price: $19.99

We will be looking at the OWASP Top 10 web attacks 2017. Students are going to understand each attack by practicing them on their own with the help of this course. We will use Mutillidae 2 Vulnerable Web Application for all attack practice. We will start from setting up the lab to exploiting each vulnerability.

This course focuses not just on attacks but also helps you understand the mitigations for each vulnerability.

Students will understand the mitigations through Secure Source Codes and Best Practices provided in this course that should be followed by the developers to protect their web application from these vulnerabilities.

Web Security and Hacking for Beginners

One Month Web Security

Created by One Month - Learn to code in 30 days


Students: 9724, Price: $29.99

By the end of One Month Web Security, you will be able to review your own applications for security issues and ensure the code is properly hardened against malicious attacks. You will also be able to design new applications with security in mind, significantly lowering the risk and cost associated with deploying new applications.

Uncle Rat’s Bug Bounty Guide

Take the leap from practice platform to bug bounty target

Created by Wesley Thijs - I am the XSS Rat


Students: 8133, Price: $89.99


I cannot promise this course will find you bugs. I can promise I will leave you with a solid methodology that's netted me a few nice extra monthly salaries. This method is not guaranteed to work for you. You will need to adapt. You will need to work.

If any course promises you that they WILL find you bugs, run as fast as you can.


My name is Uncle Rat and I am here to help you take the next step. I am not here to hold your hand, I am here to push you over the edge. You've been practicing on practice platforms for long enough now, don't you think? It's time.

I will provide you with a solid methodology to build upon. I don't want you to follow in my footsteps, I want you to write your own legend. This is, after all, the place where legends are born.

Every chapter has at least a video file with slides to download and, where applicable, a full-text PDF with extra information. All extras like cheat sheets are separately downloadable for your comfort.

- The XSS Rat

CAT 'goals.txt'

I can hack, but I can only hack one target at a time. My passion is teaching, so why not hit two birds with one stone?

I created this course because I strongly believe that if I hack 1 target I am just me, but if I train 1000 hackers, we are an army.

This is my goal: I want to make the internet a safer place, but I can't do it alone.

The OWASP top 10 demystified

A practical guide for ethical hackers, developers and software testers to the 10 most prevalent security defects of 2017

Created by Wesley Thijs - I am the XSS Rat


Students: 4892, Price: $89.99

Who am I?

I am The XSS Rat, also known as Wesley. I created infosec tutorials and courses in a unique way. It's my opinion that a teacher should be able to bring knowledge in an inspirational way but also make sure that knowledge is retained. This is a very unique challenge requiring out-of-the-box thinking. My courses never just consist of a video or video + PDF only format. Courses should be interactive and not just boring reads of PowerPoint slides.

Who is this course for?

This course is for everyone who needs to work with the OWASP top 10 but found the guide made by OWASP hard to apply or understand, like me. I have created this course after performing deep research on all the mentioned topics and learning how to apply these techniques. On several topics we will provide hack-along videos to make the topics covered visual, which allows for a better understanding and means you don't need an extreme level of knowledge to get started with this wonderful list.

Even though we have done everything in our power to make this course as beginner-friendly as possible, a basic understanding of web applications is needed, such as HTTP(S) methods like GET and POST and what is meant by a parameter.


- A video and PDF covering every topic in the OWASP top 10 as seen from the perspective of testers, developers and managers

- Extra content on several topics where applicable

- Hack-along demo videos demonstrating several vulnerability types where applicable

Complete Ethical Hacking & Penetration Testing for Web Apps

Learn OWASP TOP 10 Vulnerability Categories and the Defenses and Fixes for them. Covering all the popular hacking types

Created by Abhilash Nelson - Computer Engineering Master & Senior Programmer at Dubai


Students: 4797, Price: $89.99

Hello and welcome to Web Based Ethical Hacking and Penetration Testing for Beginners. This course is an introduction to your career as a web security expert.

The internet is all around us. We have been using the facilities of the internet for a long while, and as the internet came in, the cyber-security threat also started to appear. You can hear stories of cyber-attacks day by day in newspapers and the media.

As the facilities, the ease and the comfort of using internet-based applications have grown, whether it is a web application or a mobile application using a cloud-based API, the chances of a cyber attack have also increased. They have increased to such a level that we cannot even predict what happens the next day, because hackers are always alert and vigilant, and they are looking for a loophole to get into an application and steal your information.

Like the saying "A person who knows how to break a lock can make a good lock!", because he knows the vulnerabilities, he knows the loopholes, and that person can build a good secure application, or he can guide the developer to build a good application which is almost secure and does not have the loopholes that have already been discovered.

So as cyber security professionals or cyber security enthusiasts, we will deal with the OWASP Top 10 vulnerabilities. OWASP is a community-based project, the Open Web Application Security Project. Periodically they update their list of vulnerabilities. And in this Top 10 list of vulnerabilities we will have a subset of other vulnerabilities which come under these top 10. So we will cover almost 30 kinds of the most popular vulnerabilities in this course, and these are the common vulnerabilities currently found in the cyber world.

Once you get hold of these 30 vulnerabilities, you will have enough confidence to test a web application, a cloud-based application, an API-based application, or a mobile application which is using a cloud-based API. In every session I am giving you the mitigations, the defensive mechanisms that we can follow to avoid the vulnerability discussed in that particular session. So you will be able to suggest the defensive measures to the programmer or developer who is developing the web application.

Please make sure you are using these techniques only for Penetration Testing and Ethical Hacking, and please do not use them for any illegal purpose or any other unethical kind of thing.

Cyber-security and Penetration Testing is a very lucrative career. This course is intended for Cyber Security beginners with an overview of basic web coding who are interested in coming into the cyber security world, and also for existing Testers who are willing to go into Penetration Testing. People who are interested in Ethical Hacking can also do this course.

In this course, we will be concentrating mainly on how Penetration Testing can be done on web-based applications. It can also be used for mobile-based applications, because most mobile applications communicate with a cloud-based API. The security of this API is actually the security of the mobile application which is using it. And by the end of this course, we will provide you with a course completion certificate on demand, which you can include in your resume, and it will give very high value to your current profile.

I promise that you are going to have a really thrilling experience doing Penetration Testing and Ethical Hacking. So see you soon in the classroom.

Secure Product Lifecycle 101

Fundamental security concepts, principles, tools and techniques for the development lifecycle

Created by Implementing Security - Cybersecurity leader and instructor


Students: 2025, Price: $49.99

This course is a comprehensive introduction to the foundations of secure development that's aimed at anyone with an interest in application security and securing the SDLC. Secure Product Lifecycle 101 provides a broad knowledge of security best-practice as it relates to development work - which will lead to an understanding of how to create more secure, reliable, and robust products end-to-end. This course covers the OWASP Top 10, secure design principles, security techniques, risk management, and a range of security tools: leading to familiarity and understanding of how security can be embedded into the development lifecycle.

Full Ethical Hacking Course

Learn all about ethical hacking and penetration testing.

Created by Loi Liang Yang - Ethical Hacker | Penetration Tester


Students: 1641, Price: $89.99

An introduction to cyber-security and ethical hacking platforms. Learn from the top ethical hacker and penetration testing instructor, Loi Liang Yang, who has over 200,000 subscribers across the globe with more than 5 million views on his security content.

Introduction to cyber-security

  • Cyber-attack chain

  • Reconnaissance

  • Weaponization

  • Delivery

  • Exploitation

  • Installation

  • Command and Control

  • Actions on Objective

Virtualization on VirtualBox

  • Kali Linux

  • Install, deploy and run Kali Linux

  • Installation and deployment of vulnerable server for testing


Information gathering

Assess security vulnerabilities

Scanning engines

  • Nmap scanning

Search engine scanners

Internet scanners

  • Google search engine

Open source intelligence

  • Recon-ng scanning

Security standards

Center for Internet Security (CIS)

Hardening checks for systems


Metasploit framework for ethical hacking

  • Basic commands and usage

  • Module exploration

  • Search for vulnerabilities from scanning results

  • Exploitation of systems

  • Post-exploitation for privilege escalation and scanning

Security hardening and configuration

Social engineering

  • Dark Web with Tor

    • Hacking groups and forums

  • Wireless security assessment with WiFi PineApple

    • Wireless vulnerabilities

  • Social Engineering Toolkit (SET) attacks

  • Direct attacks into Windows 10 with Macros and PowerShell

Web, application and database vulnerabilities

Open Web Application Security Project (OWASP) top 10

  • Injection

  • Broken authentication

  • Sensitive data exposure

  • XML External Entities

  • Broken access control

  • Security misconfiguration

  • Cross-Site Scripting

  • Insecure Deserialization

  • Using components with known vulnerabilities

  • Insufficient logging and monitoring

Full SQLMAP tutorial for web penetration testing

BurpSuite tutorial for manual injection on web penetration testing

Payload testing with custom load

Creation of payload

  • Payloads package on injection

  • Fully undetected payloads

  • Buffer overflow for shell

Come join the thousands of students who have learned from the top ethical hacking and penetration testing instructor, Loi Liang Yang, now!

OWASP Proactive Controls

OWASP Proactive Controls

Created by Stone River eLearning - 500,000+ Happy Udemy Students


Students: 1022, Price: $89.99

The OWASP: Proactive Controls course is part of a series of training courses on the Open Web Application Security Project (OWASP). The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. They are ordered by importance, with control number 1 being the most important. This training assists developers who are new to secure development in ensuring application security.

The OWASP Foundation was established with a purpose to secure the applications in such a way that they can be conceived, developed, acquired, operated, and maintained in a trusted way. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. This course along with the other courses in the series on OWASP provides a basic overview of the concepts that form an integral part of the OWASP core values.

PenTesting with OWASP ZAP: Mastery course

Master Security Testing with OWASP ZAP | Pentest web applications effectively

Created by Atul Tiwari - Ethical hacker | Security Evangelist | Penetration Tester


Students: 865, Price: $19.99

[+] Course at a glance

Welcome to this course, "PenTesting with OWASP ZAP", a fine-grained course that enables you to test web applications: automated testing, manual testing, fuzzing web applications, bug hunting and complete web assessment using ZAP. It is focused on ease of use and on the special abilities to take down the web applications in which most tools will leave you with unnoticed or untouched critical vulnerabilities; then ZAP comes to the rescue and does the rest of what other tools cannot find.

"This course is completely focused over pen testing web applications with ZAP"

ZAP is a fine-grained tool that every penetration tester, hacker and developer must have in their arsenal, and hence it requires a solid understanding and thorough training to perform security testing from its core. ZAP can work with and integrate with many tools in the hacking and penetration testing segment, such as SQLmap, nmap, Burp Suite, Nikto and every tool inside Kali Linux. Invoking it with Burp gives much flexibility to combine the power of ZAP and Burp Suite at the same time and in complete order.

[+] Some special features of the ZAP

  • Quick start using “point and shoot”

  • Intercepting proxy with linked browser

  • Proxying through ZAP, then scanning

  • Manual testing with automated testing

  • ZAP HUD mode, to test apps and attack in a single page

  • Attack modes for different use cases.

  • Active scanning with passive scanning

  • Requester for Manual testing

  • Plug-n-hack support

  • Can be easily integrated into CI/CD

  • Powerful REST based API

  • Traditional AJAX spider

  • Support for the wide range of scripting languages

  • Smart card support

  • Port scanning

  • Parameter analysis

  • Invoking and using other apps, e.g. Burp Suite

  • Session management

  • Anti-CSRF token handling

  • Dynamic SSL certificates support

And much more...

[+] Course materials

  • Offline access to read PDF slides

  • 8+ hours of video lessons

  • Self-paced HTML/Flash

  • PDF slides

[+] Below are the vulnerabilities that ZAP tests a web application and web server for when hunting for loopholes

Path Traversal, Remote File Inclusion, Source Code Disclosure - /WEB-INF folder, Server Side Include, Cross Site Scripting (Reflected)

Cross Site Scripting (Persistent) - Prime, Cross Site Scripting (Persistent) - Spider, Cross Site Scripting (Persistent), SQL Injection

Server Side Code Injection, Remote OS Command Injection, Directory Browsing, External Redirect, Buffer Overflow Medium

Format String Error, CRLF Injection Medium, Parameter Tampering, Script Active Scan Rules, Remote Code Execution - Shell Shock

Anti CSRF Tokens Scanner, Heartbleed OpenSSL Vulnerability, Cross-Domain Misconfiguration, Source Code Disclosure - CVE-2012-1823

Remote Code Execution - CVE-2012-1823, Session Fixation, SQL Injection - MySQL, SQL Injection - Hypersonic SQL, SQL Injection - Oracle

SQL Injection - PostgreSQL, Advanced SQL Injection, XPath Injection, XML External Entity Attack, Generic Padding Oracle

Expression Language Injection, Source Code Disclosure - SVN, Backup File Disclosure, Integer Overflow Error, Insecure HTTP Method

HTTP Parameter Pollution scanner, Possible Username Enumeration, Source Code Disclosure - Git, Source Code Disclosure - File Inclusion

Httpoxy - Proxy Header Misuse, LDAP Injection, SQL Injection - SQLite, Cross Site Scripting (DOM Based), SQL Injection - MsSQL

Example Active Scanner: Denial of Service, An example active scan rule which loads data from a file, Cloud Metadata Potentially Exposed

Relative Path Confusion, Apache Range Header DoS, User Agent Fuzzer, HTTP Only Site, Proxy Disclosure, ELMAH Information Leak

Trace.axd Information, .htaccess Information, .env Information Leak, XSLT Injection.


OWASP: Threats Fundamentals

OWASP: Threats Fundamentals

Created by Stone River eLearning - 500,000+ Happy Udemy Students


Students: 810, Price: $89.99

The OWASP: Threats Fundamentals course is part of a series of training courses on the Open Web Application Security Project (OWASP). This course covers the fundamental concepts and techniques to identify different types of threats. The course also teaches the students to improve the security by avoiding misconfigurations, data exposure and insecure cryptography.

The OWASP Foundation was established with a purpose to secure the applications in such a way that they can be conceived, developed, acquired, operated, and maintained in a trusted way. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. This course along with the other courses in the series on OWASP provides a basic overview of the concepts that form an integral part of the OWASP core values.

Ultimate Guide to Web Application Security OWASP Top Attacks

Master Top Techniques Used by Hackers, Get Hands-on Practical Exercises to "Know the Enemy" and Secure Your Apps.

Created by Taoufik Znibae - Cyber Security Expert and Researcher


Students: 180, Price: $89.99

*** Continuously Updated ***

Welcome to "Ultimate Guide to Web Application Security OWASP Top Attacks"

In this course, we will explore together the most common attacks against web applications, referred to as OWASP TOP 10, and learn how to exploit these vulnerabilities so that you have a solid background in order to protect your assets. You will:

- Discover OWASP Top attacks and how they are performed and the tricks and techniques related to them.

- Do extensive exercises on DVWA (Damn Vulnerable Web Application) and OWASP BWA (Broken Web Applications) to see in actual practice how to attack live systems and what goes on behind the scenes.

- Learn to get information about a target domain and search for potential victims.

- See the tools most used by hackers of all levels grouped in one place; the Kali Linux distribution.

- Code some of your own scripts to get you started with advanced penetration, where you will need to forge your own tools.

DISCLAIMER: This course is for educational purposes only. Use at your own risk. You must have an explicit authorization to use these techniques and similar ones on assets not owned by you. The author holds no legal responsibility whatsoever for any unlawful usage leveraging the techniques and methods described in this course.

If you like the course, please give a rating and recommend it to your friends.

Website Security: ASP.Net Web Cybersecurity, OWASP Top 10+

Learn to Identify and Mitigate Common Web Application Vulnerabilities in ASP.Net Core and Develop Secure Applications

Created by Chuck McCullough - Software Engineer


Students: 89, Price: $19.99

Every day we hear news of yet another breach of some organization's data. Many of these result in huge costs to the organization; some have even gone out of business as a result. The Payment Card Industry (PCI) as well as many other international and local regulations require some level of security awareness for developers. This course was designed specifically to increase the awareness of security flaws in code.

Students will learn the OWASP top 10 as well as software engineering practices that lead to a more secure development work product through many hands-on exercises complete with instruction and source code.

  • Security in the software development lifecycle

  • Injection Flaws - SQL Injection, XPath Injection, cmd Injection and more

  • Broken Authentication - learn to use Identity to avoid authentication flaws

  • XML External Entities

  • Sensitive Data Exposure

  • Security Misconfiguration

  • Broken Access Control - prevent direct object references

  • Cross Site Scripting

  • Insecure object deserialization

  • Using components with known vulnerabilities

  • Insufficient Logging and Monitoring

  • Other issues - CSRF, Validation

  • Securing the business tier

Secure by default

Learn to build applications that are secure by default. Following the best practices of software development not only provides great results in a cost-efficient way, but also enhances the security posture of the application. Hands-on labs demonstrate these concepts.

This course has been presented to thousands of developers over the last 2 decades with great success. Evolving the course to keep up with today's challenges and technologies is a primary goal for us. Join expert developer Chuck McCullough for this course on web security.

OWASP – ZAP : Penetration Testing & Website Hacking

Learn all about web application penetration testing and website hacking.

Created by Sagar Raghuwan - Ethical Hacker & Penetration Tester


Students: 46, Price: $19.99

Welcome to my course Penetration Testing & Website Hacking.

This course covers web application attacks and how to learn bug bounties. There is no prerequisite of prior hacking knowledge and you will be able to perform web attacks and hunt bugs on live websites and secure them.

This course is not like other hacking or penetration testing courses with outdated vulnerabilities and only lab attacks. It contains the maximum of live websites to make you comfortable with the live hunting environment.

This course will start from the basic principles of each vulnerability and how to attack them using multiple bypass techniques. In addition to exploitation, you will also learn how to fix them.

"This course is completely focused over pen testing web applications with ZAP"

ZAP is a fine-grained tool that every penetration tester, hacker and developer must have in their arsenal, and hence it requires a solid understanding and thorough training to perform security testing from its core. ZAP can work with and integrate with many tools in the hacking and penetration testing segment, such as SQLmap, nmap, Burp Suite, Nikto and every tool inside Kali Linux. Invoking it with Burp gives much flexibility to combine the power of ZAP and Burp Suite at the same time and in complete order.

A Complete Beginner Guide To Web Application Security

Learn all the top 10 web application security risks under the OWASP Top 10 with practical examples!

Created by The Cyber Security Academy - Cyber Security Practitioner


Students: 9, Price: $19.99

This course covers the top 10 web application security risks faced by the World Wide Web as identified under the Open Web Application Security Project (OWASP). 

During the course, you will learn all you need to know about the security risks through well-structured, bite-sized videos.

At the end of the course, you should be able to easily answer the below questions:

  • What are the top 10 web application security risks?

  • Describe what each risk is about

  • How each risk can threaten and impact organisations

  • How do attackers exploit the risks and execute their attacks

  • How to mitigate or manage each risk 

OWASP: Avoiding Hacker Tricks Training

OWASP: Avoiding Hacker Tricks Training

Created by InfoSec Academy


Students: 7, Price: $19.99

The OWASP: Avoiding Hacker Tricks course is part of a series of Open Web Application Security Project (OWASP) training courses. This course covers the basic concepts and techniques to avoid hacking and to protect the environment from all kinds of internal and external threats. The course also discusses briefly the types of attacks that an application may face in its lifecycle.