If you’ve been into the penetration testing/ethical hacking scene for any length of time, you’re undoubtedly familiar with the field of web application pentesting. Though most professionals have a solid foundation in this area and encounter it all the time, it tends to be viewed as a specialization. What if you’re not an expert yet but you want to get closer to that goal? You could shell out a bunch of cash on a course, or a bunch of time and effort on finding and configuring vulnerable apps in your VM, or you could also just check out https://www.pentesterlab.com and avoid both of these hassles. If you haven’t guessed, I’m a fan, and in this article I plan to tell you why.

Hey look, it’s the homepage.

Before I get going I just want to mention that I am not in any way endorsed by or affiliated with Pentesterlab and this review is born only from my own experience with it during my time studying for the OSCP certification. Alright, we good?

What even is Pentesterlab?

It is a lab for pentesters. What’s more, it’s a lab specifically built for learning the art of web application pentesting and focuses almost exclusively on it, with one notable exception which I’ll get to later on. It’s not a simple lab sandbox environment or CTF in the vein of something like HacktheBox, but actually guides you through a whole lot of different concepts in web app pentesting, via written coursework and videos, from your basic SQL injections all the way to advanced concepts that I won’t pretend to have a grasp of yet. The creators frequently update the content to cover newly discovered vulnerabilities and techniques as well, so even if you activate God mode and get through everything, if you stick around there will always be more to come.

What are the courses like?

If you sign up for one of their very affordable pro subscriptions (as low as $34.99 for three months with a student email address at the time of this writing), you get instant access to every bit of material on the site. Did I mention there’s a lot? Pentesterlab currently hosts 14 increasingly different and varying “badges” that you can earn. These badges function as organizational units of related materials that build upon themselves progressively and in a coherent manner. The “Essential Badge”, one of the foundational units in the series, covers the most common web application vulnerabilities in increasingly complex steps. This badge, for example, starts with a series of five authentication vulnerabilities, followed by a series of six authorization vulnerabilities, followed by nine code execution vulnerabilities, followed by… yeah, this continues for quite a while, and that’s just one badge!

The first step of the Essential Badge unit. I’m so authenticated right now.

As I touched on earlier, each step of each badge comes with accompanying written course material for the subject and a fairly brief video demonstration showing how to exploit the vulnerability. This comes in very handy for when you inevitably get a little stuck on something. One of the big benefits of the exercises, in my opinion, is that almost all of them can be done right in the browser. No downloading VMs, no downloading and configuring vulnerable apps yourself. The exercises for each topic are accessed by a given link and have an objective based on whatever topic you are studying. Typically, this is exploiting a vulnerability to obtain a flag which is then used as proof that you passed the lesson. There’s nothing stopping you from moving on if you aren’t able to get the flag; it just won’t mark the topic as complete and it won’t count toward you earning the associated badge.

Oh, well that sounds painless.

If you aren’t ready to jump into the exercises quite yet and want to learn some of the foundational knowledge that you will need to get the most out of the coursework, Pentesterlab provides a “Bootcamp” section to get you started. Though most of this is not original content and simply links to Wikipedia and other external sources, it’s really convenient to have everything laid out in a cohesive manner so you know where to go and how to progress.

Don’t know what you don’t know? Bootcamp can help.

What could have been better?

As much as I really do love the site, it’s not perfect and there are some things that I feel could and should have been done a bit better. One of the first issues I came across was inconsistent audio quality and volume in the video demonstrations. Sometimes I’d have to crank up the volume all the way and still struggle to hear. Other times, I’d get blasted out of my chair, though that was much less frequent. I also feel like the Bootcamp section was a bit of a wasted opportunity to provide more quality course material for beginners. Wikipedia articles don’t tend to be the best at explaining difficult concepts to people. This was largely noticeable due to the contrast with the higher quality course materials created by Pentesterlab on the rest of the site.

Conclusion

Pentesterlab won’t make you an expert. You won’t walk away writing zero-day web app exploits during your morning commute, but I have yet to find a better entry point for learning web application pentesting than this. Despite its relatively minor flaws, I really can’t recommend it highly enough for anyone with modest technical knowledge and a desire to learn more about this always-in-demand field. If you’re a current or future OSCP student, I’d recommend it doubly so as a supplement to the PWK course materials on web apps, which only just scratch the surface of what Pentesterlab offers in this realm.

I appreciate that you’re still reading my blog, but now you should go sign up for Pentesterlab.com.