So, if you are a beginner, or even an intermediate pentester, this post will be of interest to you, since I will give you the best sources to get started.

This post is deliberately simplified, so the reader can go straight to the linked sources. I could give my opinion and knowledge of every tool, but it would take me hours to write, and that is not the idea of the post.

So, let's get straight to the point:

Minimum requirements before starting:

PHP language (to understand vulnerabilities in whitebox scenarios)

Basic knowledge of Linux (this helps you understand LFI to RCE, etc.)

WordPress AJAX file interaction (very important for understanding how WordPress vulnerabilities work)

Best tools for web hacking:

Burp Suite — To analyze website requests

sqlmap — For SQL injection

Ghauri — Alternative to sqlmap to bypass

Meld — This tool helps you with patch diffing

WPScan — To scan WordPress plugins & themes

Fuzzing tools like gobuster/dirbuster/dirsearch — Use whichever one you prefer

Top vulnerabilities that I recommend studying:

SQL Injection

Cross Site Scripting

Local File Inclusion

Remote File Inclusion

Business Logic Vulnerabilities

API Vulnerabilities

OAuth Broken Authentication

File Upload Vulnerabilities

Server-Side Request Forgery

Cross Site Request Forgery

Ways to conduct a web pentest:

BlackBox Pentest — This is the most common one during bug bounty or in your pentest job. Blackbox pentesting means that you only have access to the website and not to any source code, so you mostly have to use Burp Suite and some other tools. If the server has a WAF, you have to bypass it.

WhiteBox Pentest — Although it is discussed a lot in YouTube videos, it is less applied by junior pentesters. This involves reading and exploiting code in web apps. A good field for this is WordPress plugins: since their source code is available, a lot of exploit devs read the code to find vulnerabilities.

A good website to understand this better is Wordfence.

Sources to understand and exploit web vulnerabilities:

PortSwigger — https://portswigger.net/web-security/all-labs

HackTricks — https://hacktricks.wiki/en/index.html

Blogs & other resources — Since information in pentesting is really scattered, I invite you to search for more sources to learn from yourself.

The best YouTube channels to learn web hacking are:

There are more YouTube channels related to web hacking, just go and search yourself; these 2 are the ones that I know.

Hacking Communities:

This is a very important field for learning even more web hacking.

Peackokc https://discord.gg/2pUkRjVU

And that's all, I don't know any other good ones.

A different perspective on learning web hacking

Instead of going full black box and not understanding any exploit that you execute, or try to execute, you should try to understand how vulnerabilities work. Instead of learning a specific method to bypass 403 Forbidden, also try to understand which configuration in the system may cause this flaw, learn why /etc/passwd could be read in an LFI and what other files could be read in this context, and much more.

Certifications that I recommend for web hacking:

OSWE https://www.offsec.com/courses/web-300/ (whitebox web hacking)

BSCP https://portswigger.net/web-security/certification (blackbox web hacking)

EWPTX3 https://ine.com/security/certifications/ewptx-certification

Reading bug bounty reports to learn vulnerabilities

This is a very important way to understand web app vulnerabilities, since it gives you real scenarios of vulnerabilities in web apps. You can type (vulnerability) + HackerOne report into Google, and it will return HackerOne reports related to that vulnerability.

In conclusion, these are probably the best sources to understand web app vulnerabilities, although web app vulnerabilities are an extremely complex and constantly updating field.