Lately, I’ve been trying to level up my web app knowledge by going through some Portswigger Web Academy labs and articles. I’ve just finished the 30 labs required to complete the Cross-Site Scripting (XSS) section, and I have really been enjoying it. Since a couple of people have asked me about Portswigger Web Academy after I started doing it, I figured a blog post would be in order…
What is Portswigger Web Academy?
So before I hop in with my opinions, I feel it may be necessary to provide a quick high-level overview of what the Portswigger Web Academy is.
The Web Academy was created by the very company that created Burp Suite. If you’re not familiar with Burp Suite, it’s a very powerful tool that I am currently using a ton, and I find new features almost every time I use it.
The Web Academy offers free training on many important categories of web vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), XXE Injection, Insecure Deserialization, and more. The labs are split into three levels of difficulty: Apprentice, Practitioner, and Expert. Additionally, you can track your progress to see where you stand in both the learning materials and the vulnerability labs.
The image above shows my current progress after completing all of the XSS labs and training material. As you can see, I’ve still got some work to do.
The training material goes into great depth about vulnerabilities and why they exist, how to take advantage of them, as well as how to protect against them.
Much like other platforms and services that offer vulnerable labs, there are hits and misses. Since I’m a pretty simple person, I found these labs to be overwhelmingly positive.
One of the greatest things I mentioned above is the ability to track your progress. When you complete a lab successfully, the lab environment you started will automatically notify you that you’ve completed the lab, and the Web Academy will automatically add this completion to your progress for you. If you’re like me, you may be forgetful at times, and I have no doubt that I’d forget to mark a lab as completed. The Web Academy does that for me, so I don’t have to worry about it. What’s also great is that once you complete a lab, it will show as completed on any page which references it. So, for example, if you click through to the page listing all of the labs offered in the Web Academy, it will look something like this:
On top of the great tracking, labs deploy instantly when you click “Access the lab”. This allowed me to work through the content pretty quickly. I didn’t have to wait around for a few minutes for everything to be configured; it works right away.
The “Real Factor”
More often than not, I get pretty annoyed and frustrated with the overwhelming number of unrealistic labs, boxes, machines, VMs, etc. out there for “pentest training”. As much as I enjoy a good CTF, challenge, or puzzle to work through, I really just want to cut through all the BS and become a better professional in my career. Through doing the labs and reading the material (still only XSS, mind you), I have already begun to home in on things to look for. I am finding myself becoming more detail-oriented and able to try multiple approaches, whereas before I’d try a couple of things and move on. Most of the labs I’ve encountered have been either a blog or an e-commerce scenario, which are certainly realistic web applications that a penetration tester will encounter.
How it stands versus eLearnSecurity Web App Course
I was asked about this by someone, and I felt it was a good question which should be addressed here as well. I believe the Web Academy is a great starter which should be used as a primer before eLearnSecurity’s WAPT course. The Web Academy provides a structured and organized learning environment, perhaps a bit better than eLearnSecurity’s. Because of that, it’s great for a beginner to go through various web vulnerabilities step by step.
I’d recommend doing the Apprentice- and Practitioner-level labs, skipping over the Expert labs and revisiting them at a later time.
I can’t confirm that the Web Academy does not have labs where you chain together exploits, but I currently have not encountered one. This is where you’ll get good bang for your buck on the eLearnSecurity course. Being able to leverage various vulnerabilities and chain exploits is great experience, and the WAPT offers this. It also makes you think outside the box a lot during the labs and exam, while providing a certification at the end to help build out your resume and prove your knowledge.
Current Final Thoughts
As I still have more labs and training material to go through, I’ll likely revisit this conversation again and either update this post or create a new one. That said, I am very much enjoying the Portswigger Web Academy, and I feel it’s already increasing my tool-set and making me a better penetration tester in the real world. I definitely recommend going through the material and the labs.