Course Overview

Welcome to this course on Practical Web Hacking. This course follows on from the Practical Bug Bounty course and will take you deeper into the world of finding and exploiting vulnerabilities in web applications. It's recommended that you have completed the Practical Bug Bounty course or have at least one year's experience in hacking web applications before you take this course. In this course, you will develop a deeper understanding of how web attacks work, learn to craft custom payloads, and build a methodology for finding and exploiting more complex vulnerabilities.


The Practical Web Hacking Course Will Cover:

  • How web applications work
  • Authentication attacks
  • Broken access control
  • Server-side request forgery
  • Advanced SQL injection attacks and NoSQL injection
  • File inclusion
  • XML External Entity Injection
  • XSS and filter bypasses
  • Attacking JSON Web Tokens
  • Mass assignment
  • Open redirects
  • Race conditions
  • Capstone challenge


By the end of the course you will have a good understanding of how these attacks work and be able to find them in situations that are not immediately obvious or that are overlooked by automated scans and fuzzing. You will also be able to modify and craft custom payloads to bypass filters or achieve exploitation in unusual circumstances.



Prerequisites & System Requirements

  • A computer able to run a Linux virtual machine
  • Completion of the Practical Bug Bounty course OR 1 year's web hacking experience
  • A positive attitude

Practical Web Hacking Course Objectives


In this course, you will learn to:

  • Understand how web applications and their various components work
  • Understand common and intermediate attacks against web applications
  • Identify potential weaknesses and vulnerabilities in web applications
  • Craft payloads to exploit an identified vulnerability





Who Should Take the Practical Web Hacking Course?


Practical Web Hacking is aimed at those who want to understand, find and exploit vulnerabilities within web applications for penetration testing and bug bounty hunting. This is an intermediate course so an understanding of web applications and basic attacks is required. If you’re new to web application security testing then we recommend you take the Practical Bug Bounty course first. This course is also ideal for experienced network penetration testers who want to improve their web application testing skills. 

Practical Web Hacking Course Curriculum - 10+ Hours

  • Introduction
  • Authentication
  • Access Control
  • SSRF (Server-Side Request Forgery)
  • SQL Injection
  • File Inclusion
  • XXE (XML External Entity Injection)
  • XSS / JavaScript Injection
  • JWTs (JSON Web Tokens)
  • Mass Assignment
  • WebSockets
  • Open Redirects
  • Race Conditions
  • Capstone Challenge


About the Instructor: Alex Olsen

Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity.

Alex holds a Master's Degree in Computing, as well as CEH and OSCP certifications.

Follow Alex on Social Media:

LinkedIn - https://www.linkedin.com/in/alex-olsen-47119322/


This course is included in our All-Access Membership starting at $29.99/month

Get full access to the Practical Web Hacking course and our full course catalog when you enroll in our All-Access Membership.

Frequently Asked Questions


Can I get a refund if I'm unhappy with my purchase?

Yes. All courses come with a 24-hour money-back guarantee.


Will I receive a certificate of completion when I finish a course?

Yes. All courses come with a certificate of completion.

Do the courses count as Continuing Education Units (CEUs)?

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Pass?

As of July 1st, 2023, TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.

What if you already own courses on TCM Academy?

If you already own a course on our platform, you will continue to own that course forever. Previously owned courses will not be affected by this change.


I can see the course, but it won’t load or play. What should I do?

We use Cloudflare to protect our course platform and unfortunately, it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at [email protected] and we will help you out.