This was a fun section. Learned some new things with headers and referrers – which is a big part of why I’m doing this. Labs were a good variety and all doable with the community version. I’d probably put this third at this point – Directory Traversal, Information Disclosure, Access Control, Command Injection, Authentication, Business Logic, SQLi. I get the order PortSwigger used, but I think this order is a little more complete-beginner friendly. I’ll keep tweaking as I go, but I’m pretty comfortable with the first two.
This section has a lot of labs (13) so lots of practice. All were pretty doable with the content covered in the material. No scripting for me in this section. I didn’t see a need. I like this section earlier in the learning path because it uses some very basic techniques (like examining the source code) that are beginner friendly.
A lot of the labs involved having an authenticated user, which makes sense. Not having one, or an admin-level user, would make some of these labs much more difficult. I think you could get close with some guessing and in-depth crawling, but having creds makes a big difference.
Biggest takeaway from this section for me was “this was fun.” The labs were all pretty quick, and I just had fun doing them. Good section for building some momentum.