PortSwigger Web Academy – 08 File Upload Vulnerabilities

This section is basically brand new. It was added after I started the Academy. The section was relatively short with enough labs to get comfortable with the basic concepts. You don’t need to know how to create the web shells yourself, but you should at least be familiar with what they are. The labs give you some practice combining techniques – I think this is incredibly valuable and appreciate when this is included. There is a little practice with ExifTool, which is just a good thing to get familiar with if you’re not already. The race condition lab was pretty cool.

I would put this section 4th so far. I feel fairly comfortable with my order for the server-side content:

  • Directory Traversal
  • Information Disclosure
  • Access Control
  • File Upload Vulnerabilities
  • Command Injection
  • Authentication
  • SSRF
  • Business Logic Vulnerabilities
  • SQLi
  • XXEi

I might switch Authentication and SSRF, but I think Authentication is a more familiar topic to those new to web app pen testing. I’ve got about half of SSRF and 2/3 of XXEi to go, but I think the above order makes a lot of sense. I don’t have them ordered in terms of “value” for bug hunting or pen testing, but in the order that I think would build most logically for those just getting started. I think basic technology skills will help you get through the first few sections and provide a more gradual build than the PortSwigger order. I don’t have a problem with the PortSwigger order, but I think I’m coming at it from a different perspective. The content and labs are excellent, so the order probably isn’t that important. My order is just what I would recommend to people looking to transition into infosec or someone with more of a defensive focus to work on some offensive skills.


