Posted in Blog, PortSwigger

PortSwigger Web Academy – 09, 10, & Server-Side Wrap-Up

It’s a little hard to believe that I’ve made it through all of the Server-Side topics of the web academy, but so I have. The last two sections were SSRF (server-side request forgery) and XXEi (XML eternal entity injection). Both were good. The SSRF section was a little shorter than I would have liked, but there were bits of SSRF in other places as well. The labs were good and introduced interesting techniques. You do need pro for the last one, but that seems reasonable.

The XXEi section was a bit odd. I did a couple of the labs earlier before doing the rest of the sections. Coming back to the rest now, they made a lot more sense. I like this section being the end of the server-side topics. I think it works well. I do think this section will be very tough if you don’t have any experience with XML. The provided solutions make it doable, but a fair amount of practice would be needed to get comfortable.

So 10 sections in, all the server-side topics down, where does that put me? From a web app pen testing standpoint, do I feel like I could sit down and do an effective pen test from memory? Meh, not without references. I think I could run a basic web app pen test. I know I’m capable of more in-depth testing, but I also recognize there are holes. Probably will fill in some of those in the client-side modules. I feel like I’m recognizing patterns and seeing possible exploits better. This was the deepest dive I’ve taken in some of these areas, which was helpful. I feel like I wanted to really internalize the info, I’d need to take a couple weeks and really focus on just this. Since my goal was more around getting ideas for detections and recognizing malicious activity in logs, I’m not as concerned with that. If I get time, I could apply this to bug bounty programs. Squeezing these in between other trainings (I did the Getting Started in Packet Decoding w/Chris Brenton and Securing the Cloud w/Andrew Krug since the last blog – reviews to come, both were very good), made this less of a priority.

If someone can prioritize these sections and combine it with bug bounty programs, I think they could come a long way very quickly. And that’s with all the client-side topics to go. I’m happy with my order for these – I’d leave XXEi to the end, but I would bump SSRF up compared to where PortSwigger has it.

  • Directory Traversal
  • Information Disclosure
  • Access Control
  • File Upload Vulnerabilities
  • Command Injection
  • Authenticaion
  • SSRF
  • Business Logic Vulnerabilities
  • SQLi
  • XXEi

I think this order builds well to allow someone with little to no experience to get to a decent level of web application pen testing fairly quickly. I would recommend doing them in a more compressed time frame than I have if you can. The content is really good for the most part. There are some gaps in the content that mostly get filled in with the labs (places where there’s a jump in the tactics or skills from the provided material to the labs). For free content put out by a company that isn’t focused on content, I’m good with that. I think if you are lost on how to do a specific lab going to the solutions will at least give you enough information to do more research. For several, just looking at the solutions was a face palm moment where I realized what I was missing. The best part for me was seeing what to look for in logs and getting ideas about ways to monitor. I would like to give the content more attention than I am, but that’s not my priority at the moment.


Lifelong paradox - cyber sec enthusiast - loves to learn

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.