The materials and labs have exploded over the last months: Web cache poisoning; Information disclosure vulnerabilities; Insecure deserialization; Authentication; SQL injection; Cross-site scripting; Cross-site request forgery (CSRF); XML external entity (XXE) injection; Clickjacking (UI redressing); Cross-origin resource sharing (CORS); Server-side request forgery (SSRF); HTTP request smuggling; OS command injection; Server-side template injection; Directory traversal; Access control vulnerabilities and privilege escalation; Testing for WebSockets security vulnerabilities; DOM-based vulnerabilities.
The full list of labs is not included here; it is simply too long!
Link: Web Security Academy
Content: Teaches the basics of Web Application Security, so far SQL Injection, XSS, OS command injection and File Path traversal. Comes with small labs.
Career: Penetration Tester, but I also recommend it for everyone interested in security
Level: Beginner
Price: Free
The description from the original website: “Welcome to the Web Security Academy. This is a brand new learning resource providing free training on web security vulnerabilities, techniques for finding and exploiting bugs, and defensive measures for avoiding them. The Web Security Academy contains high-quality learning materials, interactive vulnerability labs, and video tutorials. You can learn at your own pace, wherever and whenever suits you. Best of all, everything is free!”
To track your progress and do the labs, you need to create an account.
I found the explanations and the labs very suitable for beginners and I think it is a great starting point for web application security.
The team behind it is the same one that is behind Burp Suite and the famous Web Application Hacker's Handbook (consider buying it if you want to go deeper into the topic):
The Web Application Hacker's Handbook
Authors: Dafydd Stuttard, Marcus Pinto
Content: The standard book about hacking Web Applications, goes into depth about the most important topics. The authors also created Burp Suite.
Career: Penetration Tester
Level: Good for beginners, but also useful for experienced penetration testers