Program Web Application Pentest ini dirancang untuk membentuk penetration tester aplikasi web yang memahami metodologi pengujian keamanan web modern.
Materi mencakup:
Web fundamentals
HTTP/HTTPS
Reconnaissance
OWASP Top 10
Authentication testing
API Security
Business Logic Testing
Advanced Web Exploitation
Reporting professional
Program difokuskan pada:
Manual testing
Vulnerability discovery
Exploitation understanding
Security assessment workflow
Professional pentest reporting
Setiap modul terdiri dari:
Tujuan pembelajaran
Materi utama
Tools yang dipelajari
Praktik lab
Target skill
LEVEL 1 — WEB FUNDAMENTALS
Modul 1 — Introduction to Web Application Pentesting
Materi:
Pengertian web pentest
Pentest methodology
OWASP Top 10
Attack surface
Legal & ethics
Tools:
Kali Linux
Burp Suite
Praktik:
Setup web pentest lab
Target Skill:
Memahami dasar web pentesting.
Modul 2 — Web Technology Fundamentals
Materi:
Frontend vs Backend
HTTP/HTTPS
Request & response
Header
Cookie
Session
Web server
Tools:
Browser DevTools
Burp Suite
Praktik:
Analisa traffic web
Target Skill:
Memahami cara kerja aplikasi web.
Modul 3 — Linux & Command Line for Pentester
Materi:
Linux filesystem
Bash basics
Curl
Wget
Networking command
File handling
Tools:
Kali Linux
Terminal
Praktik:
Automation command line
Target Skill:
Menguasai command line untuk pentest.
Modul 4 — Burp Suite Fundamentals
Materi:
Proxy
Repeater
Intruder
Decoder
Comparer
Logger
Tools:
Burp Suite
Praktik:
Intercept & modify request
Target Skill:
Menguasai Burp Suite.
Modul 5 — Reconnaissance & Attack Surface Mapping
Materi:
Passive recon
Active recon
Subdomain enumeration
Directory discovery
Technology fingerprinting
Tools:
Subfinder
httpx
ffuf
Wappalyzer
Praktik:
Mapping target web lab
Target Skill:
Mampu melakukan reconnaissance web.
LEVEL 2 — AUTHENTICATION & SESSION TESTING
Modul 6 — Authentication Testing
Materi:
Login mechanism
Weak password policy
Brute force awareness
MFA basics
Password reset testing
Tools:
Burp Suite
Hydra
Praktik:
Authentication testing lab
Target Skill:
Memahami pengujian autentikasi.
Modul 7 — Session Management Testing
Materi:
Cookie security
Session fixation
Session timeout
JWT basics
Token handling
Tools:
Burp Suite
JWT Tooling
Praktik:
Session testing lab
Target Skill:
Memahami session security.
Modul 8 — Access Control Testing
Materi:
IDOR
Broken access control
Privilege escalation
Forced browsing
Tools:
Burp Suite
Praktik:
Access control lab
Target Skill:
Memahami authorization flaw.
LEVEL 3 — OWASP TOP 10 & WEB VULNERABILITIES
Modul 9 — SQL Injection
Materi:
SQL basics
Error-based SQLi
Blind SQLi
Time-based SQLi
WAF basics
Tools:
SQLMap
Burp Suite
Praktik:
SQL Injection lab
Target Skill:
Memahami SQL Injection.
Modul 10 — Cross Site Scripting (XSS)
Materi:
Reflected XSS
Stored XSS
DOM XSS
CSP basics
Tools:
Dalfox
Burp Suite
Praktik:
XSS lab
Target Skill:
Memahami XSS vulnerability.
Modul 11 — Cross Site Request Forgery (CSRF)
Materi:
CSRF attack flow
Anti-CSRF token
SameSite cookie
CSRF protection
Tools:
Burp Suite
Praktik:
CSRF testing lab
Target Skill:
Memahami CSRF.
Modul 12 — File Upload Vulnerability
Materi:
Upload bypass
MIME type bypass
Extension bypass
Webshell overview
Tools:
Burp Suite
Praktik:
Upload testing lab
Target Skill:
Memahami upload vulnerability.
Modul 13 — File Inclusion & Path Traversal
Materi:
LFI
RFI
Directory traversal
Sensitive file exposure
Tools:
Burp Suite
Praktik:
File inclusion lab
Target Skill:
Memahami file handling vulnerability.
Modul 14 — Command Injection & RCE
Materi:
OS command injection
Remote Code Execution
Input validation
Filter bypass basics
Tools:
Burp Suite
Metasploit
Praktik:
Command injection lab
Target Skill:
Memahami RCE vulnerability.
Modul 15 — SSRF & XXE
Materi:
SSRF basics
Internal network access awareness
XXE basics
XML parser security
Tools:
Burp Suite
Praktik:
SSRF lab
XXE lab
Target Skill:
Memahami server-side vulnerability.
LEVEL 4 — ADVANCED WEB TESTING
Modul 16 — API Security Testing
Materi:
REST API
GraphQL basics
JWT weakness
Broken object level authorization
Tools:
Postman
Burp Suite
Praktik:
API pentest lab
Target Skill:
Mampu melakukan API testing.
Modul 17 — Business Logic Testing
Materi:
Workflow abuse
Race condition
Price manipulation
Coupon abuse awareness
Tools:
Burp Suite
Praktik:
Business logic testing lab
Target Skill:
Memahami business logic flaw.
Modul 18 — Web Cache & CDN Testing
Materi:
Cache poisoning basics
CDN behavior
Header manipulation
Tools:
Burp Suite
Praktik:
Cache testing lab
Target Skill:
Memahami cache vulnerability.
Modul 19 — JWT & OAuth Security
Materi:
JWT structure
OAuth flow
Token validation
Authentication weakness
Tools:
Burp Suite
jwt-tool
Praktik:
JWT testing lab
Target Skill:
Memahami token security.
Modul 20 — WebSocket Security Testing
Materi:
WebSocket communication
Real-time communication security
Message manipulation
Tools:
Burp Suite
Praktik:
WebSocket testing lab
Target Skill:
Memahami keamanan WebSocket.
LEVEL 5 — PROFESSIONAL WEB PENTESTING
Modul 21 — Automation & Recon Workflow
Materi:
Recon automation
Fuzzing basics
Content discovery
Workflow optimization
Tools:
nuclei
ffuf
katana
httpx
Praktik:
Automated recon workflow
Target Skill:
Mampu melakukan automation dasar.
Modul 22 — Reporting & Documentation
Materi:
Vulnerability documentation
Risk rating
Executive summary
Evidence collection
Tools:
Dradis
Obsidian
Praktik:
Membuat laporan pentest
Target Skill:
Mampu membuat laporan profesional.
Modul 23 — Pentest Methodology & Workflow
Materi:
Planning
Scoping
Testing methodology
Validation
Reporting flow
Tools:
Burp Suite
Pentest checklist
Praktik:
Simulasi full workflow
Target Skill:
Memahami workflow pentesting profesional.
Modul 24 — Bug Bounty Web Hunting
Materi:
Scope analysis
Recon strategy
Vulnerability validation
Responsible disclosure
Tools:
Burp Suite
nuclei
subfinder
Praktik:
Simulasi bug bounty hunting
Target Skill:
Memahami workflow bug bounty.
Modul 25 — Final Web Application Pentest Project
Materi:
Full web pentest workflow
Recon hingga reporting
Multi-vulnerability assessment
Professional presentation
Tools:
Full Web Pentest Toolkit
Praktik:
Final web pentest project
Presentasi hasil assessment
Target Skill:
Siap menjadi Web Application Pentester.
BONUS SECTION
Tools Penting Web Pentest
Burp Suite
SQLMap
ffuf
nuclei
subfinder
httpx
Dalfox
Postman
Wappalyzer
katana
Sertifikasi Rekomendasi
eWPT
OSWE
BSCP
CPTS
CEH
OSCP
Platform Praktik
PortSwigger Web Security Academy
Hack The Box
TryHackMe
DVWA
Juice Shop
VulnHub
Roadmap Karier
Beginner:
Junior Web Pentester
Security Analyst
Intermediate:
Web Application Pentester
Bug Bounty Hunter
Advanced:
Senior Pentester
Security Consultant
Application Security Engineer
PENUTUP
Program Web Application Pentest dirancang untuk membentuk penetration tester aplikasi web profesional dengan pemahaman modern terhadap OWASP Top 10, API Security, business logic testing, dan workflow pentesting industri.