How OffSec’s Web Application Security Course Helps Technical Team Members Become Better Developers, Attackers, and Defenders

May 31, 2023


Content Team

WEB-200: Foundational Web Application Assessments with Kali Linux is a black box style web application security course designed to teach the Learner how to assess web applications from an external perspective. A black box penetration test or web application assessment occurs when the tester doesn’t receive access to the application’s source code. This means that they need to behave like a regular user of the application, in order to enumerate, discover, and exploit different kinds of vulnerabilities.

In this blog post, we will identify how our web app security course can help your team members improve their security skills, whether they’re web application developers, blue teamers, or penetration testers. Plus, we’ll provide a suggestion for those looking to get into the field in the first place!

Builders and Developers

WEB-200 represents an excellent opportunity for developers to get into the mindset of an attacker. You will learn different methodologies, processes, and behaviors of potential malicious actors. In doing so, you will come to understand how your code can be abused to achieve outcomes that you may not have intended. 

Let’s take Cross-Site Scripting (XSS) as an example. Cross-Site Scripting can occur whenever a user is permitted to submit text that later gets rendered by a browser as HTML (ex: a blog post’s comments). Watch our OffSec Live recorded walkthrough if you’re interested in an in-depth demonstration. WEB-200 contains an excellent “sandbox” application that demonstrates to the Learner both what the attacker would see on their browser, as well as what the victim would see on theirs. 

Another benefit to development teams is that you can build up the capacity to audit code within the team by applying the skills and techniques learned in this web application security course. For example, you might try to abuse Server-Side Template Injection (SSTI) to obtain Remote Code Execution (RCE) on an application you are building that enlists templates.


The main reason to explore WEB-200 as a blue teamer is to understand the kinds of footprints attackers leave when attempting these kinds of attacks. WEB-200 is not a red teaming course and does not emphasize stealth. Therefore, it is a perfect tool for defenders to get acclimated with the kind of strings attackers can leave behind in logs while performing black box style attacks. 

For example, the SQL Injection Modules allow the Learner to select among various databases to execute their queries (and attacks) on. Since the course explores many different kinds of relational database systems, defenders can get acclimated with the different types of syntax and strings that are likely to be left behind in web server logs.

Defenders will also get a boost to their mental models of the impact and ramifications of different kinds of attacks. WEB-200 focuses on two broad types of attacks: authentication bypasses and remote code execution. Both of these can have a tremendous impact on an organization, but it can be difficult to internalize exactly what that might mean without first-hand experience. The WEB-200 Challenge Labs provide Learners with the opportunity to viscerally experience that impact themselves, over and over again.


Seasoned network penetration testers benefit from our web app security course because HTTP(S) still remains one of the most widespread technologies exposed to external networks. While PEN-200 covers Web Application Attacks, it does so neither at the level of depth nor breadth enjoyed by WEB-200. 

Penetration testers that are not performing regular assumed-breach type scenarios will inevitably encounter web applications as their primary entry point. It follows that having more varied, rich, and explored attack vectors in one’s pocket will help tremendously on both internal and external engagements. 

One way that WEB-200 allows Learners to fully explore web application attacker methodology is via the Assembling the Pieces Module. It covers a custom web application, how OffSec would handle assessing it, and then walks through every step of exploiting both authentication bypass and remote code execution. Then the machine is made available to the Learner to replicate the attacks or try their own. This general formula of auth bypass + elevated attack is then repeated in both the Challenge Labs and in the OffSec Web Assessor (OSWA) web application security certification exam itself, providing even more practice opportunities for attackers. 

Help! I’m New, Where Should I Start?

Many Learners looking to get into penetration testing begin with Penetration Testing with Kali Linux (PEN-200). While that is a reasonable path for many Learners, we’d like to argue that Learners would benefit from exploring WEB-200 first. There are a few reasons for this:

  1. An intuitive experience: The primary tools of the web application assessor are the browser and the proxy. Anyone reading this blog post is, almost by definition, intimately familiar with a browser. Learners without any other kind of security background will very likely still understand on an intuitive level what it’s like to comment on a blog post, log into an application, or reset one’s password. This is a very different experience from the kind of interactions Learners need to have in PEN-200, where the technology can be quite foreign.
  2. A (relatively) narrow scope: Since WEB-200 focuses only on web applications, Learners only need to concern themselves with specific technologies: mostly web servers, browsers, proxies, and databases. In PEN-200 the number of tools, technologies, and servers Learners need to become acquainted with is significantly higher. Someone new to the industry will likely benefit from a smoother onramp by needing to learn about less varied technology, and instead focus more deeply on methodology and understanding. The “attacker’s mindset” nurtured and tempered in WEB-200 is completely transferable to PEN-200, and vice versa. But it may also come more naturally in the former. 
  3. A transferable skillset: While PEN-200 and the OSCP represent the gold standard for getting into the penetration testing field, WEB-200 provides the Learner with a skill set that is easily transferred to the PEN-200 Learner. Fundamentally, attacking web applications is no different than attacking anything else: users with the ability to manipulate text can cause programs to interpret data as code. It is this interpretation that allows attackers to accomplish malicious objectives. By first learning and internalizing this process on an intuitive and visual technology like web applications, Learners can then apply these skills in more esoteric environments like endpoint privilege escalation and Active Directory.

The OSWA Web Application Security Certification

Learners who complete the course and pass the exam will earn the OffSec Web Assessor (OSWA) web app security certification, demonstrating their ability to leverage web exploitation techniques on modern applications.
Learners will: 

  • Obtain a wide variety of skill sets and competencies for web app assessments
  • Develop Black Box enumeration and exploitation techniques
  • Leverage modern web exploitation techniques on modern applications

This blog post has covered many of the different ways in which WEB-200: Foundational Web Application Assessments with Kali Linux can help you and your team improve your security skillset and understanding regardless of your current role. See if WEB-200 is right for your technical team by checking out the detailed syllabus here or by contacting our Sales team

Tags: , , ,