Training course - Web vulnerabilities - OWASP Top 10

Description of this training course

This immersive training course will give you the skills you need to identify, exploit and correct the most widespread web vulnerabilities, based on the Top 10 from OWASP, the international benchmark for application security.

Through a practical, pentest-oriented approach, participants will analyze a deliberately vulnerable web application and implement various attack techniques used in actual security audits.

Training content

Teaching objectives

At the end of the course, participants will be able to:

  • Understand the main security risks associated with web applications.
  • Identify the most common vulnerabilities present in web applications.
  • Exploit these vulnerabilities in a controlled penetration test context.
  • Implement corrective and preventive measures.
  • Use the tools commonly employed during a web pentest.
  • Understand the structure and expectations of a security audit report.

Introduction to web vulnerabilities

This first part lays the foundations for understanding how an application security audit works, and the context in which pentesting takes place.

Participants will discover the fundamental concepts of cybersecurity applied to web applications, as well as the legal and methodological aspects of penetration testing.

Topics covered

  • Introduction to cybersecurity and application security
  • The legal and ethical framework of pentesting
  • Web penetration test methodology
  • The different phases of a security audit
  • Presentation of the vulnerable web application used during the course
  • Presentation of web pentest tools
  • Getting started with Burp Suite Community Edition
  • Intercepting and modifying HTTP requests
  • Analysis of web application operation

OWASP Top 10 vulnerabilities

This section is the heart of the course. Participants will learn how to identify, understand and exploit the major vulnerabilities described in the OWASP Top 10.

Each vulnerability will be covered with:

  • a theoretical explanation
  • a demonstration
  • a practical workshop
  • security measures to be implemented

Topics covered

  • Presentation of the OWASP Top 10 (changes between 2017, 2021 and 2025)
  • SQL injection
  • Command injection
  • Cross-Site Scripting (XSS): reflected, stored and DOM-based
  • Authentication vulnerabilities
  • Session management
  • Tokens and JWT
  • CORS misconfigurations
  • CSRF (Cross-Site Request Forgery)
  • SSRF (Server Side Request Forgery)
  • Local and remote file inclusion (LFI / RFI)
  • File upload vulnerabilities
  • Bypassing upload restrictions
  • Webshell upload
  • Business logic vulnerabilities
  • Race conditions
  • Privilege escalation

Pedagogical approach

The training is based on a highly practical approach, with:

  • live demonstrations
  • guided exercises
  • hands-on labs
  • realistic exploitation scenarios

Participants will work on a deliberately vulnerable application, reproducing situations encountered during real security audits.

Requirements

This course can be run either face-to-face or remotely, depending on participants' needs and constraints. Practical exercises require the use of a virtual machine or a secure laboratory environment, which will be provided to participants.

Target audience

This course is primarily aimed at developers, system administrators, security managers/IT directors and cybersecurity consultants.

Prerequisites

Basic knowledge of web development is recommended for this course.

How to access

Registration for the course can be done online or after a videoconference interview.

Access time

The lead time before a session starts is generally 2 to 4 weeks, depending on participants' availability and the organization of the session.

Accessibility

As the training is mainly distance learning, it is accessible to people with reduced mobility. In the case of face-to-face training, it will take place on premises accessible to people with reduced mobility.

Supervision

Training is provided by a cybersecurity expert with nearly 10 years' experience in offensive cybersecurity.

Educational follow-up

Course materials in PDF format will be provided to learners. In addition, online cybersecurity training platforms will be used.

Follow-up

Participants' attendance will be tracked through a daily online attendance record.

Results tracking

At the end of the course, learners will take a multiple-choice test to validate their learning.

Pricing: from €1,500 excl. VAT for 2 days

Contact us

Do you have any questions or would you like to request a pentest? Please do not hesitate to contact us.


Email us:

E-mail us if you have any general questions.

contact@secureaks.com

Call us:

Don't hesitate to call us if you have any general questions.

+33 (0)4 73 95 60 35

Meeting

Book a meeting to discuss your security needs.

calendly.com/secureaks-garcia