Day 4: Web security introduction
Web applications are the most common attack surface. Today you study how browsers talk to servers, where authentication breaks, and the vulnerability classes every ethical hacker and AppSec engineer must know.
Today's outcome: You understand HTTP, sessions, cookies, and the OWASP Top 10 at a beginner level.
Week progress
Day 4 of 7
- 1
Security mindset & threat basics
- 2
Networking for security
- 3
Linux command line
- 4
Web security introduction
You are here
- 5
SOC & log awareness
- 6
First hands-on lab
- 7
Pick your career direction
Goals
Learning objectives
By the end of today you should be able to:
- Trace an HTTP request/response and identify headers, cookies, and status codes
- List OWASP Top 10 categories and one example each
- Use a JWT decoder tool to inspect token structure (no exploitation)
- Relate one OWASP risk to a control you have seen in production
Schedule
Suggested schedule
Adjust timing to your pace — aim for one focused block per day.
- Tutorial~35 min
Study OWASP Top 10 tutorial — focus on injection, auth, and XSS sections.
- Inspect~15 min
Capture a login flow in dev tools; note cookies and Authorization headers.
- Tool~10 min
Paste a sample JWT into the JWT decoder and label header vs payload.
- Reflect~10 min
Pick one OWASP item and write how you would test for it safely.
Learn
Mapped learning resources
These links connect this day to tutorials, labs, roadmaps, and reference material on PentesterWorld.
OWASP Top 10 tutorial
Web application risks, testing mindset, and defensive controls.
Open resourceOWASP glossary entry
What OWASP is and how practitioners use the Top 10.
Open resourceJWT decoder tool
Inspect JSON Web Token structure during web security labs.
Open resourceSecurity mindset engineering
Attacker vs defender thinking for web and app scenarios.
Open resourceConcepts
Key terms for today
Notebook
Reflection prompts
Copy these into your learning notebook — answers become portfolio material later.
- What is the difference between authentication and authorization?
- Which OWASP risk is most common in apps I use?
- What would an attacker gain from stealing a session cookie?