Professionally Evil Web App Pen Testing 101 Course

UPDATE: Updated the done steps below. Also changed the links from S3 to Git.

Since our founding in 2010, Secure Ideas has always tried to focus on education and increasing the amount of available knowledge in our field. As such, we have contributed to courses, presented at conferences around the world and contributed to open source projects. Two years ago we announced our free training for veterans and first responders. Last year we followed up with our free Scout security services for non-profit charities. And to be completely honest, we are pretty proud of what we have been able to do, and we want to thank everyone for supporting us and helping make us better.

And in that mindset we want to announce our latest work on helping the industry build a body of knowledge.  A number of years ago we built a class that was used in a large number of training courses and made up a major part of a curriculum. In 2014 Secure Ideas wrote the last version of that.  We want to release this to the public so that anyone who wants to go through the materials is able to learn how to do web penetration testing.  And we want people to help us make it better.

So here is the plan:

  • Release the slides without the exercises (TODAY!<grin>)
  • Determine a format for the course that will allow many people to contribute (Done. GitPitch)
  • Create a Git repo for this course (Done:
  • Release the slides and exercises via this Git repo (Done for slides)
    • The exercises may take a bit of time as they will first require significant updates
  • Release the exercise targets and virtual machines
  • Release the Capture the Flag (CtF)
  • Maintain this course for as long as people want us to.

The course, Professionally Evil Web App Pen Testing 101 (PEWAPT), is designed to work as an introduction to web application penetration testing. It mainly focuses on a methodology and tools to support the methodology. We are releasing it using the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. This can be found at


Feel free to download it now and let us know what you think!  You can email us at or on Twitter at @secureideasllc

3 thoughts on “Professionally Evil Web App Pen Testing 101 Course”

  1. Thanks for sharing the slide deck!
    I started reviewing the first pptx (PEWAPT101.1) and found quite a few things one could improve, but then soon gave up since the rendering of the slides in OpenOffice (4.1.5) obviously is sub-optimal. I don’t have MS Office available, so I can’t really tell what are rendering problems and what are (design) errors.

    The PPT viewer available from MS displays the slides a little better, but still: I’m unable to edit & feed the edits back.

    But generally speaking: black text on dark blue background colour is really hard to read due to the very low contrast. I’d propose to either alter the dark blue colour into something a little lighter or to alter the black text into a mid-toned grey.

    And the black text at the bottom of the slide’s “body” area which is running into the gradient at the top of the footer section also is not too easy to read.

    1. Hi, Thanks for the feedback. When we get this in git the process will not require you to have PowerPoint.

      As to the text in the gradient, I tried to fix all of the places that happened, but obviously I missed some. I will work on it.

      As to the dark blue background, I am not sure where we use that? Could you provide a day and slide number?


  2. This is a great start and I’m sure a rewarding one. I love the idea of an open source training project.

    I’m a developer who recently had the opportunity to join the security team at work. I have no real expertise in the security realm to speak of beyond secure code concepts, and a course like this would benefit someone like me greatly.

    If you would like my feedback on how this training material helped someone like me, I would be more than happy to provide it once everything is ready to test, so to speak.

    Thank you and see you in Detroit for Converge!
