EH-Net

Ethical Hacking Discussions and Related Certifications => Web Applications => Topic started by: waynegs on November 13, 2012, 08:19:12 AM



Title: Web App Pen Testing training
Post by: waynegs on November 13, 2012, 08:19:12 AM
Can anyone recommend some web application pen testing training that is not quite as expensive as the SANS classes?

I would love to find some online live or recorded instructor-led classes.

Thanks,

Wayne


Title: Re: Web App Pen Testing training
Post by: UNIX on November 13, 2012, 08:24:48 AM
You could take a look at Offensive Security's "Advanced Web Attacks" (http://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/) course. As far as I know it might be available in an online format by the end of the year. I assume it will be in the same price range as their other online courses.


Title: Re: Web App Pen Testing training
Post by: ziggy_567 on November 13, 2012, 08:25:39 AM
eLearnSecurity

http://www.elearnsecurity.com/

You'll find many reviews on this site.


Title: Re: Web App Pen Testing training
Post by: lorddicranius on November 13, 2012, 09:33:01 AM
Quote
eLearnSecurity
http://www.elearnsecurity.com/
You'll find many reviews on this site.

I'll second eLearnSecurity. Great course material, very helpful labs.


Title: Re: Web App Pen Testing training
Post by: sh4d0wmanPP on November 13, 2012, 09:36:15 AM
I'm currently doing eCPPT and it's fun. The main reason was its focus on web pentesting. Furthermore, it is a nice warm-up for the OSCP certification if you want to go that way.

The course content consists of an OS/Application section, WebApp and Network section. For me, most material I knew already; however, I picked up a few new things and have gained a better understanding of the webapp pentesting part (I prefer OS/applications though haha). Did not write the exam report yet but am getting there.

Any questions? Let me know. Also get The Web Application Hacker's Handbook, 2nd edition; it covers a lot of the same info as this course.


Title: Re: Web App Pen Testing training
Post by: Dark_Knight on November 13, 2012, 10:30:44 AM
Quote
Can anyone recommend some web application pen testing training that is not quite as expensive as the SANS classes?
I would love to find some online live or recorded instructor-led classes.
Thanks,
Wayne

WAHH2 - http://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470


Title: Re: Web App Pen Testing training
Post by: ajohnson on November 13, 2012, 10:37:26 AM
+1 to WAHH2 and the corresponding MDSec labs.

eLearn has good web app material, and is certainly a good starting place, but it doesn't have the same breadth and depth.


Title: Re: Web App Pen Testing training
Post by: m0wgli on November 13, 2012, 12:20:54 PM
I'd agree with the above suggestions.

One of the members here (tturner) recently took the CSTP: Certified Security Testing Professional course and posted a review on his blog:

http://sentinel24.com/blog/7-safe-certified-security-testing-professional-review/#MyConclusion

I've also seen a course offered by the Samurai Web Testing Framework, although I haven't taken the instructor-led training. However, they do publish the course slides and I worked through them and found them quite useful to build off of:

http://sourceforge.net/projects/samurai/files/SamuraiWTF%20Course/


Title: Re: Web App Pen Testing training
Post by: tturner on November 13, 2012, 12:21:13 PM
I'd highly recommend Jeremy Druin's video series and Mutillidae. 79 videos and counting!

http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae

Also OWASP has a bunch of great materials as well. Here's a link to the OWASP education project: https://www.owasp.org/index.php/Category:OWASP_Education_Project and OWASP has teamed with Security Innovation to make OWASP Team Mentor available, which is a nice resource: http://owasp.teammentor.net/teamMentor and then a free hacking lab for OWASP Top 10 at https://www.hacking-lab.com/events/registerform.html?eventid=245

Don't forget http://www.securitytube.net/tags/web . I also highly recommend WAHHv2. I have not done the MDSEC labs and have heard good things but I was focusing on free resources here.


Title: Re: Web App Pen Testing training
Post by: tturner on November 13, 2012, 12:28:10 PM

Quote
One of the members here (tturner) recently took the CSTP: Certified Security Testing Professional course and posted a review on his blog:
http://sentinel24.com/blog/7-safe-certified-security-testing-professional-review/#MyConclusion


Thanks for the mention m0wgli. It really was a pretty great course for what it was (2 days really limits how deep you can cover material) but definitely not free (for anyone that didn't win an ethicalhacker.net contest I mean)



Title: Re: Web App Pen Testing training
Post by: m0wgli on November 13, 2012, 03:32:32 PM
Quote
Thanks for the mention m0wgli. It really was a pretty great course for what it was (2 days really limits how deep you can cover material) but definitely not free (for anyone that didn't win an ethicalhacker.net contest I mean)

@tturner I thought it worth mentioning as it's a well written review. I recently took the CSTA course (in the UK) and was really impressed with the quality of the course materials as well as the instructors (Jerome/Owen).

@waynegs You may be aware of these already but there are lots of vulnerable-by-design webapps available for learning. Using these in conjunction with the WAHH2 you can learn a lot.

The link below has most of the well known ones:

http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html

Another recent addition not included in the link above, which is worth a look:

https://hack.me/


Title: Re: Web App Pen Testing training
Post by: Seen on November 14, 2012, 12:43:56 AM
Just to reiterate what's already been said, I've told several people that the eLearnSecurity course is the best entry-level web security course out there.

It provides such a good foundation.  After taking the course, I started reading the WAHH, and I found the material in the book much easier to understand because of what I learned from the eCPPT.


Title: Re: Web App Pen Testing training
Post by: jinwald12 on November 15, 2012, 09:36:26 AM
For practicing and learning SQL injection I recommend this lab on a LAMP server: https://github.com/Audi-1/sqli-labs and if you get stuck, the developer of these labs has video tutorials on Security Tube.