Can anyone recommend some web application pen testing training that is not quite as expensive as the sans classes?

I would love to find some online live or recorded instructor lead classes.

Thanks,

Wayne

eLearnSecurity

http://www.elearnsecurity.com/

You'll find many reviews on this site.

I'm currently doing eCPPT and it's fun. The main reason was it's focus on web pentesting. Furthermore it is a nice warming up for the OSCP certification if you want to go that way.

The course content consists of a OS/Application section, WebApp and Network section. For me most material I knew already however I picked up a few new things and have gained a better understanding of the webapp pentesting part (I prefer OS/applications though haha). Did not write the exam report yet but am getting there.

Any questions? let me know. Also get the web application hackers handbook 2nd edition, it covers a lot of the same info as this course.

+1 to WAHH2 and the corresponding MDSec labs.

eLearn has good web app material, and is certainly a good starting place, but it doesn't have the same breadth and depth.

I'd highly recommend Jeremy Druin's video series and Mutillidae. 79 videos and counting!

http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae

Also OWASP has a bunch of great materials as well. Here's a link to the OWASP education project https://www.owasp.org/index.php/Category:OWASP_Education_Project  and OWASP has teamed with Security Innovation to make OWASP Team Mentor available which is a nice resource. http://owasp.teammentor.net/teamMentor and then a free hacking lab for OWASP Top 10 at https://www.hacking-lab.com/events/registerform.html?eventid=245

Don't forget http://www.securitytube.net/tags/web . I also highly recommend WAHHv2. I have not done the MDSEC labs and have heard good things but I was focusing on free resources here.

@tturner I thought it worth mentioning as it's a well written review. I recently took the CSTA course (in the UK) and was really impressed with the quality of the course materials as well as the instructors (Jerome/Owen).

@waynegs You may be aware of these already but there are lots of vulnerable by design webapps available for learning. Using these in conjunction with the WAHH2 you can learn alot.

The link below has most of the well known ones:

http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html

Another recent addition not included in the link above, which is worth a look:

https://hack.me/

for practicing and learning SQL injection i reccomend this lab on a LAMP server: https://github.com/Audi-1/sqli-labs  and if you get stuck the developer of these labs has video tutorials on Security Tube