Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Wow Where do I start as a beginner? On Web Security Academy??? Help plz

CHill | Last updated: Dec 05, 2019 03:27AM UTC

I'm a little overwhelmed with the Academy page. Is there an order to follow and build on? Where do I start as a beginner? On Web Security Academy??? Help plz

Ben, PortSwigger Agent | Last updated: Dec 05, 2019 08:25AM UTC

Hi, Our recommendation would be to start with the SQL Injection and Cross-site Scripting material. If you open up an individual lab then it will let you know what difficulty level it is aimed at (Apprentice, Practioner and Expert) so that should also give you an idea of the order that you should be following. Please let us know if you need any further assistance.

Jeremy | Last updated: Mar 11, 2020 02:49PM UTC

+1 for filters or subsections on the "all labs" screen. With over 100 labs it's pretty tedious tracking down labs of the appropriate difficulty. site:portswigger.net inurl:web-security "apprentice" in a Google search, looking for results with apprentice in all caps, and saving to bookmarks folder for now

Ben, PortSwigger Agent | Last updated: Mar 12, 2020 11:32AM UTC

Thanks for the addition feedback, Jeremy. I will add a feature request for this functionality into our development backlog and associate your ticket to this. Our developers can prioritze their resources based upon demand.

Michael | Last updated: Sep 21, 2020 01:56PM UTC

I wrote a script to group the labs by difficulty and topic: https://github.com/roberson-io/portswigger. You can refer to the list on my repo or run the script in the "labs" directory yourself. If you run it yourself, there's an option to prompt for your login and show the solve status for each lab, too.

Ashleymrei | Last updated: Sep 03, 2021 03:34PM UTC

Hello, Any updates on this? It's now 1 year later and you still cannot filter by difficulty. It took me a while to figure out where I should begin as well. It looks like all apprentice level items should be completed before Practitioner labs, but if we are supposed to complete all SQLi labs first, then Practitioner items will also be in that mix. Confusing for new comers.

Ben, PortSwigger Agent | Last updated: Sep 06, 2021 10:42AM UTC

Hi, Unfortunately, this functionality is still in our development backlog. I will add your interest to the existing feature request that we have in place for this so that our developers are fully aware of the demand for it. In terms of the structure of academy - the learning path has been organised in such a way that the topics that are conceptually easier to understand by users (such as SQL injection and authentication) are suggested as the first ones to look at (rather than jumping straight into things like HTTP request smuggling). The idea being that users with no prior experience can gradually improve their knowledge without being unnecessarily put off by being thrust into the deep end with overly complex concepts straight away. Within each individual topic there should also be a steady increase in complexity as new elements are introduced - in effect, a user is introduced to the basics of that topic area and then gradually exposed to more concepts so that they become more confident with that particular vulnerability type. If a user has a good handle on the information within a given topic area then I would not see any issues with them completing all of the labs within a given topic (even if there are a range of difficulty levels) because they should have been gradually increasing their knowledge of the concepts involved. Of course each user is free to tackle the web academy in any way they choose so could complete the Apprentice and/or Practitioner level labs before moving onto the next topic. The 'All Labs' page (https://portswigger.net/web-security/all-labs) could be used to determine which labs are still outstanding from each topic if they then want to return to complete the Expert level labs. Cheers Ben Wright Technical Product Specialist PortSwigger

Ashleymrei | Last updated: Sep 07, 2021 06:03PM UTC

Perhaps a better process would be categorizing each lab section by "apprentice, practitioner, expert" and within each lab section, label those labs as "Level 1, Level 2, Level 3"? Examples: SQL Injection section = Apprentice Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data = Level 1 (currently apprentice) Lab: SQL injection UNION attack, determining the number of columns returned by the query = Level 2 (currently practitioner) Cross-site Scripting section = Apprentice Lab: Reflected XSS into HTML context with nothing encoded = Level 1 (currently apprentice) Lab: Blind SQL injection with time delays and information retrieval = Level 2 (currently practitioner) Lab: Reflected XSS protected by CSP, with CSP bypass = Level 3 (currently expert) If this is not feasible then at least order the contents in the "All Labs" section logically. Right now the two SQLi Apprentice labs are all the way at the bottom of the list. We can't even argue that it goes in alphabetical order because "Blind SQL injection" is listed in the middle of the all SQLi labs. Under SQLi the first labs showing up are to perform UNION attacks, not the two apprentice labs...

Ben, PortSwigger Agent | Last updated: Sep 08, 2021 01:32PM UTC

Hi, Thank you for the feedback - we will pass it on to the Web Academy team!

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.