I'm new here and I want to ask you a question:

I’m passionate about hacking and I don’t know what to start with … I watched ‘’ 100 ‘’ of web hacking tutorials, but always when I started doing something I got stuck (I didn’t know what to do anymore).
where do you recommend me to start learning?
Sincerely, NnON


Where do you get stuck? On real websites?

If you ask me, the best way to learn stuff and have a good practice is to play wargames and read CTF writeups. You can check out https://www.wechall.net/. There a tons of websites for IT related challenges from coding to reversing and hacking. Almost always with a community in the background which is willing to support people when they face problems.

If you want to get really serious, i can just suggest HackTheBox or TryHackMe. If you want really good courses in a perfect testing eviroment, TryHackMe should be ideal for you. You may have to pay 10 bucks a month to unlock ALL rooms, but imoo it is fully worth. You have really good tutorial rooms with awesome explainations and links to extended knowledge, machines u can attack and test your new learned skills, a guided path for best learning results and a really nice community on discord. Their topics are also very wide spreaded, the Web parts are in my opinion good to understand and the vuln sites a kept realistic and challenging.


Hi there, i would highly recommend checking this video from Stök, he talks about there is alot of free resources where you can learn webhacking. Some places where you can learn and practice it is on Portswigger.net, hacker101.com.

Here is a direct link to the websites he talked about https://www.stokfredrik.com/bugbountytraining

Remember we are always here!

Good luck!


One thing that doesn’t always get touched on and I think really necessary if you are actually trying to be good at web hacking, is learning web development. You don’t need to be some coding guru for web hacking but just even a little bit of knowledge will accelerate your understanding and help you actually retain information. Instead of rushing to learn SQL injection, learn SQL first. Want to learn RCE? Learn how file uploads work. Etc etc.

Its “8 weeks” but it definitely does not take 8 weeks to finish this course. Some weeks are simply 1 hour of content so you could finish it pretty quickly. Building a web application, understanding HTTP, and all the things that go together will allow you to make sense of what you are trying to do.

I also am a fan of portswigger academy once you feel like you have basic understanding of how the web and the software work: Learning path | Web Security Academy - PortSwigger

You can rush and try and use a bunch of tools and blindly try to carry out web hacking but you’ll learn and develop much faster by getting the basics down first.

1 Like

All the suggestions here so far are good. Think about where you want to start. Web hacking is a great beginning! Like the others have suggested, make an account on PortSwigger’s site, download Burp Suite, and start solving their labs here: Web Security Academy: Free Online Training from PortSwigger. Their documentation is easy to understand and they offer labs ranging in all difficulties for you to test. They also have solutions if you get stuck, but the key is patience and persistence.

I would not recommend HackTheBox or some of those right off the bat; they usually require prerequisite knowledge on how to use basic tools and kind of assume that you know in general what to look for.

1 Like

I have to echo hydr8 that wargames and CTFs are a great way to learn/practice, at least for me. Two I’d recommend:

Natas from overthewire.org is a great wargame for server side web security. It is in only php but is good with fundamentals and has a great progression. First level is super easy, last one melts your brain, and every challenges seems doable after you’ve done the previous one.

And WeCTF is a good web only CTF. WeCTF+ is an explicitly educational one you can run locally and try to solve. And WeCTF 2021 is happening in a few days, if you’re free you should sign up!

1 Like