
Web Attacks with Kali Linux (WEB-200)

Learn the foundations of web application assessments with Offensive Security’s new course, Web Attacks with Kali Linux (WEB-200), designed for job roles such as Web Application Penetration Testers, Pentesters, and Web Application Developers.

WEB-200 teaches students how to discover and exploit common web vulnerabilities, and how to exfiltrate sensitive data from target web applications. Students will obtain a wide variety of skill sets and competencies for web app assessments.

Students who complete the course and pass the associated exam earn the Offensive Security Web Assessor (OSWA) certification, demonstrating their ability to leverage modern web exploitation techniques on modern applications. A certified OSWA candidate is prepared to take on the Advanced Web Attacks and Exploitation (WEB-300) course.

Now including topics on Server Side Request Forgery (SSRF) and Command Injection!


How to buy WEB-200

Individual Course


  • 90 days of lab access
  • One exam attempt
  • Self-guided

Learn One


  • One course
  • 365 days of lab access
  • Two exam attempts
  • Plus exclusive content

Learn Unlimited


  • All online courses*
  • 365 days of lab access
  • Unlimited exam attempts
  • Plus exclusive content
* You could qualify for a discount with Aspire and Achieve
* AWE (EXP-401) is only taught in live classes.
* Financing for Learn One now available through Climb Credit with as little as 0% APR and up to 36 monthly payments.
Payment as low as $65.76 a month. Only available to US students.

Course Info


Students will learn how to:

  • Enumerate web applications and four common database management systems
  • Manually discover and exploit common web application vulnerabilities
  • Go beyond alert() and actually exploit other users with cross-site scripting
  • Exploit six different templating engines, often leading to RCE

About the exam

  • The OSWA exam is a proctored exam
  • The WEB-200 course and online lab prepare you for the OSWA certification

Who is the course for?

  • Job roles like: Web Penetration Testers, Pentesters, Web Application Developers, Application Security Analysts, Application Security Architects, and SOC Analysts and other blue team members
  • Anyone interested in expanding their understanding of Web Application Attacks, and/or Infra Pentesters looking to broaden their skill sets and Web App expertise

Course prerequisites

  • All prerequisites for WEB-200 can be found within the Offsec Fundamentals Program, included with a Learn subscription
  • Prerequisite Topics include:
    • WEB-100: Web Application Basics
    • WEB-100: Linux Basics 1 & 2
    • WEB-100: Networking Basics

New Training Subscriptions


Enjoy flexible learning options with the new Offensive Security Training Library subscriptions – Learn One and Learn Unlimited



Course Details


This course covers the following Topics. View the WEB-200 syllabus.

  • Tools for the Web Assessor
  • Cross Site Scripting (XSS) Introduction and Discovery
  • Cross Site Scripting (XSS) Exploitation and Case Study
  • Cross Origin Attacks
  • Introduction to SQL
  • SQL Injection (SQLi) and Case Study
  • Directory Traversal
  • XML External Entity (XXE) Processing
  • Server Side Template Injection (SSTI)
  • Server Side Request Forgery (SSRF)
  • Command Injection
  • Insecure Direct Object Referencing
  • Assembling the Pieces
  • Challenge Labs release 1
  • Challenge Labs release 2
  • Exam

Topics: All WEB-200 Topics contain text, videos, and exercises in the Offsec Training Library. Note that videos may or may not be released at the same time as the text is.

Topic Lab Machines: Lab machines that are included with each Topic relate to that Topic’s hands-on exercises and help students apply the skills they’ve learned to a specific subject matter. The scope of a Topic machine is simply that machine’s Topic. Topic Lab Machines are released together with the topic text.

Exercises: Topics include both question-and-answer type exercises, as well as hands-on exercises with Lab machines.

Challenge Labs: Challenge Labs are additional sets of machines that allow students to apply the techniques and skills they have learned in the whole course to novel scenarios. They are meant to consolidate the knowledge contained in the course material and Topic Labs. The scope of a Challenge Lab is the full course content.

  • Students will obtain a wide variety of skill sets and competencies for Web App Assessments
  • Students will learn foundational Black Box enumeration and exploitation techniques
  • Students will leverage modern web exploitation techniques on modern applications

The new Fundamental content covered in WEB-100, included with a Learn subscription, prepares you to take WEB-200. Topics include:

  • Introduction to Web Secure Coding
  • Web Attacker Methodology

With more Topics added frequently!

Course Pricing

All prices in US dollars. Subscribe to Learn One or contact our training consultants if you're purchasing Learn Unlimited.
Discounts may be available for a Learn One subscription.
