Learn the Basics of the Web First

• Understand how the web works (HTTP requests/responses, cookies, sessions, headers).
• Learn HTML, CSS, JavaScript basics, you don’t need to code like a dev, but enough to read source and JS logic.

Don’t Just Read…

• Learn in practical labs like: Portswigger's Academy, HackTheBox / TryHackMe, DVWA, Juice Shop, vulnweb.

Start with Server Side Vulnerabilities

• Server-side vulnerabilities happen when the server (not the browser) mishandles requests, user input, or logic.
• Unlike client-side bugs (like DOM XSS), these usually expose data, logic, or control on the backend.
• Server-side bugs often have higher impact: data leaks, account takeovers, privilege escalation.
• They help you understand how the web really works beyond just HTML and JavaScript.

First Core Topics to Learn

• Broken Authentication & Session Issues
  • Weak login, poor password reset, session fixation.
  • (Good intro, teaches how servers track users).
• IDOR (Insecure Direct Object Reference)
  • Accessing /user/123 when you’re supposed to see only your data.
  • (Super common & beginner-friendly).
• SQL Injection
  • Classic server bug — learn parameterized queries vs unsafe concatenation.
  • Even if rare in bug bounties, still essential.
• Command Injection
  • When input reaches system commands (ping, cat, ls).
  • Teaches the danger of unsanitized input.
• File Upload Vulnerabilities
  • Uploading a PHP/ASP file disguised as an image.
  • Leads to webshells, RCE.
• SSRF (Server-Side Request Forgery)
  • Making the server fetch URLs (internal services, metadata endpoints).
  • High-impact, modern bug.
• Understand the root cause → not just payloads, but why did the server trust the input?

Read Writeups (but break them down)

• Follow bug bounty reports or CTF writeups.