PentesterLab PRO Review

PentesterLab is a platform which provides both online and offline labs designed to teach the art of web application penetration testing and web security. The site offers a number of free exercises and a subscription-based PRO package which gives access to over 200+ private exercises. PentesterLab PRO have categorized exercises into groups called badges. In this case, a badge is just like a course; therefore, you will be rewarded certificates along with a total of up to 140 Group A CPE credits for ISC2 after completing those badges.


Soon after I passed my OSCP certification exam, I was looking for a course related to web application security in order to learn and improve my skills in this category. I came across a black box web app pentest course called Web Application Penetration Testing eXtreme (WAPTX) from eLearnSecurity and a white box web app pentest course called Advanced Web Attacks and Exploitation (AWAE) from Offensive Security (OffSec). However, both were way out of my reach for my current budget. Since I just wanted to get the more knowledge and hand-on lab on web application security instead of certification, I tried to find something else that is more affordable. I then found a review of PentesterLab which caught my interest as it reminded me about quality of Pentester Lab: Web For Pentester and Pentester Lab: Web For Pentester II in VulnHub. In addition, I found out that not all but most of things covered in WAPTX are listed within PentesterLab PRO while there is also a badge named Code Review which seems to cover some areas in AWAE as well. Therefore, I decided to give it a try.


There is no essential prerequisite required to attend PentesterLab, although a basic understanding of HTTP, Unix, Burp Suite/ZAP Proxy and Wireshark will be useful. Moreover, PentesterLab also provides a Bootcamp which should guide you through a learning path to get into security and especially web penetration testing. Although most of this is not original content and simply links to Wikipedia, books and other external sources, it’s really convenient to have everything laid out in a cohesive manner so you know where to go and how to progress. In addition, each section is coupled with hand-on for you to get your hands out of your pockets and start practicing your skills.

PentesterLab PRO

At the time of writing, PentesterLab PRO is comprised of 17 badges, each containing a mixture of exercises that vary in difficulty from Easy to Hard. For more information related to badge and corresponding group A CPE credits for ISC2, please refer to Badges section below. Exercises within each badge contain high-quality, detailed course material that provide an introduction to the subject, details of the vulnerability and how to exploit that. To mark an exercise as complete you must obtain and submit a flag as proof of completion. You are free to work through the exercises in whichever order you choose. If you get stuck on a particular exercise then you can simply move on and return to it later. The time to complete each exercise will vary depending on your experience and existing knowledge.

Walkthrough videos are available for most of exercises. It’s always good to do additional research yourself to learn more about each topic and then try to complete the exercise before referring to the walkthrough. Moreover, it can also be played slowly and stopped to give little hints at a time, or you could even watch them after you solved the exercise to see if there is any another ways to solve it.

PentesterLab PRO also provide a Hacktivity summary which details the number of exercises you have completed each day/week/month and is a useful way to track your progress at-a-glance.

I started off with badges like Introduction, Unix, PCAP and Essential, and I think all of these badges cover most of the basics and also provide you a foundation to build upon in your quest to learn web security. For more information on what are covered within these badges, please refer to the details in Badge section below. I then found JSON Web Token (JWT) exercises in Blue and Green badge very interesting as you can do these exercises manually or write some scripts to solve it. If you are new to cryptography and want to learn it, there are also exercises such as ECB, CBC, CBC-MAC, ECDSA, AES and Length Extension Attack for you to work on. Furthermore, there are badges such as White, Serialize, Java Serialize and Yellow that will teach you code execution using public exploits (CVE), vulnerabilities in deserialization and etc while other badges like Orange, Brown and Capture-The-Flag give you extra mile on other badges. For instant, Brown badge will give you harder exercises focusing on client-side attack while Orange badge covers more exercises related to public exploits. Moreover, you will also learn how to reverse engineer Android application package (APK file) with Android Badge and how to intercept communication with Intercept Badge. In addition, Authentication/Authorization Badge will teach you how to exploit SAML and OAuth2. Last but not least, Code Review Badge covers the discovery of weaknesses and vulnerabilities by performing source code review.

Final Thoughts

If you are a Capture the Flag (CTF) player, I think some badges you might have already learned by doing CTF challenges; however, PentesterLab PRO do a very good job in collecting various challenges into one place and make it very easy to learn, understand and practice. If you want to be a CTF player and do not know where to start, I think this platform is surely a good starting point for your CTF journey.

If you are a current or future PWK/OSCP student, I would recommend it as a supplement to the PWK/OSCP course materials on web application penetration testing since PWK/OSCP course materials just only scratches the surface of what PentesterLab PRO offers in this realm.

In short, I would say PentesterLab PRO won’t make you an expert or walk away writing zero-day web app exploits, but it is an excellent starting point for anyone that wishes to learn web application penetration testing and web security through hands-on and real-world examples.


If you are curious about what are offered by each PentesterLab PRO badge, you have come to a right place as we have listed details of badge name, corresponding amount of Group A CPE credits for ISC2 and exercises covered within each badge.

  • Introduction Badge (1 Group A CPE credits for ISC2)
    • Exploring platform
    • Basic web security
  • Unix Badge (5 Group A CPE credits for ISC2)
    • Navigating within Unix system
    • File compression utilities
    • SQL client
    • Unix task scheduler
    • Unix password cracking
    • Basic privilege escalation
  • Essential Badge (12 Group A CPE credits for ISC2)
    • Authentication
    • Authorization
    • Code Execution & Command Execution
    • Directory Traversal
    • File Inclusion (LFI & RFI)
    • LDAP Authentication
    • NoSQL & SQL Injection
    • Open Redirect
    • Server Side Request Forgery
    • Server Side template Injection
    • File Upload
    • XML Attack
    • Cross-Site Scripting
  • PCAP Badge (5 Group A CPE credits for ISC2)
    • Exploring Wireshark
    • Working with FTP, SMTP, POP, IMAP, DNS, HTTP and HTTPS protocol on Wireshark
  • White Badge (5 Group A CPE credits for ISC2)
    • Shellshock (CVE-2014-6271)
    • JSON Web Token (JWT)
    • From SQL Injection to Shell
    • Mod_jk Double-Decoding (CVE-2007-1860)
    • Pickle Code Execution
    • Electronic Code Book
  • Serialize Badge (5 Group A CPE credits for ISC2)
    • Java XMLDecoder
    • Jenkins Code Execution (CVE-2016-0792)
    • Spring ObjectInputStream
    • Rails Object Injection (CVE-2013-0156)
    • PHP API to Shell
  • Intercept Badge (6 Group A CPE credits for ISC2)
    • HTTP & HTTPS
    • Apple SSL (CVE-2011-0228 & CVE-2014-1266)
  • Yellow Badge (7 Group A CPE credits for ISC2)
    • PHPMailer RCE (CVE-2016-10033)
    • Ruby on Rails (CVE-2016-2098)
    • Cipher Block Chaining
    • Play Session Injection
    • Play XML Entities
    • JSON Web Token (JWT)
    • Struts s2-045 (CVE-2017-5638)
  • Blue Badge (11 Group A CPE credits for ISC2)
    • JSON Web Token (JWT)
    • Git Information Leak
    • Struts s2-052 (CVE-2017-9805)
    • CBC-MAC
    • Cisco Node-Jose (CVE-2018-0114 )
  • Capture-The-Flag Badge (11 Group A CPE credits for ISC2)
    • Ruby on Rails (CVE-2015-3224)
    • Werkzeug DEBUG
    • Padding Oracle
    • Luhn
    • Unickle
    • ECDSA
  • Android Badge (7 Group A CPE credits for ISC2)
    • APK File Extraction
    • Reverse Engineer
    • Obfuscation
    • Cryptography
  • Orange Badge (14 Group A CPE credits for ISC2)
    • Introduction to CSP
    • Cross-Site Request Forgery
    • JSON Cross-Site Request Forgery
    • XSS Include
    • SVG XSS
    • Go (CVE-2018-6574)
    • HTTPoxy/Golang HTTProxy (CVE-2016-5386)
    • Cross-Origin Resource Sharing
    • Cross-Site WebSocket Hijacking
    • postMessage()
    • Git (CVE-2018-11235)
    • Cross-Site Leak
  • Authentication / Authorization Badge (9 Group A CPE credits for ISC2)
    • SAML
    • OAuth2
    • Spring OAuth
  • Green Badge (24 Group A CPE credits for ISC2)
    • JSON Web Token (JWT)
    • GraphQL Introspection
    • Ruby 2.x Universal RCE Deserialization Gadget Chain
    • GraphQL: SQL Injection
    • Ruby on Rails (CVE-2019-5420)
    • From SQL injection to Shell
    • Length Extension Attack
    • Gogs RCE
    • Ruby on Rails (CVE-2019-5418)
    • IDOR to Shell
  • Brown Badge (8 Group A CPE credits for ISC2)
    • Signing Oracle
    • SSRF in PDF generation
    • JS Prototype Pollution
    • JSON Web Encryption
    • Apache Pluto RCE
    • Unicode and Uppercase
    • Unicode and Downcase
    • PHP phar://
    • Spring Actuators
    • From SQL injection to Shell
  • Code Review Badge (10 Group A CPE credits for ISC2)
    • Express
    • Flask
    • CGI node
    • Golang
    • JSON Web Token (JWT)
  • Java Serialize Badge (? Group A CPE credits for ISC2)
    • Exploit Java Deserialization

You may also like...

2 Responses

  1. Samarth Jain says:

    I recently subscribed for pentesterlab pro and it’s going great till now. But I want to ask about CPE’s. What are those CPE’s and what will happen if we get 140 CPE’s by completing all the badges. Sorry if it’s a silly question but I really want to know about this “140 Group A CPE credits for ISC2 ” thing.

    • KHroot says:

      If you are an ISC2 member which means that you have certified ISC2 certification exam such as Systems Security Certified Practitioner (SSCP), Certified Information Systems Security Professional (CISSP), Certified Authorization Professional (CAP), Certified Secure Software Lifecycle Professional (CSSLP), HealthCare Information Security and Privacy Practitioner (HCISPP) or Certified Cloud Security Professional (CCSP), you are required to earn and submit Continuing Professional Education (CPE) credits during three-year certification cycle in order to maintain the certification. For example, CISSP will need 120 Group A CPE credit during that 3 years (40 Group A CPE credit per year). For more information, please refer to this document (

Leave a Reply

%d bloggers like this: