Boost your career

The Web Security Academy is a strong step toward a career in cybersecurity.

Flexible learning

Learn anywhere, anytime, with free interactive labs and progress-tracking.

Learn from experts

Produced by a world-class team - led by the author of The Web Application Hacker's Handbook.

New topic: Web cache deception

Learn how to discover and exploit web cache deception vulnerabilities using new powerful techniques that exploit RFC ambiguities, bypassing the limitations of web cache deception attacks you may already be familiar with. Content and labs based on Gotta cache em all: bending the rules of web cache exploitation, first presented by PortSwigger Research at Black Hat USA 2024.

Up-to-the-minute learning resources

The Web Security Academy is a free online training center for web application security. It includes content from PortSwigger's in-house research team, experienced academics, and our Chief Swig Dafydd Stuttard - author of The Web Application Hacker's Handbook.

Unlike a textbook, the Academy is constantly updated. It also includes interactive labs where you can put what you learn to the test. If you want to improve your knowledge of hacking, or you'd like to become a bug bounty hunter or pentester, you're in the right place.

Satisfy your curiosity - safely and legally

We make Burp Suite - the leading software for web security testing. And we love our users (because they're the people who make Burp what it is). That's why we created the Web Security Academy. It's also why the Academy is 100% free.

The Web Security Academy exists to help anyone who wants to learn about web security in a safe and legal manner. You can access everything (for free) and track your progress by creating an account. Please see the sidebar for more information.

Hack like the pros do

Web security and ethical hacking are lucrative careers to get into, but they're often seen as dark and mysterious arts. The Web Security Academy smashes that stereotype. We make the latest application security knowledge available to everyone.

Some of our interactive labs will, by their nature, require you to use tools to solve them. But fear not. If you don't have access to Burp Suite Professional, then Burp Suite Community Edition allows you to experiment for free. Download Burp Suite here.

Web security training built for humans, not robots

Let's face it, some of the online web application training out there can be a bit dull. And isn't hacking supposed to be fun? We certainly think so. That's why we've taken a fully interactive approach when it comes to the design of our web security training.

While each topic in the Academy is fully explained in text, many also include video content to summarize key points. Then there are the interactive labs - realistic puzzles designed to test your skills as a hacker. These transfer directly over into real-life cybersecurity situations.

Track your progress, win cool swag

Although we designed the labs to be fun, that doesn't necessarily mean they're easy (because where would be the fun in that, right?). We also love a bit of competition here at the Web Security Academy - and that's how we came up with the idea for the Hall of Fame.

Every time we release a new lab, we'll announce it on Twitter. The first Web Security Academy users to solve the lab will win Burp Suite swag - as well as getting their name in the Hall of Fame for all to see. Of course, you can remain anonymous if you prefer.

All topics

SQL injection, XSS, CSRF, Clickjacking, CORS, XXE, SSRF, Request smuggling, Command injection, Server-side template injection, Insecure deserialization, Path traversal, Access control, Authentication, OAuth authentication, Business logic vulnerabilities, WebSockets, DOM-based, Web cache poisoning, HTTP Host header attacks, Information disclosure, File upload vulnerabilities, JWT attacks, Essential skills, Prototype pollution, GraphQL API vulnerabilities, Race conditions, NoSQL injection, API testing, Web LLM attacks, Web cache deception, Video guidelines, Credits
