
All learning materials - detailed

Access control vulnerabilities and privilege escalation
     What is access control?
          Vertical access controls
          Horizontal access controls
          Context-dependent access controls
     Examples of broken access controls
          Vertical privilege escalation
          Horizontal privilege escalation
          Horizontal to vertical privilege escalation
          Insecure direct object references
          Access control vulnerabilities in multi-step processes
          Referer-based access control
          Location-based access control
     How to prevent access control vulnerabilities
     Access control security models
          What are access control security models?
          Programmatic access control
          Discretionary access control (DAC)
          Mandatory access control (MAC)
          Role-based access control (RBAC)
     Insecure direct object references (IDOR)
          What are insecure direct object references (IDOR)?
          IDOR examples
               IDOR vulnerability with direct reference to database objects
               IDOR vulnerability with direct reference to static files
Cross-origin resource sharing (CORS)
     What is CORS (cross-origin resource sharing)?
     Same-origin policy
     Relaxation of the same-origin policy
     Vulnerabilities arising from CORS configuration issues
          Server-generated ACAO header from client-specified Origin header
          Errors parsing Origin headers
          Whitelisted null origin value
          Exploiting XSS via CORS trust relationships
          Breaking TLS with poorly configured CORS
          Intranets and CORS without credentials
     How to prevent CORS-based attacks
          Proper configuration of cross-domain requests
          Only allow trusted sites
          Avoid whitelisting null
          Avoid wildcards in internal networks
          CORS is not a substitute for server-side security policies
     Same-origin policy (SOP)
          What is the same-origin policy?
          Why is the same-origin policy necessary?
          How is the same-origin policy implemented?
     CORS and the Access-Control-Allow-Origin response header
          What is the Access-Control-Allow-Origin response header?
          Implementing simple cross-origin resource sharing
          Handling cross-origin resource requests with credentials
          Relaxation of CORS specifications with wildcards
          Pre-flight checks
          Does CORS protect against CSRF?
Clickjacking (UI redressing)
     What is clickjacking?
     How to construct a basic clickjacking attack
     Clickjacking with prefilled form input
     Frame busting scripts
     Combining clickjacking with a DOM XSS attack
     Multistep clickjacking
     How to prevent clickjacking attacks
          Content Security Policy (CSP)
Testing for WebSockets security vulnerabilities
     Manipulating WebSocket traffic
          Intercepting and modifying WebSocket messages
          Replaying and generating new WebSocket messages
          Manipulating WebSocket connections
     WebSockets security vulnerabilities
          Manipulating WebSocket messages to exploit vulnerabilities
          Manipulating the WebSocket handshake to exploit vulnerabilities
          Using cross-site WebSockets to exploit vulnerabilities
     How to secure a WebSocket connection
     What are WebSockets?
          What is the difference between HTTP and WebSockets?
          How are WebSocket connections established?
          What do WebSocket messages look like?
     Cross-site WebSocket hijacking
          What is cross-site WebSocket hijacking?
          What is the impact of cross-site WebSocket hijacking?
          Performing a cross-site WebSocket hijacking attack
SQL injection
     What is SQL injection (SQLi)?
     What is the impact of a successful SQL injection attack?
     SQL injection examples
     Retrieving hidden data
     Subverting application logic
     Retrieving data from other database tables
     Examining the database
     Blind SQL injection vulnerabilities
     How to detect SQL injection vulnerabilities
     SQL injection in different parts of the query
     Second-order SQL injection
     Database-specific factors
     How to prevent SQL injection
     SQL injection UNION attacks
          Determining the number of columns required in an SQL injection UNION attack
          Finding columns with a useful data type in an SQL injection UNION attack
          Using an SQL injection UNION attack to retrieve interesting data
          Retrieving multiple values within a single column
     Examining the database in SQL injection attacks
          Querying the database type and version
          Listing the contents of the database
               Equivalent to information schema on Oracle
     Blind SQL injection
          What is blind SQL injection?
          Exploiting blind SQL injection by triggering conditional responses
          Inducing conditional responses by triggering SQL errors
          Exploiting blind SQL injection by triggering time delays
          Exploiting blind SQL injection using out-of-band (OAST) techniques
          How to prevent blind SQL injection attacks
     SQL injection cheat sheet
          String concatenation
          Database version
          Database contents
          Conditional errors
          Batched (or stacked) queries
          Time delays
          Conditional time delays
          DNS lookup
          DNS lookup with data exfiltration
Cross-site scripting
     What is cross-site scripting (XSS)?
     How does XSS work?
     What are the types of XSS attacks?
     Reflected cross-site scripting
     Stored cross-site scripting
     DOM-based cross-site scripting
     What can XSS be used for?
     Impact of XSS vulnerabilities
     How to find and test for XSS vulnerabilities
     Content security policy
     Dangling markup injection
     How to prevent XSS attacks
     Common questions about cross-site scripting
     Reflected XSS
          What is reflected cross-site scripting?
          Impact of reflected XSS attacks
          Reflected XSS in different contexts
          How to find and test for reflected XSS vulnerabilities
          Common questions about reflected cross-site scripting
     Cross-site scripting contexts
          XSS between HTML tags
          XSS in HTML tag attributes
          XSS into JavaScript
               Terminating the existing script
               Breaking out of a JavaScript string
               Making use of HTML-encoding
               XSS in JavaScript template literals
          XSS in the context of the AngularJS sandbox
          AngularJS sandbox
               What is the AngularJS sandbox?
               How does the AngularJS sandbox work?
               How does an AngularJS sandbox escape work?
               How does an AngularJS CSP bypass work?
               How to prevent AngularJS injection
     Cross-site scripting (XSS) cheat sheet
          Event handlers
               Event handlers that do not require user interaction
               Event handlers that do require user interaction
          Restricted characters
          Other useful attributes
          Special tags
          Client-side template injection
               AngularJS sandbox escapes reflected
               DOM-based AngularJS sandbox escapes
               AngularJS CSP bypasses
          Scriptless attacks
               Dangling markup
          Classic vectors (XSS crypt)
     Stored XSS
          What is stored cross-site scripting?
          Impact of stored XSS attacks
          Stored XSS in different contexts
          How to find and test for stored XSS vulnerabilities
     DOM-based XSS
          What is DOM-based cross-site scripting?
          How to test for DOM-based cross-site scripting
               Testing HTML sinks
               Testing JavaScript execution sinks
          Exploiting DOM XSS with different sources and sinks
          DOM XSS combined with reflected and stored data
     Exploiting cross-site scripting vulnerabilities
          Exploiting cross-site scripting to steal cookies
          Exploiting cross-site scripting to capture passwords
          Exploiting cross-site scripting to perform CSRF
     Content security policy
          What is CSP (content security policy)?
          Mitigating XSS attacks using CSP
          Mitigating dangling markup attacks using CSP
          Bypassing CSP with policy injection
          Protecting against clickjacking using CSP
     Dangling markup injection
          What is dangling markup injection?
          How to prevent dangling markup attacks
     How to prevent XSS
          Encode data on output
          Validate input on arrival
               Whitelisting vs blacklisting
          Allowing "safe" HTML
          How to prevent XSS using a template engine
          How to prevent XSS in PHP
          How to prevent XSS client-side in JavaScript
          How to prevent XSS in jQuery
          Mitigating XSS using content security policy (CSP)
Cross-site request forgery (CSRF)
     What is CSRF?
     What is the impact of a CSRF attack?
     How does CSRF work?
     How to construct a CSRF attack
     How to deliver a CSRF exploit
     Preventing CSRF attacks
     Common CSRF vulnerabilities
          Validation of CSRF token depends on request method
          Validation of CSRF token depends on token being present
          CSRF token is not tied to the user session
          CSRF token is tied to a non-session cookie
          CSRF token is simply duplicated in a cookie
     Referer-based defenses against CSRF
          Validation of Referer depends on header being present
          Validation of Referer can be circumvented
     Defending against CSRF with SameSite cookies
     XSS vs CSRF
          What is the difference between XSS and CSRF?
          Can CSRF tokens prevent XSS attacks?
     CSRF tokens
          What are CSRF tokens?
          How should CSRF tokens be generated?
          How should CSRF tokens be transmitted?
          How should CSRF tokens be validated?
XML external entity (XXE) injection
     What is XML external entity injection?
     How do XXE vulnerabilities arise?
     What are the types of XXE attacks?
     Exploiting XXE to retrieve files
     Exploiting XXE to perform SSRF attacks
     Blind XXE vulnerabilities
     Finding hidden attack surface for XXE injection
          XInclude attacks
          XXE attacks via file upload
          XXE attacks via modified content type
     How to find and test for XXE vulnerabilities
     How to prevent XXE vulnerabilities
     XML entities
          What is XML?
          What are XML entities?
          What is document type definition?
          What are XML custom entities?
          What are XML external entities?
     Finding and exploiting blind XXE vulnerabilities
          What is blind XXE?
          Detecting blind XXE using out-of-band (OAST) techniques
          Exploiting blind XXE to exfiltrate data out-of-band
          Exploiting blind XXE to retrieve data via error messages
          Exploiting blind XXE by repurposing a local DTD
               Locating an existing DTD file to repurpose
Server-side request forgery (SSRF)
     What is SSRF?
     What is the impact of SSRF attacks?
     Common SSRF attacks
          SSRF attacks against the server itself
          SSRF attacks against other back-end systems
     Circumventing common SSRF defenses
          SSRF with blacklist-based input filters
          SSRF with whitelist-based input filters
          Bypassing SSRF filters via open redirection
     Blind SSRF vulnerabilities
     Finding hidden attack surface for SSRF vulnerabilities
          Partial URLs in requests
          URLs within data formats
          SSRF via the Referer header
     Blind SSRF vulnerabilities
          What is blind SSRF?
          What is the impact of blind SSRF vulnerabilities?
          How to find and exploit blind SSRF vulnerabilities
HTTP request smuggling
     What is HTTP request smuggling?
     What happens in an HTTP request smuggling attack?
     How do HTTP request smuggling vulnerabilities arise?
     How to perform an HTTP request smuggling attack
          CL.TE vulnerabilities
          TE.CL vulnerabilities
          TE.TE behavior: obfuscating the TE header
     How to prevent HTTP request smuggling vulnerabilities
     Finding HTTP request smuggling vulnerabilities
          Finding HTTP request smuggling vulnerabilities using timing techniques
               Finding CL.TE vulnerabilities using timing techniques
               Finding TE.CL vulnerabilities using timing techniques
          Confirming HTTP request smuggling vulnerabilities using differential responses
               Confirming CL.TE vulnerabilities using differential responses
               Confirming TE.CL vulnerabilities using differential responses
     Exploiting HTTP request smuggling vulnerabilities
          Using HTTP request smuggling to bypass front-end security controls
          Revealing front-end request rewriting
          Capturing other users' requests
          Using HTTP request smuggling to exploit reflected XSS
          Using HTTP request smuggling to turn an on-site redirect into an open redirect
          Using HTTP request smuggling to perform web cache poisoning
          Using HTTP request smuggling to perform web cache deception
OS command injection
     What is OS command injection?
     Executing arbitrary commands
     Useful commands
     Blind OS command injection vulnerabilities
          Detecting blind OS command injection using time delays
          Exploiting blind OS command injection by redirecting output
          Exploiting blind OS command injection using out-of-band (OAST) techniques
     Ways of injecting OS commands
     How to prevent OS command injection attacks
Directory traversal
     What is directory traversal?
     Reading arbitrary files via directory traversal
     Common obstacles to exploiting file path traversal vulnerabilities
     How to prevent a directory traversal attack