All learning materials - detailed

Clickjacking (UI redressing)
     What is clickjacking?
     How to construct a basic clickjacking attack
     Clickjacking with prefilled form input
     Frame busting scripts
     Combining clickjacking with a DOM XSS attack
     Multistep clickjacking
     How to prevent clickjacking attacks
          X-Frame-Options
          Content Security Policy (CSP)
HTTP request smuggling
     What is HTTP request smuggling?
     What happens in an HTTP request smuggling attack?
     How do HTTP request smuggling vulnerabilities arise?
     How to perform an HTTP request smuggling attack
          CL.TE vulnerabilities
          TE.CL vulnerabilities
          TE.TE behavior: obfuscating the TE header
     How to prevent HTTP request smuggling vulnerabilities
     Finding HTTP request smuggling vulnerabilities
          Finding HTTP request smuggling vulnerabilities using timing techniques
               Finding CL.TE vulnerabilities using timing techniques
               Finding TE.CL vulnerabilities using timing techniques
          Confirming HTTP request smuggling vulnerabilities using differential responses
               Confirming CL.TE vulnerabilities using differential responses
               Confirming TE.CL vulnerabilities using differential responses
     Exploiting HTTP request smuggling vulnerabilities
          Using HTTP request smuggling to bypass front-end security controls
          Revealing front-end request rewriting
          Capturing other users' requests
          Using HTTP request smuggling to exploit reflected XSS
          Using HTTP request smuggling to turn an on-site redirect into an open redirect
          Using HTTP request smuggling to perform web cache poisoning
          Using HTTP request smuggling to perform web cache deception
Cross-site request forgery (CSRF)
     What is CSRF?
     What is the impact of a CSRF attack?
     How does CSRF work?
     How to construct a CSRF attack
     How to deliver a CSRF exploit
     Preventing CSRF attacks
     Common CSRF vulnerabilities
          Validation of CSRF token depends on request method
          Validation of CSRF token depends on token being present
          CSRF token is not tied to the user session
          CSRF token is tied to a non-session cookie
          CSRF token is simply duplicated in a cookie
     Referer-based defenses against CSRF
          Validation of Referer depends on header being present
          Validation of Referer can be circumvented
     Defending against CSRF with SameSite cookies
     XSS vs CSRF
          What is the difference between XSS and CSRF?
          Can CSRF tokens prevent XSS attacks?
     CSRF tokens
          What are CSRF tokens?
          How should CSRF tokens be generated?
          How should CSRF tokens be transmitted?
          How should CSRF tokens be validated?
Server-side request forgery (SSRF)
     What is SSRF?
     What is the impact of SSRF attacks?
     Common SSRF attacks
          SSRF attacks against the server itself
          SSRF attacks against other back-end systems
     Circumventing common SSRF defenses
          SSRF with blacklist-based input filters
          SSRF with whitelist-based input filters
          Bypassing SSRF filters via open redirection
     Blind SSRF vulnerabilities
     Finding hidden attack surface for SSRF vulnerabilities
          Partial URLs in requests
          URLs within data formats
          SSRF via the Referer header
     Blind SSRF vulnerabilities
          What is blind SSRF?
          What is the impact of blind SSRF vulnerabilities?
          How to find and exploit blind SSRF vulnerabilities
XML external entity (XXE) injection
     What is XML external entity injection?
     How do XXE vulnerabilities arise?
     What are the types of XXE attacks?
     Exploiting XXE to retrieve files
     Exploiting XXE to perform SSRF attacks
     Blind XXE vulnerabilities
     Finding hidden attack surface for XXE injection
          XInclude attacks
          XXE attacks via file upload
          XXE attacks via modified content type
     How to find and test for XXE vulnerabilities
     How to prevent XXE vulnerabilities
     XML entities
          What is XML?
          What are XML entities?
          What is document type definition?
          What are XML custom entities?
          What are XML external entities?
     Finding and exploiting blind XXE vulnerabilities
          What is blind XXE?
          Detecting blind XXE using out-of-band (OAST) techniques
          Exploiting blind XXE to exfiltrate data out-of-band
          Exploiting blind XXE to retrieve data via error messages
          Exploiting blind XXE by repurposing a local DTD
               Locating an existing DTD file to repurpose
SQL injection
     What is SQL injection (SQLi)?
     What is the impact of a successful SQL injection attack?
     SQL injection examples
     Retrieving hidden data
     Subverting application logic
     Retrieving data from other database tables
     Examining the database
     Blind SQL injection vulnerabilities
     How to detect SQL injection vulnerabilities
     SQL injection in different parts of the query
     Second-order SQL injection
     Database-specific factors
     How to prevent SQL injection
     SQL injection UNION attacks
          Determining the number of columns required in an SQL injection UNION attack
          Finding columns with a useful data type in an SQL injection UNION attack
          Using an SQL injection UNION attack to retrieve interesting data
          Retrieving multiple values within a single column
     Examining the database in SQL injection attacks
          Querying the database type and version
          Listing the contents of the database
               Equivalent to information schema on Oracle
     Blind SQL injection
          What is blind SQL injection?
          Exploiting blind SQL injection by triggering conditional responses
          Inducing conditional responses by triggering SQL errors
          Exploiting blind SQL injection by triggering time delays
          Exploiting blind SQL injection using out-of-band (OAST) techniques
          How to prevent blind SQL injection attacks?
     SQL injection cheat sheet
          String concatenation
          Substring
          Comments
          Database version
          Database contents
          Conditional errors
          Batched (or stacked) queries
          Time delays
          Conditional time delays
          DNS lookup
          DNS lookup with data exfiltration
Cross-site scripting
     What is cross-site scripting (XSS)?
     How does XSS work?
     What are the types of XSS attacks?
     Reflected cross-site scripting
     Stored cross-site scripting
     DOM-based cross-site scripting
     What can XSS be used for?
     Impact of XSS vulnerabilities
     How to find and test for XSS vulnerabilities
     How to prevent XSS attacks
     Common questions about cross-site scripting
     Reflected XSS
          What is reflected cross-site scripting?
          Impact of reflected XSS attacks
          Reflected XSS in different contexts
          How to find and test for reflected XSS vulnerabilities
          Common questions about reflected cross-site scripting
     Cross-site scripting contexts
          XSS between HTML tags
          XSS in HTML tag attributes
          XSS into JavaScript
               Terminating the existing script
               Breaking out of a JavaScript string
               Making use of HTML-encoding
               XSS in JavaScript template literals
     XSS cheat sheet
          Event handlers
               Event handlers that do not require user interaction
               Event handlers that do require user interaction
          Protocols
          Other useful attributes
          Special tags
          Encoding
          Obfuscation
          Client-side template injection
               AngularJS sandbox escapes reflected
               DOM based AngularJS sandbox escapes
               AngularJS CSP bypasses
          Scriptless attacks
               Dangling markup
          Polyglots
          Classic vectors (XSS crypt)
     Stored XSS
          What is stored cross-site scripting?
          Impact of stored XSS attacks
          Stored XSS in different contexts
          How to find and test for stored XSS vulnerabilities
     DOM-based XSS
          What is DOM-based cross-site scripting?
          How to test for DOM-based cross-site scripting
               Testing HTML sinks
               Testing JavaScript execution sinks
          Exploiting DOM XSS with different sources and sinks
          DOM XSS combined with reflected and stored data
     Exploiting cross-site scripting vulnerabilities
          Exploiting cross-site scripting to steal cookies
          Exploiting cross-site scripting to capture passwords
          Exploiting cross-site scripting to perform CSRF
OS command injection
     What is OS command injection?
     Executing arbitrary commands
     Useful commands
     Blind OS command injection vulnerabilities
          Detecting blind OS command injection using time delays
          Exploiting blind OS command injection by redirecting output
          Exploiting blind OS command injection using out-of-band (OAST) techniques
     Ways of injecting OS commands
     How to prevent OS command injection attacks
Directory traversal
     What is directory traversal?
     Reading arbitrary files via directory traversal
     Common obstacles to exploiting file path traversal vulnerabilities
     How to prevent a directory traversal attack
Testing for WebSockets security vulnerabilities
     WebSockets
     Manipulating WebSocket traffic
          Intercepting and modifying WebSocket messages
          Replaying and generating new WebSocket messages
          Manipulating WebSocket connections
     WebSockets security vulnerabilities
          Manipulating WebSocket messages to exploit vulnerabilities
          Manipulating the WebSocket handshake to exploit vulnerabilities
          Using cross-site WebSockets to exploit vulnerabilities
     How to secure a WebSocket connection
     What are WebSockets?
          What is the difference between HTTP and WebSockets?
          How are WebSocket connections established?
          What do WebSocket messages look like?
     Cross-site WebSocket hijacking
          What is cross-site WebSocket hijacking?
          What is the impact of cross-site WebSocket hijacking?
          Performing a cross-site WebSocket hijacking attack