Login
Products
Solutions
Research
Academy
Daily Swig
Support
Support Center
Documentation
Releases
Extensibility
BApp Store
Training
Products
Solutions
Research
Academy
Support
Support Center
Documentation
Releases
Extensibility
BApp Store
Training
About
Blog
Login
Careers
Legal
Contact
Home
Daily Swig
Web Security Academy
All materials
Detailed
All learning materials - detailed
Insecure deserialization
What is serialization?
Serialization vs deserialization
What is insecure deserialization?
How do insecure deserialization vulnerabilities arise?
What is the impact of insecure deserialization?
How to exploit insecure deserialization vulnerabilities
How to prevent insecure deserialization vulnerabilities
Exploiting insecure deserialization vulnerabilities
How to identify insecure deserialization
PHP serialization format
Java serialization format
Manipulating serialized objects
Modifying object attributes
Modifying data types
Using application functionality
Magic methods
Injecting arbitrary objects
Gadget chains
Working with pre-built gadget chains
Working with documented gadget chains
Creating your own exploit
PHAR deserialization
Exploiting deserialization using memory corruption
Authentication
What is authentication?
What is the difference between authentication and authorization?
How do authentication vulnerabilities arise?
What is the impact of vulnerable authentication?
Vulnerabilities in authentication mechanisms
Preventing attacks on your own authentication mechanisms
Vulnerabilities in password-based login
Brute-force attacks
Brute-forcing usernames
Brute-forcing passwords
Username enumeration
Flawed brute-force protection
Account locking
User rate limiting
HTTP basic authentication
Vulnerabilities in multi-factor authentication
Two-factor authentication tokens
Bypassing two-factor authentication
Flawed two-factor verification logic
Brute-forcing 2FA verification codes
Vulnerabilities in other authentication mechanisms
Keeping users logged in
Resetting user passwords
Sending passwords by email
Resetting passwords using a URL
Password reset poisoning
Changing user passwords
Authentication lab usernames
Authentication lab passwords
How to secure your authentication mechanisms
Take care with user credentials
Don't count on users for security
Prevent username enumeration
Implement robust brute-force protection
Triple-check your verification logic
Don't forget supplementary functionality
Implement proper multi-factor authentication
Server-side template injection
What is server-side template injection?
What is the impact of server-side template injection?
How do server-side template injection vulnerabilities arise?
Constructing a server-side template injection attack
Detect
Identify
Exploit
How to prevent server-side template injection vulnerabilities
Exploiting server-side template injection vulnerabilities
Read
Learn the basic template syntax
Read about the security implications
Look for known exploits
Explore
Developer-supplied objects
Create a custom attack
Constructing a custom exploit using an object chain
Constructing a custom exploit using developer-supplied objects
Web cache poisoning
What is web cache poisoning?
How does a web cache work?
What is the impact of a web cache poisoning attack?
Constructing a web cache poisoning attack
Identify and evaluate unkeyed inputs
Param Miner
Elicit a harmful response from the back-end server
Get the response cached
Exploiting web cache poisoning vulnerabilities
How to prevent web cache poisoning vulnerabilities
Exploiting web cache poisoning vulnerabilities
Using web cache poisoning to deliver an XSS attack
Using web cache poisoning to exploit unsafe handling of resource imports
Using web cache poisoning to exploit cookie-handling vulnerabilities
Using multiple headers to exploit web cache poisoning vulnerabilities
Exploiting responses that expose too much information
Cache-control directives
Vary header
Using web cache poisoning to exploit DOM-based vulnerabilities
Chaining web cache poisoning vulnerabilities
SQL injection
What is SQL injection (SQLi)?
What is the impact of a successful SQL injection attack?
SQL injection examples
Retrieving hidden data
Subverting application logic
Retrieving data from other database tables
Examining the database
Blind SQL injection vulnerabilities
How to detect SQL injection vulnerabilities
SQL injection in different parts of the query
Second-order SQL injection
Database-specific factors
How to prevent SQL injection
SQL injection UNION attacks
Determining the number of columns required in an SQL injection UNION attack
Finding columns with a useful data type in an SQL injection UNION attack
Using an SQL injection UNION attack to retrieve interesting data
Retrieving multiple values within a single column
Examining the database in SQL injection attacks
Querying the database type and version
Listing the contents of the database
Equivalent to information schema on Oracle
Blind SQL injection
What is blind SQL injection?
Exploiting blind SQL injection by triggering conditional responses
Inducing conditional responses by triggering SQL errors
Exploiting blind SQL injection by triggering time delays
Exploiting blind SQL injection using out-of-band (OAST) techniques
How to prevent blind SQL injection attacks?
SQL injection cheat sheet
String concatenation
Substring
Comments
Database version
Database contents
Conditional errors
Batched (or stacked) queries
Time delays
Conditional time delays
DNS lookup
DNS lookup with data exfiltration
Cross-site scripting
What is cross-site scripting (XSS)?
How does XSS work?
What are the types of XSS attacks?
Reflected cross-site scripting
Stored cross-site scripting
DOM-based cross-site scripting
What can XSS be used for?
Impact of XSS vulnerabilities
How to find and test for XSS vulnerabilities
Content security policy
Dangling markup injection
How to prevent XSS attacks
Common questions about cross-site scripting
Reflected XSS
What is reflected cross-site scripting?
Impact of reflected XSS attacks
Reflected XSS in different contexts
How to find and test for reflected XSS vulnerabilities
Common questions about reflected cross-site scripting
Cross-site scripting contexts
XSS between HTML tags
XSS in HTML tag attributes
XSS into JavaScript
Terminating the existing script
Breaking out of a JavaScript string
Making use of HTML-encoding
XSS in JavaScript template literals
XSS in the context of the AngularJS sandbox
AngularJS sandbox
What is the AngularJS sandbox?
How does the AngularJS sandbox work?
How does an AngularJS sandbox escape work?
How does an AngularJS CSP bypass work?
How to prevent AngularJS injection
Cross-site scripting (XSS) cheat sheet
Event handlers
Event handlers that do not require user interaction
Event handlers that do require user interaction
Restricted characters
Frameworks
Protocols
Other useful attributes
Special tags
Encoding
Obfuscation
Client-side template injection
Vuejs reflected
AngularJS sandbox escapes reflected
DOM based AngularJS sandbox escapes
AngularJS CSP bypasses
Scriptless attacks
Dangling markup
Polyglots
WAF bypass global objects
Impossible labs
Classic vectors (XSS crypt)
Stored XSS
What is stored cross-site scripting?
Impact of stored XSS attacks
Stored XSS in different contexts
How to find and test for stored XSS vulnerabilities
DOM-based XSS
What is DOM-based cross-site scripting?
How to test for DOM-based cross-site scripting
Testing HTML sinks
Testing JavaScript execution sinks
Exploiting DOM XSS with different sources and sinks
DOM XSS combined with reflected and stored data
Which sinks can lead to DOM-XSS vulnerabilities?
How to prevent DOM-XSS vulnerabilities
Exploiting cross-site scripting vulnerabilities
Exploiting cross-site scripting to steal cookies
Exploiting cross-site scripting to capture passwords
Exploiting cross-site scripting to perform CSRF
Content security policy
What is CSP (content security policy)?
Mitigating XSS attacks using CSP
Mitigating dangling markup attacks using CSP
Bypassing CSP with policy injection
Protecting against clickjacking using CSP
Dangling markup injection
What is dangling markup injection?
How to prevent dangling markup attacks
How to prevent XSS
Encode data on output
Validate input on arrival
Whitelisting vs blacklisting
Allowing "safe" HTML
How to prevent XSS using a template engine
How to prevent XSS in PHP
How to prevent XSS client-side in JavaScript
How to prevent XSS in jQuery
Mitigating XSS using content security policy (CSP)
Cross-site request forgery (CSRF)
What is CSRF?
What is the impact of a CSRF attack?
How does CSRF work?
How to construct a CSRF attack
How to deliver a CSRF exploit
Preventing CSRF attacks
Common CSRF vulnerabilities
Validation of CSRF token depends on request method
Validation of CSRF token depends on token being present
CSRF token is not tied to the user session
CSRF token is tied to a non-session cookie
CSRF token is simply duplicated in a cookie
Referer-based defenses against CSRF
Validation of Referer depends on header being present
Validation of Referer can be circumvented
Defending against CSRF with SameSite cookies
XSS vs CSRF
What is the difference between XSS and CSRF?
Can CSRF tokens prevent XSS attacks?
CSRF tokens
What are CSRF tokens?
How should CSRF tokens be generated?
How should CSRF tokens be transmitted?
How should CSRF tokens be validated?
XML external entity (XXE) injection
What is XML external entity injection?
How do XXE vulnerabilities arise?
What are the types of XXE attacks?
Exploiting XXE to retrieve files
Exploiting XXE to perform SSRF attacks
Blind XXE vulnerabilities
Finding hidden attack surface for XXE injection
XInclude attacks
XXE attacks via file upload
XXE attacks via modified content type
How to find and test for XXE vulnerabilities
How to prevent XXE vulnerabilities
XML entities
What is XML?
What are XML entities?
What is document type definition?
What are XML custom entities?
What are XML external entities?
Finding and exploiting blind XXE vulnerabilities
What is blind XXE?
Detecting blind XXE using out-of-band (OAST) techniques
Exploiting blind XXE to exfiltrate data out-of-band
Exploiting blind XXE to retrieve data via error messages
Exploiting blind XXE by repurposing a local DTD
Locating an existing DTD file to repurpose
Clickjacking (UI redressing)
What is clickjacking?
How to construct a basic clickjacking attack
Clickjacking with prefilled form input
Frame busting scripts
Combining clickjacking with a DOM XSS attack
Multistep clickjacking
How to prevent clickjacking attacks
X-Frame-Options
Content Security Policy (CSP)
Cross-origin resource sharing (CORS)
What is CORS (cross-origin resource sharing)?
Same-origin policy
Relaxation of the same-origin policy
Vulnerabilities arising from CORS configuration issues
Server-generated ACAO header from client-specified Origin header
Errors parsing Origin headers
Whitelisted null origin value
Exploiting XSS via CORS trust relationships
Breaking TLS with poorly configured CORS
Intranets and CORS without credentials
How to prevent CORS-based attacks
Proper configuration of cross-domain requests
Only allow trusted sites
Avoid whitelisting null
Avoid wildcards in internal networks
CORS is not a substitute for server-side security policies
Same-origin policy (SOP)
What is the same-origin policy?
Why is the same-origin policy necessary?
How is the same-origin policy implemented?
CORS and the Access-Control-Allow-Origin response header
What is the Access-Control-Allow-Origin response header?
Implementing simple cross-origin resource sharing
Handling cross-origin resource requests with credentials
Relaxation of CORS specifications with wildcards
Pre-flight checks
Does CORS protect against CSRF?
Server-side request forgery (SSRF)
What is SSRF?
What is the impact of SSRF attacks?
Common SSRF attacks
SSRF attacks against the server itself
SSRF attacks against other back-end systems
Circumventing common SSRF defenses
SSRF with blacklist-based input filters
SSRF with whitelist-based input filters
Bypassing SSRF filters via open redirection
Blind SSRF vulnerabilities
Finding hidden attack surface for SSRF vulnerabilities
Partial URLs in requests
URLs within data formats
SSRF via the Referer header
Blind SSRF vulnerabilities
What is blind SSRF?
What is the impact of blind SSRF vulnerabilities?
How to find and exploit blind SSRF vulnerabilities
HTTP request smuggling
What is HTTP request smuggling?
What happens in an HTTP request smuggling attack?
How do HTTP request smuggling vulnerabilities arise?
How to perform an HTTP request smuggling attack
CL.TE vulnerabilities
TE.CL vulnerabilities
TE.TE behavior: obfuscating the TE header
How to prevent HTTP request smuggling vulnerabilities
Finding HTTP request smuggling vulnerabilities
Finding HTTP request smuggling vulnerabilities using timing techniques
Finding CL.TE vulnerabilities using timing techniques
Finding TE.CL vulnerabilities using timing techniques
Confirming HTTP request smuggling vulnerabilities using differential responses
Confirming CL.TE vulnerabilities using differential responses
Confirming TE.CL vulnerabilities using differential responses
Exploiting HTTP request smuggling vulnerabilities
Using HTTP request smuggling to bypass front-end security controls
Revealing front-end request rewriting
Capturing other users' requests
Using HTTP request smuggling to exploit reflected XSS
Using HTTP request smuggling to turn an on-site redirect into an open redirect
Using HTTP request smuggling to perform web cache poisoning
Using HTTP request smuggling to perform web cache deception
OS command injection
What is OS command injection?
Executing arbitrary commands
Useful commands
Blind OS command injection vulnerabilities
Detecting blind OS command injection using time delays
Exploiting blind OS command injection by redirecting output
Exploiting blind OS command injection using out-of-band (OAST) techniques
Ways of injecting OS commands
How to prevent OS command injection attacks
Directory traversal
What is directory traversal?
Reading arbitrary files via directory traversal
Common obstacles to exploiting file path traversal vulnerabilities
How to prevent a directory traversal attack
Access control vulnerabilities and privilege escalation
What is access control?
Vertical access controls
Horizontal access controls
Context-dependent access controls
Examples of broken access controls
Vertical privilege escalation
Horizontal privilege escalation
Horizontal to vertical privilege escalation
Insecure direct object references
Access control vulnerabilities in multi-step processes
Referer-based access control
Location-based access control
How to prevent access control vulnerabilities
Access control security models
What are access control security models?
Programmatic access control
Discretionary access control (DAC)
Mandatory access control (MAC)
Role-based access control (RBAC)
Insecure direct object references (IDOR)
What are insecure direct object references (IDOR)?
IDOR examples
IDOR vulnerability with direct reference to database objects
IDOR vulnerability with direct reference to static files
Testing for WebSockets security vulnerabilities
WebSockets
Manipulating WebSocket traffic
Intercepting and modifying WebSocket messages
Replaying and generating new WebSocket messages
Manipulating WebSocket connections
WebSockets security vulnerabilities
Manipulating WebSocket messages to exploit vulnerabilities
Manipulating the WebSocket handshake to exploit vulnerabilities
Using cross-site WebSockets to exploit vulnerabilities
How to secure a WebSocket connection
What are WebSockets?
What is the difference between HTTP and WebSockets?
How are WebSocket connections established?
What do WebSocket messages look like?
Cross-site WebSocket hijacking
What is cross-site WebSocket hijacking?
What is the impact of cross-site WebSocket hijacking?
Performing a cross-site WebSocket hijacking attack
DOM-based vulnerabilities
What is the DOM?
Taint-flow vulnerabilities
What is taint flow?
Common sources
Which sinks can lead to DOM-based vulnerabilities?
How to prevent DOM-based taint-flow vulnerabilities
DOM clobbering
Controlling the web-message source
What is the impact of DOM-based web-message vulnerabilities?
How to construct an attack using web messages as the source
Origin verification
Which sinks can lead to DOM-based web-message vulnerabilities?
DOM-based open redirection
What is DOM-based open redirection?
What is the impact of DOM-based open redirection?
Which sinks can lead to DOM-based open-redirection vulnerabilities?
How to prevent DOM-based open-redirection vulnerabilities
DOM-based cookie manipulation
What is DOM-based cookie manipulation?
What is the impact of a DOM-based cookie-manipulation attack?
Which sinks can lead to DOM-based cookie-manipulation vulnerabilities?
How to prevent DOM-based cookie-manipulation vulnerabilities
DOM-based JavaScript injection
What is DOM-based JavaScript injection?
What is the impact of a DOM-based JavaScript-injection attack?
Which sinks can lead to DOM-based JavaScript-injection vulnerabilities?
How to prevent DOM-based JavaScript-injection vulnerabilities
DOM-based document-domain manipulation
What is DOM-based document-domain manipulation?
Which sinks can lead to DOM-based document-domain manipulation vulnerabilities?
How to prevent DOM-based document-domain manipulation vulnerabilities
DOM-based WebSocket-URL poisoning
What is DOM-based WebSocket-URL poisoning?
What is the impact of WebSocket-URL poisoning?
Which sinks can lead to WebSocket-URL poisoning vulnerabilities?
How to prevent DOM-based WebSocket-URL poisoning vulnerabilities
DOM-based link manipulation
What is DOM-based link manipulation?
What is the impact of a DOM-based link-manipulation attack?
Which sinks can lead to DOM-based link-manipulation vulnerabilities?
How to prevent DOM-based link-manipulation vulnerabilities
Web-message manipulation
What is DOM-based web-message manipulation?
Which sinks can lead to DOM-based web-message manipulation vulnerabilities?
How to prevent DOM-based web-message manipulation
DOM-based Ajax request-header manipulation
What is DOM-based Ajax request-header manipulation?
What is the impact of DOM-based Ajax request-header manipulation?
Which sinks can lead to DOM-based Ajax request-header manipulation vulnerabilities?
How to prevent DOM-based Ajax request-header manipulation
DOM-based local file-path manipulation
What is DOM-based local file-path manipulation?
What is the impact of DOM-based local file-path manipulation?
Which sinks can lead to DOM-based local file-path manipulation vulnerabilities?
How to prevent DOM-based local file-path manipulation vulnerabilities
DOM-based client-side SQL injection
What is DOM-based client-side SQL injection?
What is the impact of DOM-based client-side SQL injection?
Which sinks can lead to DOM-based client-side SQL-injection vulnerabilities?
How to prevent DOM-based client-side SQL-injection vulnerabilities
DOM-based HTML5-storage manipulation
What is DOM-based HTML5-storage manipulation?
Which sinks can lead to DOM-based HTML5-storage manipulation vulnerabilities?
How to prevent DOM-based HTML5-storage manipulation vulnerabilities
DOM-based client-side XPath injection
What is DOM-based XPath injection?
What is the impact of DOM-based XPath injection?
Which sinks can lead to XPath-injection vulnerabilities?
How to prevent DOM-based XPath-injection vulnerabilities
DOM-based client-side JSON injection
What is DOM-based JSON injection?
What is the impact of a DOM-based JSON-injection attack?
Which sinks can lead to DOM-based JSON-injection vulnerabilities?
How to prevent client-side JSON-injection vulnerabilities?
DOM-data manipulation
What is DOM-data manipulation?
What is the impact of DOM-data manipulation?
Which sinks can lead to DOM-data manipulation vulnerabilities?
How to prevent DOM-data manipulation vulnerabilities
DOM-based denial of service
What is DOM-based denial of service?
Which sinks can lead to DOM-based denial-of-service vulnerabilities?
How to prevent DOM-based denial-of-service vulnerabilities
DOM clobbering
What is DOM clobbering?
How to exploit DOM-clobbering vulnerabilities
How to prevent DOM-clobbering attacks
Want to track your progress and have a more personalized learning experience? (It's free!)
Sign up
Login