Login
Products
Solutions
Testers
Organizations
Developers
Vulnerability Scanner
Research
Academy
Daily Swig
Support
Products
Solutions
Testers
Organizations
Developers
Vulnerability Scanner
Research
Academy
Support
Getting Started
Documentation
Knowledge Base
Training
Troubleshooting
Extensibility
BApp Store
Release Notes
About
Blog
Login
Careers
Legal
Contact
Home
Daily Swig
Web Security Academy
All materials
Detailed
All learning materials - detailed
Access control vulnerabilities and privilege escalation
What is access control?
Vertical access controls
Horizontal access controls
Context-dependent access controls
Examples of broken access controls
Vertical privilege escalation
Horizontal privilege escalation
Horizontal to vertical privilege escalation
Insecure direct object references
Access control vulnerabilities in multi-step processes
Referer-based access control
Location-based access control
How to prevent access control vulnerabilities
Access control security models
What are access control security models?
Programmatic access control
Discretionary access control (DAC)
Mandatory access control (MAC)
Role-based access control (RBAC)
Insecure direct object references (IDOR)
What are insecure direct object references (IDOR)?
IDOR examples
IDOR vulnerability with direct reference to database objects
IDOR vulnerability with direct reference to static files
Cross-origin resource sharing (CORS)
What is CORS (cross-origin resource sharing)?
Same-origin policy
Relaxation of the same-origin policy
Vulnerabilities arising from CORS configuration issues
Server-generated ACAO header from client-specified Origin header
Errors parsing Origin headers
Whitelisted null origin value
Exploiting XSS via CORS trust relationships
Breaking TLS with poorly configured CORS
Intranets and CORS without credentials
How to prevent CORS-based attacks
Proper configuration of cross-domain requests
Only allow trusted sites
Avoid whitelisting null
Avoid wildcards in internal networks
CORS is not a substitute for server-side security policies
Same-origin policy (SOP)
What is the same-origin policy?
Why is the same-origin policy necessary?
How is the same-origin policy implemented?
CORS and the Access-Control-Allow-Origin response header
What is the Access-Control-Allow-Origin response header?
Implementing simple cross-origin resource sharing
Handling cross-origin resource requests with credentials
Relaxation of CORS specifications with wildcards
Pre-flight checks
Does CORS protect against CSRF?
Clickjacking (UI redressing)
What is clickjacking?
How to construct a basic clickjacking attack
Clickjacking with prefilled form input
Frame busting scripts
Combining clickjacking with a DOM XSS attack
Multistep clickjacking
How to prevent clickjacking attacks
X-Frame-Options
Content Security Policy (CSP)
Testing for WebSockets security vulnerabilities
WebSockets
Manipulating WebSocket traffic
Intercepting and modifying WebSocket messages
Replaying and generating new WebSocket messages
Manipulating WebSocket connections
WebSockets security vulnerabilities
Manipulating WebSocket messages to exploit vulnerabilities
Manipulating the WebSocket handshake to exploit vulnerabilities
Using cross-site WebSockets to exploit vulnerabilities
How to secure a WebSocket connection
What are WebSockets?
What is the difference between HTTP and WebSockets?
How are WebSocket connections established?
What do WebSocket messages look like?
Cross-site WebSocket hijacking
What is cross-site WebSocket hijacking?
What is the impact of cross-site WebSocket hijacking?
Performing a cross-site WebSocket hijacking attack
SQL injection
What is SQL injection (SQLi)?
What is the impact of a successful SQL injection attack?
SQL injection examples
Retrieving hidden data
Subverting application logic
Retrieving data from other database tables
Examining the database
Blind SQL injection vulnerabilities
How to detect SQL injection vulnerabilities
SQL injection in different parts of the query
Second-order SQL injection
Database-specific factors
How to prevent SQL injection
SQL injection UNION attacks
Determining the number of columns required in an SQL injection UNION attack
Finding columns with a useful data type in an SQL injection UNION attack
Using an SQL injection UNION attack to retrieve interesting data
Retrieving multiple values within a single column
Examining the database in SQL injection attacks
Querying the database type and version
Listing the contents of the database
Equivalent to information schema on Oracle
Blind SQL injection
What is blind SQL injection?
Exploiting blind SQL injection by triggering conditional responses
Inducing conditional responses by triggering SQL errors
Exploiting blind SQL injection by triggering time delays
Exploiting blind SQL injection using out-of-band (OAST) techniques
How to prevent blind SQL injection attacks?
SQL injection cheat sheet
String concatenation
Substring
Comments
Database version
Database contents
Conditional errors
Batched (or stacked) queries
Time delays
Conditional time delays
DNS lookup
DNS lookup with data exfiltration
Cross-site scripting
What is cross-site scripting (XSS)?
How does XSS work?
What are the types of XSS attacks?
Reflected cross-site scripting
Stored cross-site scripting
DOM-based cross-site scripting
What can XSS be used for?
Impact of XSS vulnerabilities
How to find and test for XSS vulnerabilities
Content security policy
Dangling markup injection
How to prevent XSS attacks
Common questions about cross-site scripting
Reflected XSS
What is reflected cross-site scripting?
Impact of reflected XSS attacks
Reflected XSS in different contexts
How to find and test for reflected XSS vulnerabilities
Common questions about reflected cross-site scripting
Cross-site scripting contexts
XSS between HTML tags
XSS in HTML tag attributes
XSS into JavaScript
Terminating the existing script
Breaking out of a JavaScript string
Making use of HTML-encoding
XSS in JavaScript template literals
XSS in the context of the AngularJS sandbox
AngularJS sandbox
What is the AngularJS sandbox?
How does the AngularJS sandbox work?
How does an AngularJS sandbox escape work?
How does an AngularJS CSP bypass work?
How to prevent AngularJS injection
Cross-site scripting (XSS) cheat sheet
Event handlers
Event handlers that do not require user interaction
Event handlers that do require user interaction
Restricted characters
Frameworks
Protocols
Other useful attributes
Special tags
Encoding
Obfuscation
Client-side template injection
AngularJS sandbox escapes reflected
DOM based AngularJS sandbox escapes
AngularJS CSP bypasses
Scriptless attacks
Dangling markup
Polyglots
Classic vectors (XSS crypt)
Stored XSS
What is stored cross-site scripting?
Impact of stored XSS attacks
Stored XSS in different contexts
How to find and test for stored XSS vulnerabilities
DOM-based XSS
What is DOM-based cross-site scripting?
How to test for DOM-based cross-site scripting
Testing HTML sinks
Testing JavaScript execution sinks
Exploiting DOM XSS with different sources and sinks
DOM XSS combined with reflected and stored data
Exploiting cross-site scripting vulnerabilities
Exploiting cross-site scripting to steal cookies
Exploiting cross-site scripting to capture passwords
Exploiting cross-site scripting to perform CSRF
Content security policy
What is CSP (content security policy)?
Mitigating XSS attacks using CSP
Mitigating dangling markup attacks using CSP
Bypassing CSP with policy injection
Protecting against clickjacking using CSP
Dangling markup injection
What is dangling markup injection?
How to prevent dangling markup attacks
How to prevent XSS
Encode data on output
Validate input on arrival
Whitelisting vs blacklisting
Allowing "safe" HTML
How to prevent XSS using a template engine
How to prevent XSS in PHP
How to prevent XSS client-side in JavaScript
How to prevent XSS in jQuery
Mitigating XSS using content security policy (CSP)
Cross-site request forgery (CSRF)
What is CSRF?
What is the impact of a CSRF attack?
How does CSRF work?
How to construct a CSRF attack
How to deliver a CSRF exploit
Preventing CSRF attacks
Common CSRF vulnerabilities
Validation of CSRF token depends on request method
Validation of CSRF token depends on token being present
CSRF token is not tied to the user session
CSRF token is tied to a non-session cookie
CSRF token is simply duplicated in a cookie
Referer-based defenses against CSRF
Validation of Referer depends on header being present
Validation of Referer can by circumvented
Defending against CSRF with SameSite cookies
XSS vs CSRF
What is the difference between XSS and CSRF?
Can CSRF tokens prevent XSS attacks?
CSRF tokens
What are CSRF tokens?
How should CSRF tokens be generated?
How should CSRF tokens be transmitted?
How should CSRF tokens be validated?
XML external entity (XXE) injection
What is XML external entity injection?
How do XXE vulnerabilities arise?
What are the types of XXE attacks?
Exploiting XXE to retrieve files
Exploiting XXE to perform SSRF attacks
Blind XXE vulnerabilities
Finding hidden attack surface for XXE injection
XInclude attacks
XXE attacks via file upload
XXE attacks via modified content type
How to find and test for XXE vulnerabilities
How to prevent XXE vulnerabilities
XML entities
What is XML?
What are XML entities?
What is document type definition?
What are XML custom entities?
What are XML external entities?
Finding and exploiting blind XXE vulnerabilities
What is blind XXE?
Detecting blind XXE using out-of-band (OAST) techniques
Exploiting blind XXE to exfiltrate data out-of-band
Exploiting blind XXE to retrieve data via error messages
Exploiting blind XXE by repurposing a local DTD
Locating an existing DTD file to repurpose
Server-side request forgery (SSRF)
What is SSRF?
What is the impact of SSRF attacks?
Common SSRF attacks
SSRF attacks against the server itself
SSRF attacks against other back-end systems
Circumventing common SSRF defenses
SSRF with blacklist-based input filters
SSRF with whitelist-based input filters
Bypassing SSRF filters via open redirection
Blind SSRF vulnerabilities
Finding hidden attack surface for SSRF vulnerabilities
Partial URLs in requests
URLs within data formats
SSRF via the Referer header
Blind SSRF vulnerabilities
What is blind SSRF?
What is the impact of blind SSRF vulnerabilities?
How to find and exploit blind SSRF vulnerabilities
HTTP request smuggling
What is HTTP request smuggling?
What happens in an HTTP request smuggling attack?
How do HTTP request smuggling vulnerabilities arise?
How to perform an HTTP request smuggling attack
CL.TE vulnerabilities
TE.CL vulnerabilities
TE.TE behavior: obfuscating the TE header
How to prevent HTTP request smuggling vulnerabilities
Finding HTTP request smuggling vulnerabilities
Finding HTTP request smuggling vulnerabilities using timing techniques
Finding CL.TE vulnerabilities using timing techniques
Finding TE.CL vulnerabilities using timing techniques
Confirming HTTP request smuggling vulnerabilities using differential responses
Confirming CL.TE vulnerabilities using differential responses
Confirming TE.CL vulnerabilities using differential responses
Exploiting HTTP request smuggling vulnerabilities
Using HTTP request smuggling to bypass front-end security controls
Revealing front-end request rewriting
Capturing other users' requests
Using HTTP request smuggling to exploit reflected XSS
Using HTTP request smuggling to turn an on-site redirect into an open redirect
Using HTTP request smuggling to perform web cache poisoning
Using HTTP request smuggling to perform web cache deception
OS command injection
What is OS command injection?
Executing arbitrary commands
Useful commands
Blind OS command injection vulnerabilities
Detecting blind OS command injection using time delays
Exploiting blind OS command injection by redirecting output
Exploiting blind OS command injection using out-of-band (OAST) techniques
Ways of injecting OS commands
How to prevent OS command injection attacks
Directory traversal
What is directory traversal?
Reading arbitrary files via directory traversal
Common obstacles to exploiting file path traversal vulnerabilities
How to prevent a directory traversal attack
Want to track your progress and have a more personalized learning experience? (It's free!)
Sign up
Login