NEW

Web Security Academy Learning Paths

Our carefully curated pathways provide a structured approach to learning web security, empowering you to advance at your own pace while ensuring a deep understanding of the subject matter.

Web Security Academy Learning Paths

All learning paths

Sign in or create a free account to access our interactive, deliberately vulnerable labs, and track your learning progress.

PRACTITIONER

API testing

This learning path teaches you how to test APIs that aren't fully used by the website front-end. You'll learn key API recon skills to help you discover more attack surface. In addition, you'll learn how to identify server-side parameter pollution vulnerabilities that may impact internal APIs.

View path GET STARTED

PRACTITIONER

Web LLM attacks

This learning path teaches you how to perform attacks using Large Language Models (LLMs). You'll learn how to construct attacks that take advantage of an LLM's access to data, API, and user information that you would not be able to access directly.

View path GET STARTED

PRACTITIONER

Cross-site request forgery (CSRF)

This learning path covers CSRF (Cross-Site Request Forgery). You'll learn about some common CSRF vulnerabilities, and how to prevent them.

View path GET STARTED

PRACTITIONER

Clickjacking (UI redressing)

This learning path deals with clickjacking attacks. You'll learn the fundamentals of clickjacking, how to construct basic attacks, and implement server-side and client-side defense strategies.

View path GET STARTED

PRACTITIONER

GraphQL API vulnerabilities

This learning path explores common vulnerabilities associated with GraphQL APIs due to implementation and design flaws. You'll learn how to find GraphQL endpoints, bypass some common defenses, and exploit a range of GraphQL API vulnerabilities.

View path GET STARTED

PRACTITIONER

Cross-origin resource sharing (CORS)

This learning path provides an in-depth understanding of CORS, including common examples of CORS-based attacks and how to protect against these attacks.

View path GET STARTED

PRACTITIONER

NoSQL injection

This learning path covers the detection, exploitation, and prevention of NoSQL injection vulnerabilities. You'll explore the differences between NoSQL and SQL injection, learn how to perform NoSQL syntax injection, and how to use NoSQL operators to manipulate queries.

View path GET STARTED

PRACTITIONER

Race conditions

This learning path covers race conditions, a common vulnerability in web applications where concurrent processes lead to unintended behavior. You'll learn how to identify, exploit, and prevent race conditions, leveraging tools like Burp Suite's Repeater and the Turbo Intruder extension.

View path GET STARTED

PRACTITIONER

SQL injection

This learning path explores authentication vulnerabilities, which have a critical impact on security. You'll learn about vulnerabilities in common authentication mechanisms and strategies for robust authentication.

View path GET STARTED

PRACTITIONER

Authentication vulnerabilities

This learning path explores authentication vulnerabilities, which have a critical impact on security. You'll learn about common mechanisms and vulnerabilities, and strategies for robust authentication.

View path GET STARTED

PRACTITIONER

Server-side request forgery (SSRF) attacks

This learning path teaches you about server-side request forgery (SSRF). You'll learn about its impact, common techniques used in attacks, and how to defend against them.

View path GET STARTED

PRACTITIONER

Prototype pollution

This learning path introduces you to prototype pollution vulnerabilities in JavaScript. You'll learn what prototype pollution is, how it can be exploited, and how to prevent it in your applications.

View path GET STARTED

APPRENTICE

Server-side vulnerabilities

This learning path introduces you to a range of common server-side vulnerabilities. This is perfect if you're new to web security and want to get an overview of the kinds of vulnerabilities that exist, as well as how an attacker might identify and exploit them in real-world systems.

View path GET STARTED

PRACTITIONER

File upload vulnerabilities

In this learning path, you'll explore how simple file upload functions can become a vector for severe attacks. You'll learn how to bypass common defense mechanisms to upload a web shell, enabling full control over a vulnerable web server.

View path GET STARTED

PRACTITIONER

Path traversal

This learning path covers path traversal vulnerabilities. You'll learn how to carry out path traversal attacks and circumvent common obstacles. You'll also learn how to prevent path traversal attacks.

View path GET STARTED

PRACTITIONER

WebSockets vulnerabilities

This learning path covers the identification and exploitation of security vulnerabilities specific to WebSockets in web applications.

View path GET STARTED

PRACTITIONER

Web cache deception

This learning path covers web cache deception vulnerabilities. You'll learn how to identify discrepancies between how the origin server and cache handle requests and how to leverage the discrepancies to create path confusion.

View path GET STARTED