Web Security Academy Learning Paths

Our carefully curated pathways provide a structured approach to learning web security, empowering you to advance at your own pace while ensuring a deep understanding of the subject matter.

Web Security Academy Learning Paths

All learning paths

Sign in or create a free account to access our interactive, deliberately vulnerable labs, and track your learning progress.

Server-side vulnerabilities

This learning path introduces you to a range of common server-side vulnerabilities. This is perfect if you're new to web security and want to get an overview of the kinds of vulnerabilities that exist, as well as how an attacker might identify and exploit them in real-world systems.

SQL injection

This learning path teaches you how to find and exploit SQL injection, a classic vulnerability responsible for many high-profile data breaches. This path is suitable regardless of whether you're completely new to SQL injection or want to improve your existing knowledge and skills.

API testing

This learning path teaches you how to test APIs that aren't fully used by the website front-end. You'll learn key API recon skills to help you discover more attack surface. In addition, you'll learn how to identify server-side parameter pollution vulnerabilities that may impact internal APIs.

Web LLM attacks

This learning path teaches you how to perform attacks using Large Language Models (LLMs). You'll learn how to construct attacks that take advantage of an LLM's access to data, API, and user information that you would not be able to access directly.

Cross-site request forgery (CSRF)

This learning path covers CSRF (Cross-Site Request Forgery). You'll learn about some common CSRF vulnerabilities, and how to prevent them.

File upload vulnerabilities

In this learning path, you'll explore how simple file upload functions can become a vector for severe attacks. You'll learn how to bypass common defense mechanisms to upload a web shell, enabling full control over a vulnerable web server.

Clickjacking (UI redressing)

This learning path deals with clickjacking attacks. You'll learn the fundamentals of clickjacking, how to construct basic attacks, and implement server-side and client-side defense strategies.

GraphQL API vulnerabilities

This learning path explores common vulnerabilities associated with GraphQL APIs due to implementation and design flaws. You'll learn how to find GraphQL endpoints, bypass some common defenses, and exploit a range of GraphQL API vulnerabilities.

Cross-origin resource sharing (CORS)

This learning path provides an in-depth understanding of CORS, including common examples of CORS-based attacks and how to protect against these attacks.

Path traversal

This learning path covers path traversal vulnerabilities. You'll learn how to carry out path traversal attacks and circumvent common obstacles. You'll also learn how to prevent path traversal attacks.

NoSQL injection

This learning path covers the detection, exploitation, and prevention of NoSQL injection vulnerabilities. You'll explore the differences between NoSQL and SQL injection, learn how to perform NoSQL syntax injection, and how to use NoSQL operators to manipulate queries.

Race conditions

This learning path covers race conditions, a common vulnerability in web applications where concurrent processes lead to unintended behavior. You'll learn how to identify, exploit, and prevent race conditions, leveraging tools like Burp Suite's Repeater and the Turbo Intruder extension.