Our carefully curated pathways provide a structured approach to learning web security, empowering you to advance at your own pace while ensuring a deep understanding of the subject matter.
This learning path teaches you how to test APIs that aren't fully used by the website front-end. You'll learn key API recon skills to help you discover more attack surface. In addition, you'll learn how to identify server-side parameter pollution vulnerabilities that may impact internal APIs.
This learning path teaches you how to perform attacks using Large Language Models (LLMs). You'll learn how to construct attacks that take advantage of an LLM's access to data, APIs, and user information that you would not be able to access directly.
This learning path covers CSRF (Cross-Site Request Forgery). You'll learn about some common CSRF vulnerabilities, and how to prevent them.
This learning path deals with clickjacking attacks. You'll learn the fundamentals of clickjacking, how to construct basic attacks, and implement server-side and client-side defense strategies.
This learning path explores common vulnerabilities associated with GraphQL APIs due to implementation and design flaws. You'll learn how to find GraphQL endpoints, bypass some common defenses, and exploit a range of GraphQL API vulnerabilities.
This learning path provides an in-depth understanding of CORS, including common examples of CORS-based attacks and how to protect against these attacks.
This learning path covers the detection, exploitation, and prevention of NoSQL injection vulnerabilities. You'll explore the differences between NoSQL and SQL injection, learn how to perform NoSQL syntax injection, and how to use NoSQL operators to manipulate queries.
This learning path covers race conditions, a common vulnerability in web applications where concurrent processes lead to unintended behavior. You'll learn how to identify, exploit, and prevent race conditions, leveraging tools like Burp Suite's Repeater and the Turbo Intruder extension.
This learning path explores authentication vulnerabilities, which have a critical impact on security. You'll learn about common mechanisms and vulnerabilities, and strategies for robust authentication.
This learning path teaches you about server-side request forgery (SSRF). You'll learn about its impact, common techniques used in attacks, and how to defend against them.
This learning path introduces you to prototype pollution vulnerabilities in JavaScript. You'll learn what prototype pollution is, how it can be exploited, and how to prevent it in your applications.
This learning path introduces you to a range of common server-side vulnerabilities. This is perfect if you're new to web security and want to get an overview of the kinds of vulnerabilities that exist, as well as how an attacker might identify and exploit them in real-world systems.
In this learning path, you'll explore how simple file upload functions can become a vector for severe attacks. You'll learn how to bypass common defense mechanisms to upload a web shell, enabling full control over a vulnerable web server.
This learning path covers path traversal vulnerabilities. You'll learn how to carry out path traversal attacks and circumvent common obstacles. You'll also learn how to prevent path traversal attacks.
This learning path covers the identification and exploitation of security vulnerabilities specific to WebSockets in web applications.
This learning path covers web cache deception vulnerabilities. You'll learn how to identify discrepancies between how the origin server and the cache handle requests, and how to leverage those discrepancies to create path confusion.
This learning path introduces SQL injection (SQLi), a critical web vulnerability. You'll learn how to detect and exploit SQLi to uncover hidden data and manipulate application behavior, as well as essential techniques to secure applications against SQLi attacks.