Web Application Security
Where most bug bounties are won.
The OWASP Top 10 and beyond - SQLi, XSS, SSRF, IDOR, auth flaws and more. Hands-on with Burp Suite against deliberately vulnerable apps, each mapped to a real disclosed report.
The OWASP Top 10
The map of web vulnerabilities - what each category means and how this module attacks them all.
HTTP & Burp Suite
Requests, responses, headers, cookies - and intercepting/modifying them with Burp Suite, your primary weapon.
Recon & Content Discovery
Map the attack surface: subdomains, directories, parameters, and hidden endpoints with ffuf, gobuster, and more.
SQL Injection
From a single quote to full database dump - error-based, union, and blind SQLi, plus sqlmap and prevention.
Cross-Site Scripting (XSS)
Reflected, stored, and DOM XSS - stealing sessions, building payloads, and why output encoding matters.
Cross-Site Request Forgery
Forcing authenticated actions, SameSite cookies, and how CSRF tokens defend (and fail).
Server-Side Request Forgery
Make the server fetch what you want - cloud metadata theft, internal port scanning, and SSRF filter bypasses.
IDOR & Broken Access Control
The #1 OWASP category - horizontal and vertical privilege escalation by tampering with object references.
Authentication & Session Attacks
Credential stuffing, weak resets, JWT flaws, session fixation, and OAuth pitfalls.
File Upload Vulnerabilities
Bypassing upload filters to plant a web shell - and how content-type, extension, and magic-byte checks fail.
OS Command Injection
When user input reaches a shell - detecting, exploiting, and chaining command injection to full RCE.
XML External Entities (XXE)
Abusing XML parsers to read local files, perform SSRF, and exfiltrate data out-of-band.