Learning library

All courses

Multi-lesson tracks organised by vulnerability class. Every lesson includes a live simulation you can break, fix, and learn from.

6 courses · 71 lessons

SQL Injection

A 20-lesson hands-on course on the most prevalent web vulnerability. Each lesson includes a live, interactive sandbox and a step-by-step diagram you can break.

20 lessons

fund1SQL Injection: FundamentalsBeginner12m fund2SQL Injection: How databases workBeginner10m fund3SQL Injection: Why it's possibleBeginner10m fund4SQL Injection: Authentication bypassIntermediate16m core5SQL Injection: Comment injectionBeginner8m core6SQL Injection: UNION-based extractionIntermediate18m core7SQL Injection: Error-based extractionIntermediate14m core8SQL Injection: Blind injection overviewIntermediate12m deep9SQL Injection: Boolean-based blindIntermediate14m deep10SQL Injection: Time-based blindAdvanced16m deep11SQL Injection: Database enumerationIntermediate16m deep12SQL Injection: Extracting dataIntermediate18m def13SQL Injection: Finding it in the wildAdvanced18m def14SQL Injection: Secure coding practicesBeginner12m def15SQL Injection: Prepared statementsIntermediate14m def16SQL Injection: ORM securityIntermediate13m def17SQL Injection: WAF & detectionAdvanced20m caps18SQL Injection: Real-world case studiesIntermediate22m caps19SQL Injection: Modern challengesAdvanced18m caps20SQL Injection: Review & practiceIntermediate25m

Cross Site Scripting

From reflected alert() to full account takeover. Understand how unescaped user input turns the browser into an execution host.

12 lessons

fund1XSS: The Browser is the DatabaseBeginner12m fund2Reflected XSSBeginner10m fund3Stored XSSBeginner10m core4DOM-based XSSIntermediate12m def5XSS DefenseIntermediate14m core6XSS Payload TechniquesIntermediate14m core7Blind XSSAdvanced14m deep8Context-Based XSS EscapesAdvanced15m deep9CSP Bypass TechniquesAdvanced16m def10XSS Detection & AuditingAdvanced14m caps11XSS Case StudiesIntermediate18m caps12XSS Review & PracticeIntermediate22m

Access Control

When the server trusts the client to say who they are. IDOR, privilege escalation, path traversal — the missing check that leaks everything.

12 lessons

fund1IDOR: The Missing CheckBeginner10m fund2Path TraversalBeginner10m fund3Privilege EscalationIntermediate12m core4Mass AssignmentIntermediate10m def5Access Control HardeningIntermediate14m fund6API Access ControlIntermediate12m core7JWT AttacksIntermediate14m core8CSRFIntermediate13m deep9Rate Limit & Auth BypassAdvanced14m def10Session ManagementIntermediate14m caps11Access Control Case StudiesIntermediate18m caps12Access Control Review & PracticeIntermediate22m

Ssrf

From a single URL parameter to the entire cloud metadata service. Understand how server-side request forgery turns the server into a proxy for internal attacks.

8 lessons

fund1SSRF: The Server Makes the RequestBeginner12m fund2Finding SSRF in the WildBeginner10m core3Cloud Metadata AttacksIntermediate14m core4Internal Network PivotIntermediate14m core5Blind SSRFAdvanced14m deep6SSRF Bypass TechniquesAdvanced16m def7SSRF DefenseIntermediate14m caps8SSRF Review & PracticeIntermediate22m

API Security

REST, GraphQL, and the flaws that live in the contract itself. Broken object auth, excessive data exposure, mass assignment — the OWASP API Security Top 10 in practice.

11 lessons

fund1API Security OverviewBeginner12m fund2API ReconnaissanceBeginner12m core3Broken Object Level AuthorizationIntermediate14m core4Broken AuthenticationIntermediate14m core5Excessive Data ExposureIntermediate12m deep6API Mass AssignmentAdvanced12m deep7API Rate Limiting & AbuseAdvanced14m def8API Automated Security TestingIntermediate14m def9API Security HardeningIntermediate14m caps10API Security Review & PracticeIntermediate22m deep11GraphQL Security Deep DiveAdvanced16m

WEB Protocols

HTTP/1.1 to HTTP/3, DNS, TLS, CDN, CORS, WebSockets — the plumbing that powers every web application. Understand how the web actually works under the hood.

8 lessons

fund1HTTP/1.1 FundamentalsBeginner14m fund2HTTP/2 & HTTP/3Beginner14m core3DNS Deep DiveBeginner14m core4TLS & SSLIntermediate16m deep5CDN & CachingBeginner14m deep6CORS & Same-Origin PolicyIntermediate14m def7WebSockets & Real-TimeIntermediate14m caps8Web Protocols ReviewBeginner20m