Course Overview
Learn how to hack web applications, automate your exploits in python and defend web applications against real world attacks! For each vulnerability type, we dive into the technical details and then gain hands-on experience by solving labs that model real-world vulnerabilities.
The course covers the following server-side vulnerabilities:
- SQL Injection
- Authentication Vulnerabilities
- Directory Traversal
- Command Injection
- Business Logic Vulnerabilities
- Information Disclosure
- Access Control Vulnerabilities
- File Upload Vulnerabilities
- Server-Side Request Forgery (SSRF)
- XXE Injection
The course covers the following client-side vulnerabilities:
- Cross-Site Scripting (XSS)
- Cross-site request forgery (CSRF)
- Cross-origin resource sharing (CORS)
- Clickjacking
- DOM-based Vulnerabilities
- WebSocket Vulnerabilities
The course covers the following advanced vulnerabilities:
- JWT Attacks
- HTTP Host Header Attacks
Course Prerequisites:
- Basic knowledge of computers (i.e. how to use the internet).
- Basic knowledge of web fundamentals (HTTP requests, methods, cookies, status codes, etc.).
-
Basic knowledge of Python Scripting.
COURSE CURRICULUM - 50+ HOURS
Introduction
Available in
days
days
after you enroll
Getting Help
Available in
days
days
after you enroll
Lab Environment Setup
Available in
days
days
after you enroll
SQL Injection
Available in
days
days
after you enroll
- SQL Injection | Complete Guide (65:41)
- Lab #1 SQL injection vulnerability in WHERE clause allowing retrieval of hidden data (29:06)
- Lab #2 SQL injection vulnerability allowing login bypass (33:17)
- Lab #3 SQLi UNION attack determining the number of columns returned by the query (33:59)
- Lab #4 SQL injection UNION attack, finding a column containing text (29:08)
- Lab #5 SQL injection UNION attack, retrieving data from other tables (24:45)
- Lab #6 SQL injection UNION attack, retrieving multiple values in a single column (29:24)
- Lab #7 SQL injection attack, querying the database type and version on Oracle (26:50)
- Lab #8 SQLi attack, querying the database type and version on MySQL & Microsoft (22:16)
- Lab #9 SQL injection attack, listing the database contents on non Oracle databases (45:18)
- Lab #10 SQL injection attack, listing the database contents on Oracle (40:24)
- Lab #11 Blind SQL injection with conditional responses (48:38)
- Lab #12 Blind SQL injection with conditional errors (44:58)
- Lab #13 Blind SQL injection with time delays (19:08)
- Lab #14 Blind SQL injection with time delays and information retrieval (35:37)
- Note - Changes to Burp Collaborator
- Lab #15 Blind SQL injection with out-of-band interaction (10:19)
- Lab #16 Blind SQL injection with out of band data exfiltration (8:17)
- Lab #17 SQL injection with filter bypass via XML encoding (7:14)
- Lab #18 Visible error-based SQL injection (14:46)
Authentication Vulnerabilities
Available in
days
days
after you enroll
- Authentication Vulnerabilities | Complete Guide (29:35)
- Lab #1 Username enumeration via different responses (6:02)
- Lab #2 2FA simple bypass (11:46)
- Lab #3 Password reset broken logic (13:10)
- Lab #4 Username enumeration via subtly different responses (9:23)
- Lab #5 Username enumeration via response timing (13:58)
- Lab #6 Broken brute-force protection, IP block (14:20)
- Lab #7 Username enumeration via account lock (9:41)
- Lab #8 2FA broken logic (9:36)
- Lab #9 Brute-forcing a stay-logged-in cookie (17:13)
- Lab #10 Offline password cracking (11:59)
- Lab #11 Password reset poisoning via middleware (8:28)
- Lab #12 Password brute-force via password change (25:08)
- Lab #13 Broken brute-force protection, multiple credentials per request (16:46)
- Lab #14 2FA bypass using a brute-force attack (9:54)
Directory Traversal
Available in
days
days
after you enroll
- Directory Traversal | Complete Guide (21:05)
- Lab #1 File path traversal, simple case (13:58)
- Lab #2 File path traversal, traversal sequences blocked with absolute path bypass (10:55)
- Lab #3 File path traversal, traversal sequences stripped non-recursively (14:26)
- Lab #4 File path traversal, traversal sequences stripped with superfluous URL-decode (12:19)
- Lab #5 File path traversal, validation of start of path (10:28)
- Lab #6 File path traversal, validation of file extension with null byte bypass (9:54)
OS Command Injection
Available in
days
days
after you enroll
- Command Injection | Complete Guide (29:58)
- Lab #1 OS command injection, simple case (18:03)
- Lab #2 Blind OS command injection with time delays (19:32)
- Lab #3 Blind OS command injection with output redirection (25:51)
- Note - Changes to Burp Collaborator
- Lab #4 Blind OS command injection with out-of-band interaction (6:35)
- Lab #5 Blind OS command injection with out-of-band data exfiltration (7:33)
Business Logic Vulnerabilities
Available in
days
days
after you enroll
- Business Logic Vulnerabilities | Complete Guide (17:30)
- Lab #1 Excessive trust in client-side controls (24:40)
- Lab #2 High-level logic vulnerability (25:55)
- Lab #3 Inconsistent security controls (6:34)
- Lab #4 Flawed enforcement of business rules (29:08)
- Lab #5 Low-level logic flaw (14:10)
- Lab #6 Inconsistent handling of exceptional input (15:20)
- Lab #7 Weak isolation on dual-use endpoint (22:32)
- Lab #8 Insufficient workflow validation (20:04)
- Lab #9 Authentication bypass via flawed state machine (17:59)
- Lab #10 Infinite money logic flaw (41:17)
- Lab #11 Authentication bypass via encryption oracle (18:47)
Information Disclosure
Available in
days
days
after you enroll
- Information Disclosure | Complete Guide (29:12)
- Lab #1 Information disclosure in error messages (9:41)
- Lab #2 Information disclosure on debug page (11:20)
- Lab #3 Source code disclosure via backup files (11:18)
- Lab #4 Authentication bypass via information disclosure (10:56)
- Lab #5 Information disclosure in version control history (4:32)
Access Control Vulnerabilities
Available in
days
days
after you enroll
- Broken Access Control | Complete Guide (38:05)
- Lab #1 Unprotected admin functionality (15:06)
- Lab #2 Unprotected admin functionality with unpredictable URL (22:56)
- Lab #3 User role controlled by request parameter (23:42)
- Lab #4 User role can be modified in user profile (21:39)
- Lab #5 URL-based access control can be circumvented (15:23)
- Lab #6 Method-based access control can be circumvented (17:23)
- Lab #7 User ID controlled by request parameter (21:24)
- Lab #8 User ID controlled by request parameter, with unpredictable user IDs (29:18)
- Lab #9 User ID controlled by request parameter with data leakage in redirect (21:36)
- Lab #10 User ID controlled by request parameter with password disclosure (27:13)
- Lab #11 Insecure direct object references (22:44)
- Lab #12 Multi-step process with no access control on one step (16:25)
- Lab #13 Referer-based access control (14:15)
File Upload Vulnerabilities
Available in
days
days
after you enroll
- File Upload Vulnerabilities | Complete Guide (26:12)
- Lab #1 Remote code execution via web shell upload (27:53)
- Lab #2 Web shell upload via Content-Type restriction bypass (23:08)
- Lab #3 Web shell upload via path traversal (26:54)
- Lab #4 Web shell upload via extension blacklist bypass (30:11)
- Lab #5 Web shell upload via obfuscated file extension (23:42)
- Lab #6 Remote code execution via polyglot web shell upload (7:29)
- Lab #7 Web shell upload via race condition (13:15)
Server-Side Request Forgery (SSRF)
Available in
days
days
after you enroll
- Server-Side Request Forgery (SSRF) | Complete Guide (45:31)
- Lab #1 Basic SSRF against the local server (21:31)
- Lab #2 Basic SSRF against another back-end system (26:53)
- Lab #3 SSRF with blacklist-based input filter (20:08)
- Lab #4 SSRF with whitelist-based input filter (21:04)
- Lab #5 SSRF with filter bypass via open redirection vulnerability (18:36)
- Note - Changes to Burp Collaborator
- Lab #6 Blind SSRF with out-of-band detection (6:01)
- Lab #7 Blind SSRF with Shellshock exploitation (12:41)
XXE Injection
Available in
days
days
after you enroll
- XXE Injection | Complete Guide (48:12)
- Lab #1 Exploiting XXE using external entities to retrieve files (10:28)
- Lab #2 Exploiting XXE to perform SSRF attacks (11:33)
- Note - Changes to Burp Collaborator
- Lab #3 Blind XXE with out-of-band interaction (5:53)
- Lab #4 Blind XXE with out-of-band interaction via XML parameter entities (6:35)
- Lab #5 Exploiting blind XXE to exfiltrate data using a malicious external DTD (16:54)
- Lab #6 Exploiting blind XXE to retrieve data via error messages (12:14)
- Lab #7 Exploiting XInclude to retrieve files (12:41)
- Lab #8 Exploiting XXE via image file upload (23:48)
- Lab #9 Exploiting XXE to retrieve data by repurposing a local DTD (23:51)
Cross-Site Scripting (XSS)
Available in
days
days
after you enroll
- Cross-Site Scripting (XSS) | Complete Guide (40:03)
- Lab #1 Reflected XSS into HTML context with nothing encoded (3:47)
- Lab #2 Stored XSS into HTML context with nothing encoded (5:06)
- Lab #3 DOM XSS in document.write sink using source location.search (7:46)
- Lab #4 DOM XSS in innerHTML sink using source location.search (6:03)
- Lab #5 DOM XSS in jQuery anchor href attribute sink using location.search source (7:09)
- Lab #6 DOM XSS in jQuery selector sink using a hashchange event (10:14)
- Lab #7 Reflected XSS into attribute with angle brackets HTML-encoded (5:05)
- Lab #8 Stored XSS into anchor href attribute with double quotes HTML-encoded (5:50)
- Lab #9 Reflected XSS into a JavaScript string with angle brackets HTML encoded (5:54)
- Lab #10 DOM XSS in document.write sink using source location.search inside a select element (8:18)
- Lab #11 DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded (4:30)
- Lab #12 Reflected DOM XSS (7:46)
- Lab #13 Stored DOM XSS (8:08)
- Lab #14 Exploiting cross-site scripting to steal cookies (9:21)
- Lab #15 Exploiting cross-site scripting to capture passwords (10:01)
- Lab #16 Exploiting XSS to perform CSRF (12:08)
- Lab #17 Reflected XSS into HTML context with most tags and attributes blocked (10:57)
- Lab #18 Reflected XSS into HTML context with all tags blocked except custom ones (10:23)
- Lab #19 Reflected XSS with some SVG markup allowed (6:34)
- Lab #20 Reflected XSS in canonical link tag (7:26)
- Lab #21 Reflected XSS into a JavaScript string with single quote and backslash escaped (4:32)
- Lab #22 Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped (5:36)
- Lab #23 Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped (7:40)
- Lab #24 Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped (3:19)
Cross-Site Request Forgery (CSRF)
Available in
days
days
after you enroll
- Cross-Site Request Forgery (CSRF) | Complete Guide (47:02)
- Note - Changes to Python Simple Server
- Lab #1 CSRF vulnerability with no defenses (22:22)
- Lab #2 CSRF where token validation depends on request method (20:33)
- Lab #3 CSRF where token validation depends on token being present (14:29)
- Lab #4 CSRF where token is not tied to user session (18:01)
- Lab #5 CSRF where token is tied to non-session cookie (27:32)
- Lab #6 CSRF where token is duplicated in cookie (21:05)
- Lab #7 CSRF where Referer validation depends on header being present (19:53)
- Lab #8 CSRF with broken Referer validation (18:14)
- Lab #9 SameSite Lax bypass via method override (7:51)
- Lab #10 SameSite Strict bypass via client-side redirect (12:45)
- Lab #11 SameSite Strict bypass via sibling domain (24:10)
- Lab #12 SameSite Lax bypass via cookie refresh (18:29)
Cross-origin Resource Sharing (CORS)
Available in
days
days
after you enroll
- Cross-Origin Resource Sharing (CORS) | Complete Guide (50:49)
- Lab #1 CORS vulnerability with basic origin reflection (15:13)
- Lab #2 CORS vulnerability with trusted null origin (19:08)
- Lab #3 CORS vulnerability with trusted insecure protocols (23:32)
- Lab #4 CORS vulnerability with internal network pivot attack (35:21)
Clickjacking
Available in
days
days
after you enroll
- Clickjacking | Complete Guide (33:15)
- Lab #1 Basic clickjacking with CSRF token protection (9:42)
- Lab #2 Clickjacking with form input data prefilled from a URL parameter (10:04)
- Lab #3 Clickjacking with a frame buster script (8:38)
- Lab #4 Exploiting clickjacking vulnerability to trigger DOM-based XSS (11:27)
- Lab #5 Multistep clickjacking (10:27)
DOM-based Vulnerabilities
Available in
days
days
after you enroll
- DOM-Based Vulnerabilities | Complete Guide (39:09)
- Lab #1 DOM XSS using web messages (6:09)
- Lab #2 DOM XSS using web messages and a JavaScript URL (5:59)
- Lab #3 DOM XSS using web messages and JSON.parse (6:42)
- Lab #4 DOM-based open redirection (7:56)
- Lab #5 DOM-based cookie manipulation (9:14)
- Lab #6 Exploiting DOM clobbering to enable XSS (31:53)
- Lab #7 Clobbering DOM attributes to bypass HTML filters (16:34)
WebSockets Vulnerabilities
Available in
days
days
after you enroll
JWT Attacks
Available in
days
days
after you enroll
- JWT Attacks | Complete Guide (57:24)
- Lab #1 JWT authentication bypass via unverified signature (35:55)
- Lab #2 JWT authentication bypass via flawed signature verification (38:05)
- Lab #3 JWT authentication bypass via weak signing key (14:10)
- Lab #4 JWT authentication bypass via jwk header injection (9:38)
- Lab #5 JWT authentication bypass via jku header injection (10:20)
- Lab #6 JWT authentication bypass via kid header path traversal (10:41)
- Lab #7 JWT authentication bypass via algorithm confusion (13:28)
- Lab #8 JWT authentication bypass via algorithm confusion with no exposed key (22:11)
HTTP Host Header Attacks
Available in
days
days
after you enroll
- HTTP Host Header Attacks | Complete Guide (19:35)
- Lab #1 Basic password reset poisoning (9:18)
- Lab #2 Host header authentication bypass (6:48)
- Lab #3 Web cache poisoning via ambiguous requests (19:34)
- Lab #4 Routing-based SSRF (12:36)
- Lab #5 SSRF via flawed request parsing (15:16)
- Lab #6 Host validation bypass via connection state attack (8:48)
- Lab #7 Password reset poisoning via dangling markup (17:23)
What's Next?
Available in
days
days
after you enroll
Pricing Option #1
Pricing Option #2
All-Access Membership Plan Starting at $29.99/month
Gain full access to all the modules in this course as well as our entire course catalog by enrolling in the All-Access Membership plan.
Meet the Instructor
ABOUT THE AUTHOR
Rana Khalil is an accomplished Application Security Engineer currently steering the digital safety ship in Canada's dynamic public and private sectors. With her cutting-edge expertise, she's not only securing applications, but also shaping the future of cybersecurity across the nation.
She holds a Bachelor's and Master’s degree in Computer Science and is OSCP certified. She has spoken about her research at various local and international conferences, and received several awards and honorable mentions for her contributions to the cybersecurity community.
Follow Rana on Social Media:
LinkedIn: https://www.linkedin.com/in/ranakhalil1/
Youtube: https://www.youtube.com/channel/UCKaK-XPQAbznwIISC...
Frequently Asked Questions (FAQ)
What is the refund policy?
All students are entitled to a 14-day refund from the date of purchase of the course. Please follow the instructions outlined in this link to submit a refund request.
Will I receive a certificate of completion after I finish the course?
Yes, we currently provide a certificate of completion. However, the course is designed to help aid students in the preparation for PortSwigger's Burp Suite Certified Practitioner certification. Therefore, students are encouraged to enrol in the certification if they feel they are ready.
Does the course include subtitles?
Yes, all of the lessons in this course feature auto-generated English, Arabic, Spanish, Portuguese, Hindi & French subtitles. We are currently in the process of having these subtitles reviewed by human experts to ensure their accuracy.
Does the One-Time Purchase option include all future updates to the course?
Yes, the one-time purchase option provides access to the course and all future updates to the course.
Is the course eligible for Continuing Professional Education (CPE) credits?
Yes, each certificate of completion specifies the total CPE credits earned.
How is this course different from the videos on Youtube and Udemy?
This course contains the same videos as Youtube and Udemy, with the exception that the course contains all the videos, whereas, Youtube only contains a portion of the videos and in Udemy, each module / topic of this course is a single course on Udemy.
Registering in the course gives you the following benefits:
- Access to all the module / topic videos.
- Access to a private discord channel where you can ask me questions and collaborate with other students.
- Early access to any future videos and updates.