advanced web application vulnerabilities
get to a professional level in web application penetration testing
get to a professional level in web application bug bounty
get prepared for the Burp Suite Certified Practitioner (BSCP) certification
145+ ethical hacking & security videos
Burp practitioner labs solved and explained step by step
SQL injection
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Clickjacking
DOM-based vulnerabilities
Cross-origin resource sharing (CORS)
XML external entity (XXE) injection
Server-side request forgery (SSRF)
HTTP request smuggling
OS command injection
Server-side template injection
Directory traversal
Access control vulnerabilities
Authentication
WebSockets
Web cache poisoning
Insecure deserialization
Information disclosure
Business logic vulnerabilities
HTTP Host header attacks
OAuth authentication
File upload vulnerabilities
JWT
Essential skills
Prototype pollution
Introduction
Introduction
SQL injection
SQL injection UNION attack, determining the number of columns returned by the query
SQL injection UNION attack, finding a column containing text
SQL injection UNION attack, retrieving data from other tables
SQL injection UNION attack, retrieving multiple values in a single column
SQL injection attack, querying the database type and version on Oracle
SQL injection attack, querying the database type and version on MySQL and MS
SQL injection attack, listing the database contents on non-Oracle databases
SQL injection attack, listing the database contents on Oracle
Blind SQL injection with conditional responses
Blind SQL injection with conditional errors
Blind SQL injection with time delays
Blind SQL injection with time delays and information retrieval
Blind SQL injection with out-of-band interaction
Blind SQL injection with out-of-band data exfiltration
SQL injection with filter bypass via XML encoding
Cross-site scripting (XSS)
DOM XSS in document.write sink using source location.search inside a select element
DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
Reflected DOM XSS
Stored DOM XSS
Exploiting cross-site scripting to steal cookies
Exploiting cross-site scripting to capture passwords
Exploiting XSS to perform CSRF
Reflected XSS into HTML context with most tags and attributes blocked
Reflected XSS into HTML context with all tags blocked except custom ones
Reflected XSS with some SVG markup allowed
Reflected XSS in canonical link tag
Reflected XSS into a JavaScript string with single quote and backslash escaped
Reflected XSS into a JavaScript string with angle brackets and double quotes esc
Stored XSS into onclick event with angle brackets and double quotes HTML-encoded
Reflected XSS into a template literal with angle brackets, single, double quotes
Cross-site request forgery (CSRF)
CSRF where token validation depends on request method
CSRF where token validation depends on token being present
CSRF where token is not tied to user session
CSRF where token is tied to non-session cookie
CSRF where token is duplicated in cookie
SameSite Lax bypass via method override
SameSite Strict bypass via client-side redirect
SameSite Strict bypass via sibling domain
SameSite Lax bypass via cookie refresh
CSRF where Referer validation depends on header being present
CSRF with broken Referer validation
Clickjacking
Exploiting clickjacking vulnerability to trigger DOM-based XSS
Multistep clickjacking
DOM-based vulnerabilities
DOM XSS using web messages
DOM XSS using web messages and a JavaScript URL
DOM XSS using web messages and JSON.parse
DOM-based open redirection
DOM-based cookie manipulation
Cross-origin resource sharing (CORS)
CORS vulnerability with trusted insecure protocols
XML external entity (XXE) injection
Blind XXE with out-of-band interaction
Blind XXE with out-of-band interaction via XML parameter entities
Exploiting blind XXE to exfiltrate data using a malicious external DTD
Exploiting blind XXE to retrieve data via error messages
Exploiting XInclude to retrieve files
Exploiting XXE via image file upload
Server-side request forgery (SSRF)
SSRF with blacklist-based input filter
SSRF with filter bypass via open redirection vulnerability
Blind SSRF with out-of-band detection
HTTP request smuggling
HTTP request smuggling, basic CL.TE vulnerability
HTTP request smuggling, basic TE.CL vulnerability
HTTP request smuggling, obfuscating the TE header
HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE
Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL
Exploiting HTTP request smuggling to reveal front-end request rewriting
Exploiting HTTP request smuggling to capture other users’ requests
Exploiting HTTP request smuggling to deliver reflected XSS
Response queue poisoning via H2.TE request smuggling
OS command injection
Blind OS command injection with time delays
Blind OS command injection with output redirection
Blind OS command injection with out-of-band interaction
Blind OS command injection with out-of-band data exfiltration
Server-side template injection
Basic server-side template injection
Basic server-side template injection (code context)
Server-side template injection using documentation
Server-side template injection in an unknown language with a documented exploit
Server-side template injection with information disclosure via user-supplied objects
Directory traversal
File path traversal, traversal sequences blocked with absolute path bypass
File path traversal, traversal sequences stripped non-recursively
File path traversal, traversal sequences stripped with superfluous URL-decode
File path traversal, validation of start of path
File path traversal, validation of file extension with null byte bypass
Access control vulnerabilities
URL-based access control can be circumvented
Method-based access control can be circumvented
Multi-step process with no access control on one step
Referer-based access control
Authentication
Username enumeration via subtly different responses
Username enumeration via response timing
Broken brute-force protection, IP block
Username enumeration via account lock
2FA broken logic
Brute-forcing a stay-logged-in cookie
Offline password cracking
Password reset poisoning via middleware
Password brute-force via password change
WebSockets
Manipulating the WebSocket handshake to exploit vulnerabilities
Cross-site WebSocket hijacking
Web cache poisoning
Web cache poisoning with an unkeyed header
Web cache poisoning with an unkeyed cookie
Web cache poisoning with multiple headers
Targeted web cache poisoning using an unknown header
Web cache poisoning via an unkeyed query string
Web cache poisoning via an unkeyed query parameter
Parameter cloaking
Web cache poisoning via a fat GET request
URL normalization
Insecure deserialization
Modifying serialized data types
Using application functionality to exploit insecure deserialization
Arbitrary object injection in PHP
Exploiting Java deserialization with Apache Commons
Exploiting PHP deserialization with a pre-built gadget chain
Exploiting Ruby deserialization using a documented gadget chain
Information disclosure
Information disclosure in version control history
Business logic vulnerabilities
Low-level logic flaw
Inconsistent handling of exceptional input
Weak isolation on dual-use endpoint
Insufficient workflow validation
Authentication bypass via flawed state machine
Infinite money logic flaw
Authentication bypass via encryption oracle
HTTP Host header attacks
Web cache poisoning via ambiguous requests
Routing-based SSRF
SSRF via flawed request parsing
Host validation bypass via connection state attack
OAuth authentication
Forced OAuth profile linking
OAuth account hijacking via redirect_uri
Stealing OAuth access tokens via an open redirect
SSRF via OpenID dynamic client registration
File upload vulnerabilities
Web shell upload via path traversal
Web shell upload via extension blacklist bypass
Web shell upload via obfuscated file extension
Remote code execution via polyglot web shell upload
JWT
JWT authentication bypass via weak signing key
JWT authentication bypass via jwk header injection
JWT authentication bypass via jku header injection
JWT authentication bypass via kid header path traversal
Essential skills
Discovering vulnerabilities quickly with targeted scanning
Prototype pollution
DOM XSS via client-side prototype pollution
DOM XSS via an alternative prototype pollution vector
Client-side prototype pollution via flawed sanitization
Client-side prototype pollution in third-party libraries
Client-side prototype pollution via browser APIs
Privilege escalation via server-side prototype pollution
Detecting server-side prototype pollution without polluted property reflection
Bypassing flawed input filters for server-side prototype pollution
Remote code execution via server-side prototype pollution