Structured courses for beginners. Learn the theory, answer questions, hack the lab.
Learn how attackers inject malicious scripts into websites and how to find them yourself.
Before you hack anything, you need to understand how the web works under the hood. HTTP, requests, responses, status codes, ports, cookies, sessions — all of it.
Understand how websites verify who you are — passwords, sessions, tokens, OAuth, and MFA. Essential knowledge before attacking any auth system.
A growing share of today's attack surface lives in APIs rather than rendered web pages. Learn how REST APIs and GraphQL work, how they're authenticated, and what to look for when testing them.
Your browser's built-in DevTools are one of the most powerful hacking tools you have. Learn to use them like a pro — no installs required.
Learn how attackers manipulate database queries through unsanitised input — and bypass logins, extract data, and own the backend.
Learn how to access other users' data by manipulating object references — one of the most common and impactful vulnerabilities in web applications.
sqlmap finds and exploits SQL injection vulnerabilities automatically. Point it at a login form and watch it do in seconds what would take hours by hand.
When attackers steal a database, what they usually get is password hashes, not passwords. hashcat cracks them by hashing millions of candidate passwords per second and comparing the results: a fast, unsalted hash like MD5 falls orders of magnitude faster than a deliberately slow one like bcrypt.
Hidden admin panels, forgotten backup files, undocumented API routes — ffuf finds them by brute-forcing paths that are never linked from the site.
curl lets you make raw HTTP requests from the terminal — no browser needed. Add headers, change methods, strip auth tokens, and see exactly what the server sends back.
Weak login flows, no rate limiting, insecure password resets — learn how authentication systems fail and how to find and exploit those failures.
Default credentials, exposed admin panels, verbose error messages, open cloud storage: misconfiguration is one of the most common findings on real pentests.
File upload features are one of the most dangerous attack surfaces. Learn how attackers bypass extension checks and upload webshells to execute code on servers.
Make the server fetch URLs on your behalf — reaching internal services, cloud metadata APIs, and systems that are completely inaccessible from the internet.
The application works exactly as coded — but the code doesn't match how the business should work. Negative prices, skipping steps, discount stacking.
When web apps pass user input to a system shell, attackers can append their own OS commands. The result is direct code execution on the server.
The industry standard list of the most critical web application security risks. Learn what each category means and where the vulnerabilities you have studied fit in.
Passwords stored in plaintext, sensitive data sent over HTTP, weak encryption keys, MD5 where bcrypt should be. Learn what goes wrong when applications mishandle cryptography.
Every library, framework, and plugin your application uses is a potential attack surface. Learn how attackers exploit known CVEs in outdated dependencies and how to check for them.
Trick a logged-in user's browser into sending a request to a site they are authenticated to, from a page the attacker controls, without them knowing. The browser attaches the session cookie automatically, and unless the server checks an anti-CSRF token or the cookie is protected by SameSite, it treats the request as genuine.
Attackers count on not being noticed. When applications do not log security events or nobody watches the logs, breaches go undetected for months. Learn what should be logged and why.
JSON Web Tokens are everywhere — and frequently misconfigured. Learn the full attack surface: weak secrets, the none algorithm, algorithm confusion, and key injection.
Apps that read files based on user-supplied filenames can be tricked into reading any file on the server. Learn how ../ sequences escape the intended directory.
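The traversal described above, worked through as an added example (not code from the course or the lab): a download handler that decodes, joins and normalizes the user-supplied name and trusts the result, a common half-fix that tests the string prefix, and a containment check that holds. Pure path arithmetic with posixpath so it runs without a filesystem; BASE and the filenames are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed: the directory the download handler is supposed to stay inside.
BASE = "/var/www/app/uploads"


def resolve_vulnerable(base: str, name: str) -> str:
    """Typical bug: decode, join, normalize, and trust the result.
    posixpath.join silently discards base when name is absolute, and
    normpath happily resolves ../ sequences out of base."""
    return posixpath.normpath(posixpath.join(base, unquote(name)))


def resolve_prefix_check(base: str, name: str):
    """Common half-fix: string prefix test on the normalized path.
    Beaten by any sibling directory whose name starts with the base name."""
    candidate = resolve_vulnerable(base, name)
    return candidate if candidate.startswith(base) else None


def resolve_safe(base: str, name: str):
    """Containment check: the normalized candidate must be strictly below base.
    On a real filesystem, run both paths through os.path.realpath first so a
    symlink inside base cannot point outside it."""
    decoded = unquote(name)
    if "\x00" in decoded:  # NUL truncation tricks in older runtimes
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("report.pdf", "../../../../etc/passwd",
                  "..%2F..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd",
                  "../uploads_backup/db.sql"):
        print(f"{probe!r:40} vulnerable={resolve_vulnerable(BASE, probe)!r:40} "
              f"prefix={resolve_prefix_check(BASE, probe)!r:40} safe={resolve_safe(BASE, probe)!r}")
```

The `../uploads_backup/db.sql` probe is the one to remember: the prefix check passes it because `/var/www/app/uploads_backup` starts with `/var/www/app/uploads`, while the commonpath check rejects it.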
No lockout. No rate limiting. A 4-digit PIN. Learn how brute force attacks work against real login systems and build the mindset for testing authentication.
Account numbers are sequential. The server never checks ownership. One request away from reading every customer's balance and transaction history.
The transfer API accepts the amount from the client. Send a negative number and the money flows the wrong way.
FirstBank signs JWTs with a weak secret. Crack it with hashcat, forge a token with role: admin, and access accounts that aren't yours.
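The two JWT failures named in the course blurb and in this lab, the `none` algorithm and a guessable HS256 secret, as one added example that is not the course's or the lab's code. It builds HS256 tokens with the standard library, shows a verifier that lets the token header pick the algorithm accepting a forged `alg: none` token, shows a verifier with the algorithm pinned rejecting it, and then runs the offline dictionary attack that hashcat performs at scale. SECRET, WORDLIST and the claims are constructed; algorithm confusion and key injection are not covered here.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: a guessable signing secret and a tiny stand-in for a hashcat wordlist.
SECRET = b"secret123"
WORDLIST = ["password", "letmein", "admin", "secret123", "changeme"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_parts(header: dict, payload: dict) -> tuple:
    dump = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return dump(header), dump(payload)


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a correctly signed HS256 token (what the server does at login)."""
    h, p = _encode_parts({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def forge_none(payload: dict) -> str:
    """Attacker: same payload shape, alg set to 'none', empty signature segment."""
    h, p = _encode_parts({"alg": "none", "typ": "JWT"}, payload)
    return f"{h}.{p}."


def verify_naive(token: str, secret: bytes):
    """Vulnerable verifier: lets the attacker-controlled header choose the algorithm."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, secret: bytes):
    """Hardened verifier: the algorithm is pinned server-side, never taken from the token."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def crack_secret(token: str, wordlist):
    """Offline dictionary attack on the HMAC secret: a captured token is the only oracle needed."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for word in wordlist:
        guess = hmac.new(word.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return word.encode()
    return None


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_none({"sub": "alice", "role": "admin"})
    print("naive accepts alg=none:", verify_naive(forged, SECRET))
    print("strict rejects alg=none:", verify_strict(forged, SECRET))
    cracked = crack_secret(legit, WORDLIST)
    print("cracked secret:", cracked)
    print("strict accepts admin token signed with cracked secret:",
          verify_strict(sign_hs256({"sub": "alice", "role": "admin"}, cracked), SECRET))
```

Pinning the algorithm closes the `none` hole but does nothing about the weak secret: the last line shows the strict verifier accepting a forged `role: admin` token because the attacker now holds the real key. Use a long random secret (or asymmetric signing) and verify that `role` is checked against the user record rather than trusted from the token.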
LLMs follow instructions — including instructions hidden inside user input. Learn how attackers hijack AI systems by injecting commands that override the developer's system prompt.
Safety filters trained into LLMs can be bypassed without touching the code. Learn the classic jailbreak techniques — DAN, fictional framing, the grandma exploit — and why they work.
When an AI reads external content — web pages, emails, documents — an attacker can hide instructions inside that content. The AI reads it and obeys. The user never sees the injection.
Bypass login systems by injecting MongoDB query operators — no SQL knowledge required.
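The operator injection described above, as an added example rather than course or lab code: a login handler that passes the parsed JSON body straight into a MongoDB-style filter, so a `{"$ne": ""}` object in place of a password string matches any user, plus the blind `$regex` extraction that turns the same oracle into a character-by-character password leak. The matcher is a small stand-in for the database query engine (it supports only `$ne` and `$regex`), and USERS is a constructed collection stored in plaintext purely to keep the demo short.

```python
import re

# Constructed user collection. Plaintext passwords only so the demo stays short;
# a real store would hold hashes (see the hashcat course).
USERS = [
    {"username": "admin", "password": "hunter2"},
    {"username": "alice", "password": "wonderland"},
]


def matches(doc: dict, filt: dict) -> bool:
    """Stand-in for the query engine: a dict value is treated as an operator object,
    exactly the behaviour that makes untyped JSON input dangerous."""
    for field, cond in filt.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    if value == arg:
                        return False
                elif op == "$regex":
                    if not isinstance(value, str) or not re.search(arg, value):
                        return False
                else:
                    raise ValueError(f"unsupported operator {op}")
        elif value != cond:
            return False
    return True


def find_one(filt: dict):
    return next((u for u in USERS if matches(u, filt)), None)


def login_vulnerable(body: dict):
    """Body fields go straight into the filter; objects become query operators."""
    return find_one({"username": body.get("username"), "password": body.get("password")})


def login_safe(body: dict):
    """Type-check before querying: credentials must be strings, never objects."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return find_one({"username": username, "password": password})


def extract_password(username: str, alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789") -> str:
    """Blind extraction: ask the vulnerable login one yes/no question per candidate character."""
    known = ""
    while True:
        for ch in alphabet:
            probe = {"username": username, "password": {"$regex": "^" + re.escape(known + ch)}}
            if login_vulnerable(probe):
                known += ch
                break
        else:
            return known


if __name__ == "__main__":
    bypass = {"username": {"$ne": ""}, "password": {"$ne": ""}}
    print("vulnerable login with $ne:", login_vulnerable(bypass))
    print("safe login with $ne:", login_safe(bypass))
    print("extracted admin password:", extract_password("admin"))
```

In a real application the same fix applies at the framework level: parse the body against a schema that only admits strings for credential fields, so operator objects never reach the driver.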
Find every subdomain, IP, and live host a target owns. The starting point of every bug bounty engagement.
Find hidden paths, admin panels, backup files, and exposed configs that developers forgot to lock down.
Identify what software a target runs — frameworks, versions, databases — and match it to known CVEs.
Find leaked API keys, hardcoded credentials, and sensitive data hidden in git history, GitHub repos, and exposed config files.
Use Google search operators to find exposed admin panels, config files, login pages, and sensitive data indexed by search engines.
Use the world's most powerful internet scanner to find exposed databases, open ports, default credentials, and misconfigured cloud services.
Master the most powerful vulnerability scanner in modern bug bounty — templates, tags, custom detection, and full pipeline integration.
Master the three tools every bug bounty hunter runs on every target — every flag, every mode, and how they work together.
The complete playbook — from picking a program and reading scope to chaining findings, writing reports, and getting paid.
Learn how template engines become weapons when user input reaches the template renderer — from math expressions to full remote code execution.
Learn how attackers abuse XML parsers to read server files, perform SSRF, and exfiltrate data, a risk in any API that parses XML with external entity resolution left enabled.
Learn how to exploit GraphQL APIs — introspection abuse, BOLA/IDOR, batching attacks, and field suggestions to map hidden data.
Learn how developers accidentally expose internal object fields through JSON body assignment — and how attackers use it to escalate privileges and manipulate data.
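The mass-assignment pattern described above, as an added example that is not the course's code: a profile-update handler that binds every key in the JSON body to the user model, so `role` and `email_verified` ride along with `email`, next to an allowlist that rejects anything outside the fields a user may change. The User model, PROFILE_FIELDS and the request body are constructed.

```python
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    email: str
    role: str = "user"
    email_verified: bool = False


# Constructed: the only field a user is allowed to change about themselves.
PROFILE_FIELDS = frozenset({"email"})


def update_profile_vulnerable(user: User, body: dict) -> User:
    """Binds every key the client sent to the model. hasattr() feels like a check
    but it admits every internal field, including role and email_verified."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_safe(user: User, body: dict) -> User:
    """Allowlist of writable fields. Unknown keys are rejected loudly rather than
    dropped silently, so probing shows up in the logs."""
    unexpected = set(body) - PROFILE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for key in PROFILE_FIELDS & set(body):
        setattr(user, key, body[key])
    return user


def demo() -> tuple:
    """Return (state after vulnerable update, whether the safe handler blocked the body)."""
    attack_body = {"email": "mallory@evil.example", "role": "admin", "email_verified": True}
    victim = update_profile_vulnerable(User(7, "mallory@example.com"), attack_body)
    try:
        update_profile_safe(User(7, "mallory@example.com"), attack_body)
        blocked = False
    except ValueError:
        blocked = True
    return asdict(victim), blocked


if __name__ == "__main__":
    state, blocked = demo()
    print("after vulnerable update:", state)
    print("safe handler rejected the body:", blocked)
```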
Learn how session management fails — predictable session IDs, session fixation, missing cookie flags, and sessions that survive logout.
Learn how misconfigured Cross-Origin Resource Sharing headers, typically an Access-Control-Allow-Origin that reflects the caller's origin together with Access-Control-Allow-Credentials: true, let an attacker's site silently read authenticated user data from APIs.
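The CORS failure described above, as an added example that is not the course's code: three server-side policies (reflect any origin, suffix-match the hostname, exact allowlist) and the browser-side rule that decides whether a page at the attacker's origin may read a credentialed response. The origins and allowlist are constructed; `audit()` sends the probes a tester would put in the Origin header.

```python
# Constructed origins for the example; the allowlist is what the hardened policy accepts.
ALLOWED_ORIGINS = {"https://app.firstbank.example", "https://admin.firstbank.example"}


def cors_reflect(origin: str) -> dict:
    """Vulnerable: echoes whatever Origin arrived and allows credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_match(origin: str) -> dict:
    """Common half-fix: suffix match on the hostname. An attacker registers
    evil-firstbank.example and passes."""
    if origin.endswith("firstbank.example"):
        return cors_reflect(origin)
    return {}


def cors_allowlist(origin: str) -> dict:
    """Hardened: exact match against a fixed set, plus Vary: Origin so a shared
    cache never serves one origin's answer to another."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def attacker_can_read(attacker_origin: str, response_headers: dict) -> bool:
    """Browser rule for a credentialed cross-origin response: readable only when
    ACAO equals the requesting origin exactly (browsers refuse '*' with credentials)
    and ACAC is 'true'."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acao is not None and acao != "*" and acao == attacker_origin and creds


def audit(handler, probes=("https://evil.example", "null", "https://evil-firstbank.example")) -> dict:
    """Send the probes a tester would put in the Origin header; report which ones leak data.
    'null' is what a sandboxed iframe sends, so reflecting it is as bad as reflecting anything."""
    return {origin: attacker_can_read(origin, handler(origin)) for origin in probes}


if __name__ == "__main__":
    for name, handler in (("reflect", cors_reflect), ("suffix", cors_suffix_match), ("allowlist", cors_allowlist)):
        print(f"{name:10}", audit(handler))
```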
Learn how OAuth authorization flows break under redirect_uri manipulation, missing state parameters, and authorization code interception.
Learn how password reset flows break — Host header poisoning redirects reset links to attacker servers, and predictable tokens are brute forced in seconds.
Learn how two-factor authentication fails — skipping the MFA step entirely via direct API access, and brute forcing weak OTP codes with no rate limiting.
Learn how unvalidated redirect parameters let attackers redirect users to malicious sites — and how chaining with OAuth creates critical token theft.
Learn how sending simultaneous requests exploits TOCTOU flaws — redeeming coupons multiple times, buying out-of-stock items, and bypassing rate limits.
Clone a login page, craft a convincing IT security alert, trick an operations manager into handing over her credentials, and access her company dashboard.