Manually review a web application for security issues using only your browsers developer tools. Hacking with just your browser, no tools or scripts.

Learn the various ways of discovering hidden or private content on a webserver that could lead to new vulnerabilities.

Learn the various ways of discovering subdomains to expand your attack surface of a target.

Learn how to defeat logins and other authentication mechanisms to allow you access to unpermitted areas.

Learn how to find and exploit IDOR vulnerabilities in a web application giving you access to data that you shouldn't have.

This room introduces file inclusion vulnerabilities, including Local File Inclusion (LFI), Remote File Inclusion (RFI), and directory traversal.

Learn how to exploit Server-Side Request Forgery (SSRF) vulnerabilities, allowing you to access internal server resources.

Learn how to detect and exploit XSS vulnerabilities, giving you control of other visitors' browsers.

Learn about race conditions and how they affect web application security.

Learn about a vulnerability allowing you to execute commands through a vulnerable app, and its remediations.

Learn how to detect and exploit SQL Injection vulnerabilities

Lock in what you learned with a recap. Earn points and keep your streak.

Need to know

How The Web Works

To become a better hacker it's vital to understand the underlying functions of the world wide web and what makes it work.

Next steps

Burp Suite

Burp Suite is the industry standard tool for web application hacking, and is essential in any web penetration test.

What are modules?

A learning pathway is made up of modules, and a module is made of bite-sized rooms (think of a room like a mini security lab).

Introduction to Web Hacking