Getting Help
Lab Environment Setup
SQL Injection
-
SQL Injection | Complete Guide (65:41)
-
Lab #1 SQL injection vulnerability in WHERE clause allowing retrieval of hidden data (29:06)
-
Lab #2 SQL injection vulnerability allowing login bypass (33:17)
-
Lab #3 SQLi UNION attack determining the number of columns returned by the query (33:59)
-
Lab #4 SQL injection UNION attack, finding a column containing text (29:08)
-
Lab #5 SQL injection UNION attack, retrieving data from other tables (24:45)
-
Lab #6 SQL injection UNION attack, retrieving multiple values in a single column (29:24)
-
Lab #7 SQL injection attack, querying the database type and version on Oracle (26:50)
-
Lab #8 SQLi attack, querying the database type and version on MySQL & Microsoft (22:16)
-
Lab #9 SQL injection attack, listing the database contents on non Oracle databases (45:18)
-
Lab #10 SQL injection attack, listing the database contents on Oracle (40:24)
-
Lab #11 Blind SQL injection with conditional responses (48:38)
-
Lab #12 Blind SQL injection with conditional errors (44:58)
-
Lab #13 Blind SQL injection with time delays (19:08)
-
Lab #14 Blind SQL injection with time delays and information retrieval (35:37)
-
Note - Changes to Burp Collaborator
-
Lab #15 Blind SQL injection with out-of-band interaction (10:19)
-
Lab #16 Blind SQL injection with out of band data exfiltration (8:17)
-
Lab #17 SQL injection with filter bypass via XML encoding (7:14)
-
Lab #18 Visible error-based SQL injection (14:46)
Authentication Vulnerabilities
-
Authentication Vulnerabilities | Complete Guide (29:35)
-
Lab #1 Username enumeration via different responses (6:02)
-
Lab #2 2FA simple bypass (11:46)
-
Lab #3 Password reset broken logic (13:10)
-
Lab #4 Username enumeration via subtly different responses (9:23)
-
Lab #5 Username enumeration via response timing (13:58)
-
Lab #6 Broken brute-force protection, IP block (14:20)
-
Lab #7 Username enumeration via account lock (9:41)
-
Lab #8 2FA broken logic (9:36)
-
Lab #9 Brute-forcing a stay-logged-in cookie (17:13)
-
Lab #10 Offline password cracking (11:59)
-
Lab #11 Password reset poisoning via middleware (8:28)
-
Lab #12 Password brute-force via password change (25:08)
-
Lab #13 Broken brute-force protection, multiple credentials per request (16:46)
-
Lab #14 2FA bypass using a brute-force attack (9:54)
Directory Traversal
-
Directory Traversal | Complete Guide (21:05)
-
Lab #1 File path traversal, simple case (13:58)
-
Lab #2 File path traversal, traversal sequences blocked with absolute path bypass (10:55)
-
Lab #3 File path traversal, traversal sequences stripped non-recursively (14:26)
-
Lab #4 File path traversal, traversal sequences stripped with superfluous URL-decode (12:19)
-
Lab #5 File path traversal, validation of start of path (10:28)
-
Lab #6 File path traversal, validation of file extension with null byte bypass (9:54)
OS Command Injection
-
Command Injection | Complete Guide (29:58)
-
Lab #1 OS command injection, simple case (18:03)
-
Lab #2 Blind OS command injection with time delays (19:32)
-
Lab #3 Blind OS command injection with output redirection (25:51)
-
Note - Changes to Burp Collaborator
-
Lab #4 Blind OS command injection with out-of-band interaction (6:35)
-
Lab #5 Blind OS command injection with out-of-band data exfiltration (7:33)
Business Logic Vulnerabilities
-
Business Logic Vulnerabilities | Complete Guide (17:30)
-
Lab #1 Excessive trust in client-side controls (24:40)
-
Lab #2 High-level logic vulnerability (25:55)
-
Lab #3 Inconsistent security controls (6:34)
-
Lab #4 Flawed enforcement of business rules (29:08)
-
Lab #5 Low-level logic flaw (14:10)
-
Lab #6 Inconsistent handling of exceptional input (15:20)
-
Lab #7 Weak isolation on dual-use endpoint (22:32)
-
Lab #8 Insufficient workflow validation (20:04)
-
Lab #9 Authentication bypass via flawed state machine (17:59)
-
Lab #10 Infinite money logic flaw (41:17)
-
Lab #11 Authentication bypass via encryption oracle (18:47)
Information Disclosure
-
Information Disclosure | Complete Guide (29:12)
-
Lab #1 Information disclosure in error messages (9:41)
-
Lab #2 Information disclosure on debug page (11:20)
-
Lab #3 Source code disclosure via backup files (11:18)
-
Lab #4 Authentication bypass via information disclosure (10:56)
-
Lab #5 Information disclosure in version control history (4:32)
Access Control Vulnerabilities
-
Broken Access Control | Complete Guide (38:05)
-
Lab #1 Unprotected admin functionality (15:06)
-
Lab #2 Unprotected admin functionality with unpredictable URL (22:56)
-
Lab #3 User role controlled by request parameter (23:42)
-
Lab #4 User role can be modified in user profile (21:39)
-
Lab #5 URL-based access control can be circumvented (15:23)
-
Lab #6 Method-based access control can be circumvented (17:23)
-
Lab #7 User ID controlled by request parameter (21:24)
-
Lab #8 User ID controlled by request parameter, with unpredictable user IDs (29:18)
-
Lab #9 User ID controlled by request parameter with data leakage in redirect (21:36)
-
Lab #10 User ID controlled by request parameter with password disclosure (27:13)
-
Lab #11 Insecure direct object references (22:44)
-
Lab #12 Multi-step process with no access control on one step (16:25)
-
Lab #13 Referer-based access control (14:15)
File Upload Vulnerabilities
-
File Upload Vulnerabilities | Complete Guide (26:12)
-
Lab #1 Remote code execution via web shell upload (27:53)
-
Lab #2 Web shell upload via Content-Type restriction bypass (23:08)
-
Lab #3 Web shell upload via path traversal (26:54)
-
Lab #4 Web shell upload via extension blacklist bypass (30:11)
-
Lab #5 Web shell upload via obfuscated file extension (23:42)
-
Lab #6 Remote code execution via polyglot web shell upload (7:29)
-
Lab #7 Web shell upload via race condition (13:15)
Server-Side Request Forgery (SSRF)
-
Server-Side Request Forgery (SSRF) | Complete Guide (45:31)
-
Lab #1 Basic SSRF against the local server (21:31)
-
Lab #2 Basic SSRF against another back-end system (26:53)
-
Lab #3 SSRF with blacklist-based input filter (20:08)
-
Lab #4 SSRF with whitelist-based input filter (21:04)
-
Lab #5 SSRF with filter bypass via open redirection vulnerability (18:36)
-
Note - Changes to Burp Collaborator
-
Lab #6 Blind SSRF with out-of-band detection (6:01)
-
Lab #7 Blind SSRF with Shellshock exploitation (12:41)
XXE Injection
-
XXE Injection | Complete Guide (48:12)
-
Lab #1 Exploiting XXE using external entities to retrieve files (10:28)
-
Lab #2 Exploiting XXE to perform SSRF attacks (11:33)
-
Note - Changes to Burp Collaborator
-
Lab #3 Blind XXE with out-of-band interaction (5:53)
-
Lab #4 Blind XXE with out-of-band interaction via XML parameter entities (6:35)
-
Lab #5 Exploiting blind XXE to exfiltrate data using a malicious external DTD (16:54)
-
Lab #6 Exploiting blind XXE to retrieve data via error messages (12:14)
-
Lab #7 Exploiting XInclude to retrieve files (12:41)
-
Lab #8 Exploiting XXE via image file upload (23:48)
-
Lab #9 Exploiting XXE to retrieve data by repurposing a local DTD (23:51)
Cross-Site Scripting (XSS)
-
Cross-Site Scripting (XSS) | Complete Guide (40:03)
-
Lab #1 Reflected XSS into HTML context with nothing encoded (3:47)
-
Lab #2 Stored XSS into HTML context with nothing encoded (5:06)
-
Lab #3 DOM XSS in document.write sink using source location.search (7:46)
-
Lab #4 DOM XSS in innerHTML sink using source location.search (6:03)
-
Lab #5 DOM XSS in jQuery anchor href attribute sink using location.search source (7:09)
-
Lab #6 DOM XSS in jQuery selector sink using a hashchange event (10:14)
-
Lab #7 Reflected XSS into attribute with angle brackets HTML-encoded (5:05)
-
Lab #8 Stored XSS into anchor href attribute with double quotes HTML-encoded (5:50)
-
Lab #9 Reflected XSS into a JavaScript string with angle brackets HTML encoded (5:54)
-
Lab #10 DOM XSS in document.write sink using source location.search inside a select element (8:18)
-
Lab #11 DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded (4:30)
-
Lab #12 Reflected DOM XSS (7:46)
-
Lab #13 Stored DOM XSS (8:08)
-
Lab #14 Exploiting cross-site scripting to steal cookies (9:21)
-
Lab #15 Exploiting cross-site scripting to capture passwords (10:01)
-
Lab #16 Exploiting XSS to perform CSRF (12:08)
-
Lab #17 Reflected XSS into HTML context with most tags and attributes blocked (10:57)
-
Lab #18 Reflected XSS into HTML context with all tags blocked except custom ones (10:23)
-
Lab #19 Reflected XSS with some SVG markup allowed (6:34)
-
Lab #20 Reflected XSS in canonical link tag (7:26)
-
Lab #21 Reflected XSS into a JavaScript string with single quote and backslash escaped (4:32)
-
Lab #22 Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped (5:36)
-
Lab #23 Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped (7:40)
-
Lab #24 Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped (3:19)
Cross-Site Request Forgery (CSRF)
-
Cross-Site Request Forgery (CSRF) | Complete Guide (47:02)
-
Note - Changes to Python Simple Server
-
Lab #1 CSRF vulnerability with no defenses (22:22)
-
Lab #2 CSRF where token validation depends on request method (20:33)
-
Lab #3 CSRF where token validation depends on token being present (14:29)
-
Lab #4 CSRF where token is not tied to user session (18:01)
-
Lab #5 CSRF where token is tied to non-session cookie (27:32)
-
Lab #6 CSRF where token is duplicated in cookie (21:05)
-
Lab #7 CSRF where Referer validation depends on header being present (19:53)
-
Lab #8 CSRF with broken Referer validation (18:14)
-
Lab #9 SameSite Lax bypass via method override (7:51)
-
Lab #10 SameSite Strict bypass via client-side redirect (12:45)
-
Lab #11 SameSite Strict bypass via sibling domain (24:10)
-
Lab #12 SameSite Lax bypass via cookie refresh (18:29)
Cross-origin Resource Sharing (CORS)
-
Cross-Origin Resource Sharing (CORS) | Complete Guide (50:49)
-
Lab #1 CORS vulnerability with basic origin reflection (15:13)
-
Lab #2 CORS vulnerability with trusted null origin (19:08)
-
Lab #3 CORS vulnerability with trusted insecure protocols (23:32)
-
Lab #4 CORS vulnerability with internal network pivot attack (35:21)
Clickjacking
-
Clickjacking | Complete Guide (33:15)
-
Lab #1 Basic clickjacking with CSRF token protection (9:42)
-
Lab #2 Clickjacking with form input data prefilled from a URL parameter (10:04)
-
Lab #3 Clickjacking with a frame buster script (8:38)
-
Lab #4 Exploiting clickjacking vulnerability to trigger DOM-based XSS (11:27)
-
Lab #5 Multistep clickjacking (10:27)
What's Next?
