Web Security Academy

1.7K posts

@WebSecAcademy

Free web security training from @PortSwigger

Joined April 2018
36 Following 137.9K Followers
Web Security Academy@WebSecAcademy·
Want to test your real-world instincts, not just follow hints? 🕵️‍♂️ Try a Mystery Lab: pick a difficulty + vuln class, then get a random target with zero spoilers. It’s you, the app, and your methodology. portswigger.net/web-security/m…
Web Security Academy@WebSecAcademy·
As companies rush to plug LLMs into everything, they’re accidentally opening massive backdoors. If you’re a beginner looking for the next big frontier in cybersecurity, this is it. Our Web LLM Attack course shows you how to exploit AI chatbots to leak data and bypass restrictions.
This Web LLM Attack course will teach you:
🔶 What LLMs are
🔶 Exploiting LLM APIs, functions, and plugins
🔶 Prompt injection
🔶 Leaking sensitive training data
🔶 Defending against LLM attacks
Learn it from here 👇 portswigger.net/web-security/l…
Web Security Academy@WebSecAcademy·
APIs are the backbone of most modern apps: mobile, SPAs, microservices, integrations. This learning path helps you build real API testing instincts, from recon and documentation analysis to finding hidden parameters, mass assignment, and server-side parameter pollution, with hands-on labs throughout. portswigger.net/web-security/l…
Web Security Academy@WebSecAcademy·
Stop chasing rumors. Start learning from the source. 🕵️‍♂️ Get behind the curtain with the minds shaping the future of web security. Join the PortSwigger Discord, your seat at the table is waiting. discord.gg/portswigger
Web Security Academy@WebSecAcademy·
Are you a developer looking to secure your assets or an aspiring hacker? If you’re unsure where to begin, check out our Apprentice Learning Path, specially designed for complete beginners. We guide you through fundamental vulnerabilities and help you elevate your expertise step by step! portswigger.net/web-security/l…
Web Security Academy@WebSecAcademy·
AI applications are everywhere now. So are prompt injection vulnerabilities. If an LLM processes user input and has access to tools, APIs, or data, it's a target. If you're testing apps - now's the time to learn about LLM attacks! portswigger.net/web-security/l…
Web Security Academy@WebSecAcademy·
A year ago you didn't know what SSRF was. Six months ago you solved your first lab. Today you're chaining bugs in the wild. The path is the same for everyone. The only variable is whether you start. All courses are free. All labs are hands-on.
Web Security Academy@WebSecAcademy·
One of the biggest problems with cybersecurity training is that you already know what's vulnerable. In a real application, you don't know what (if anything) is vulnerable. It's a completely different game. That's why we have our "mystery labs". To test your hacker intuition 🥷 Try one now 👇 portswigger.net/web-security/m…
Web Security Academy@WebSecAcademy·
Ever heard of "mass assignment"? It's a vulnerability that allows you to update fields on the server-side that you shouldn't be able to touch - and it's way more common than you'd think! Follow along here: portswigger.net/web-security/a… Here's how it's done 👇
Web Security Academy@WebSecAcademy·
Rate limiting is often bypassable, it just depends how much effort you're willing to put in. Half the challenge is figuring out exactly what is being rate limited. Your IP? Your session? Your API key? Your device fingerprint?
- If your IP is being limited, bypass it by using multiple IPs through AWS API gateway.
- If your session is being limited, try reauthenticating before each request to get a new session.
- If your API key is being limited, try generating a new API key every few requests
- Device fingerprint? Spoof it!
There's also HTTP/2 multiplexing. Read more about how Burp handles HTTP/2 below 🧐 portswigger.net/burp/documenta…
Web Security Academy@WebSecAcademy·
Everyone who wants to learn:
1️⃣ XSS
↪️ SSRF
🤔 OWASP
🪟 DOM XSS
🔐 Auth bypass
💉 SQL injection
📁 File upload vulns
📦 GraphQL Hacking
🧰 Burp Suite Mastery
🧠 Business Logic Flaws
💔 Broken Access Control
🏴‍☠️ Real Exploit Techniques
💥 Much, much, much, more
I hope you found this account.
Web Security Academy@WebSecAcademy·
Stuck on a lab? Feeling frustrated? 🛑 Good. That's the feeling of your brain expanding. Take a breather then try this:
> Re-read the documentation
> Check the "Hint" if you must (we won't judge 😉)
> Ask a friend
> Look for a video walkthrough
> Ask on our Discord (discord.gg/portswigger)
But don't give up. The solution is one payload away. You've got this. 💪
Web Security Academy@WebSecAcademy·
Learn about GraphQL vulnerabilities! In this course, you’ll learn how to:
🔶 Master GraphQL introspection
🔶 Bypass GraphQL introspection defenses
🔶 Uncover misconfigurations and sensitive information
🔶 Utilise GraphQL resolvers to achieve unexpected outcomes
..and so much more! Click here for access 👇 portswigger.net/web-security/l…
Web Security Academy@WebSecAcademy·
Gain the knowledge of Prototype Pollution! Prototype pollution is a JavaScript vulnerability that lets an attacker introduce arbitrary properties to the global object prototypes. This manipulation allows the attacker to control the properties that are inherited by user-defined objects. For the COMPLETE guide, check out our FREE course with hands-on labs! In this course, you’ll learn:
🔶 How JavaScript prototype and inheritance works
🔶 Prototype pollution sources and sinks, gadgets
🔶 Client and server side prototype pollution
🔶 Prevention of prototype pollution
..and so much more! Click here for access 👇 portswigger.net/web-security/l…
Web Security Academy@WebSecAcademy·
Bypassing authentication by exploiting flawed signature verification in JWT sounds complicated. It's not though. Dedicate 10 minutes to this lab and you'll fully understand it 👇 portswigger.net/web-security/j…
Web Security Academy@WebSecAcademy·
The best time to start learning to hack was 10 years ago. The next best time to start learning to hack is right now. Sign up to our web hacking training - it's free. portswigger.net/web-security
Web Security Academy@WebSecAcademy·
Server-side parameter pollution is a bit of a tricky vulnerability class to get your head around. Hopefully this video will help! Watch me solve the lab and explain my thought process the entire way 🤝 You can follow along here 👉 portswigger.net/web-security/a…