Web Security Academy
1.7K posts

Web Security Academy
@WebSecAcademy
Free web security training from @PortSwigger
Joined April 2018
36 Following, 140K Followers

Meet Kamil.
He's an Application Security Engineer from the Czech Republic. He learned English, and then learned to hack using Web Security Academy. He gives some great advice for beginners in this article. Here's a snippet:
"Don't get overwhelmed with the amount of labs, it took me more than six months to solve everything. You don't need to hurry, just take your time and try to solve at least a few labs every other week or so. You will progress naturally, and it's always fun to learn something new. My methodology was to pick up a topic and stick to it, trying to finish all the labs in that topic before moving to another one."
Read more about Kamil's journey 👇
portswigger.net/web-security/g…

Most cybersecurity training and certifications cost thousands of dollars.
Web Security Academy training is absolutely free, and the "Burp Suite Certified Practitioner" certification is just $99.
And our labs are really, really good.
What are you waiting for? Start learning now 👨💻💡
portswigger.net/web-security

One of the most common vulnerabilities in web applications is excessive trust in client-side controls.
Disabling a button on the web app doesn't mean that the server won't still process the request that the button would have sent.
Sharpen your ability to find and exploit these bugs with our free lab 🧪🤓
portswigger.net/web-security/l…

🚨NEW LAB!
Exploiting an AI powered security scanner to perform destructive actions.
Watch the video walkthrough and follow along here (free) 👇
portswigger.net/web-security/l…

Password brute-forcing doesn't always need to happen on a login field! 🚨
In this lab walkthrough, we brute-force a password by abusing "change password" functionality.
Play along here 👇
portswigger.net/web-security/a…

Apps behind reverse proxies can't use the visiting IP address as a source of truth, because the actual request to the webserver comes through the proxy, not directly from the browser. To fix this, many reverse proxies add an HTTP header with the source IP as the value (typically X-Forwarded-For).
This can sometimes be spoofed by simply adding that HTTP header ourselves.
Follow along with this lab walkthrough here 👇
portswigger.net/web-security/w…
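As an added example (not code from the post or from PortSwigger), here is the naive X-Forwarded-For handling the post describes beside a version that only honours hops appended by known proxies. The trusted proxy range and the request values are constructed for the example.

```python
import ipaddress

# Constructed for this example: the address range your own reverse proxies use.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_valid_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False

def is_trusted_proxy(addr):
    return is_valid_ip(addr) and any(
        ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)

def naive_client_ip(xff, remote_addr):
    """The pattern the post warns about: take the leftmost X-Forwarded-For value."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr

def client_ip(xff, remote_addr):
    """Walk X-Forwarded-For right to left, skipping hops that are our own proxies.
    The rightmost non-proxy address is the one our proxy actually received the
    connection from; everything left of it came from the client and may be forged."""
    if not is_trusted_proxy(remote_addr):
        # Direct connection: no proxy we trust added the header, so ignore it.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_valid_ip(hop):
            break  # malformed chain: fall back rather than trust any of it
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr

# Constructed request: the client sent a forged header value and the proxy at
# 10.0.0.5 appended the real peer address before forwarding the request to us.
SPOOFED_XFF = "127.0.0.1, 203.0.113.45"
PROXY_ADDR = "10.0.0.5"

if __name__ == "__main__":
    print("naive :", naive_client_ip(SPOOFED_XFF, PROXY_ADDR))  # 127.0.0.1
    print("robust:", client_ip(SPOOFED_XFF, PROXY_ADDR))        # 203.0.113.45
```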

The most common question we get is "I want to learn to hack, where do I start?".
The answer, of course, is the PortSwigger Web Security Academy.
But *where* in Web Security Academy?
You should start on the "Server-Side Vulnerabilities" learning path. This is an apprentice-level learning path, designed for beginners, and it covers some of the most fundamental vulnerability types.
What are you waiting for? 👇
portswigger.net/web-security/l…

Confused about where to begin your web‑security journey?
Our curated server-side vulnerabilities Learning Path makes that decision easy. Built for new hackers and developers, it guides you step‑by‑step through the most commonly exploited server‑side vulnerabilities with hands‑on labs. Learn the theory you need, then apply it immediately in realistic exercises.
Start today and level up your web‑security skills the practical way.
portswigger.net/web-security/l…

Have you ever cracked a password? 🔑
In this lab we use an XSS to steal Carlos' password, which contains an encrypted password, and then we crack it to gain access to his account!
Follow along with me here: portswigger.net/web-security/a…

When an application is vulnerable to SQL injection, attackers can leverage the UNION keyword to extract data from additional tables within the database.
What is the UNION keyword used for?
UNION is used in SQL to combine the results of two or more SELECT queries into a single result set.
Here is how it works:
Example SQL Query:
`SELECT a, b FROM table1 UNION SELECT c, d FROM table2`
For the above query to work, the following needs to be true:
- Both queries return the same number of columns.
- The data types in each column are compatible.
Once true, both the tables will be output as a single result.
Find out how the UNION keyword can be used to figure out the number of columns and data type in a database!
Check out our SQL Injection course for more 👇
portswigger.net/web-security/l…
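As an added example (not code from the post or from PortSwigger), the two rules above worked through in SQLite: a search built by string concatenation lets a second SELECT with a matching two-column shape be appended, the parameterised version binds the same input as a plain value, and a helper shows the database rejecting a UNION whose column counts differ. The tables and data are constructed for the example.

```python
import sqlite3

def build_db():
    """Constructed in-memory database for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price INTEGER, category TEXT);
        INSERT INTO products VALUES ('Cup', 5, 'Gifts'), ('Hat', 12, 'Clothing');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('carlos', 'example-hash');
    """)
    return conn

def search_vulnerable(conn, category):
    """The input is concatenated into the SQL text, so it is parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()

def search_safe(conn, category):
    """Parameterised: the driver binds the input as a value, never as SQL."""
    sql = "SELECT name, price FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

def union_accepts(conn, column_count):
    """Rule from the post: a UNION only parses when both SELECTs return the same
    number of columns. Returns False when the database rejects the query."""
    cols = ", ".join(["NULL"] * column_count)
    try:
        conn.execute(f"SELECT name, price FROM products UNION SELECT {cols}")
        return True
    except sqlite3.OperationalError:
        return False

# Constructed input that closes the string literal and appends a second SELECT
# with the same two-column shape; '--' comments out the trailing quote.
INJECTED = "Gifts' UNION SELECT username, password_hash FROM users--"

if __name__ == "__main__":
    db = build_db()
    print("concatenated :", search_vulnerable(db, INJECTED))  # includes the users row
    print("parameterised:", search_safe(db, INJECTED))        # []
    print("2 columns ok :", union_accepts(db, 2), "3 columns ok:", union_accepts(db, 3))
```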

Full account takeover via 2FA bypass!
Follow along as we perform a 2FA bypass against Carlos' account.
Sign up and navigate here to access the free lab: portswigger.net/web-security/a…

On live targets, password reset flows are an *excellent* target. Any bug in the flow can result in a full account takeover and getting them right is surprisingly complex.
Walk with me through exploiting some broken logic in a password reset flow.
Follow along here: portswigger.net/web-security/a…

Create. Save. Upload. ⬆️🗃️
Will Carlos be mad? Probably. If we can access this within an executable web server directory, the PHP script will fetch the contents of Carlos's secret.
This is known as a file upload vulnerability. It occurs when a server fails to validate the file name, type, or content, and lets you bypass restrictions to upload arbitrary files (like web shells), transforming a simple upload feature into a direct path for RCE.
Try it on our file upload labs! 👇
portswigger.net/web-security/f…

Here's how to deliver reflected XSS through an HTTP request smuggling vulnerability! 👇
Try this Practitioner lab now: portswigger.net/web-security/r…

Do you know what mass assignment is?
When you submit data to a website, the backend often maps those inputs directly to an object or model. Normally, you only see and send the fields the frontend exposes (like username and password). But if the backend doesn't protect certain attributes (say, an is_admin flag that exists in the object but isn't exposed in the frontend), an attacker can add that hidden field to the API request using a proxy tool (e.g., Burp) and send is_admin as true. If the server blindly accepts all incoming fields, it'll set that attribute to true and grant unintended privileges.
You're discovering hidden attributes in the object that you can write to - with a bit of luck, these attributes let you do things you shouldn't be able to do.
Learn more about mass assignment with a hands-on lab👇
portswigger.net/web-security/a…
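As an added example (not code from the post or from PortSwigger), the binding step the post describes: an update handler that copies every request field onto the model beside one that binds only an allowlist and reports the rest, which is also what you would log to spot tampering. The model, the allowlist and the request body are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False  # exists on the model, never exposed in the profile form

# Constructed allowlist: the only attribute the profile form is meant to change.
UPDATABLE_FIELDS = {"email"}

def update_vulnerable(user, body):
    """Binds every key in the request body that matches a model attribute."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user

def update_safe(user, body):
    """Binds only allowlisted fields; returns the keys it refused so they can be
    logged, since a request carrying is_admin is worth an alert, not just a drop."""
    rejected = sorted(set(body) - UPDATABLE_FIELDS)
    for key in UPDATABLE_FIELDS & set(body):
        setattr(user, key, body[key])
    return user, rejected

# Constructed request body with the hidden attribute added on the way to the API.
TAMPERED_BODY = {"email": "wiener@example.com", "is_admin": True}

if __name__ == "__main__":
    print(update_vulnerable(User("wiener", "old@example.com"), TAMPERED_BODY))
    print(update_safe(User("wiener", "old@example.com"), TAMPERED_BODY))
```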

You see others solving expert-level labs and posting writeups with complex exploit chains.
And you're still struggling with the apprentice labs. That's fine. Those people also struggled with the apprentice labs once. They just did it before you followed them.
Web security has a steep learning curve at the start because you need to understand HTTP, HTML, JavaScript, and server-side logic before the attacks make sense. Every new concept you learn makes the next one easier. It compounds.
If you solved one lab today, even with hints, you know more than you did yesterday.
Stick with it.

Server-side template injection (SSTI) occurs when your input gets embedded into a template, so the template engine executes your input as code on the server.
To test for it, try submitting {{7*7}} into a reflected input field. If it is rendered as "49" instead of {{7*7}} in the response, then the template engine evaluated your input. Template engines have different syntax, so you'll need to try different variations. For example, if the server uses Freemarker, you'd need to try ${7*7}.
Practice your SSTI skills here 👇
portswigger.net/web-security/s…
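As an added example (not code from the post or from PortSwigger), a constructed toy template engine that evaluates `{{7*7}}` the way the post describes, used to show the difference between splicing input into the template source and passing it as data, plus the post's detection rule as a function. The engine, the context and its `secret` value are assumptions for the example; it is not Jinja2 or any real engine.

```python
import re

# Constructed toy engine: understands {{name}} lookups and {{a*b}} integer
# products in a single pass, so substituted values are never re-parsed as code.
TAG = re.compile(r"\{\{\s*(?:(\d+)\s*\*\s*(\d+)|([A-Za-z_]\w*))\s*\}\}")

def render(source, context):
    def expand(m):
        if m.group(1):
            return str(int(m.group(1)) * int(m.group(2)))
        return str(context.get(m.group(3), ""))
    return TAG.sub(expand, source)

# Constructed server-side context; 'secret' must never appear in a response.
CONTEXT = {"secret": "example-secret-value"}

def greet_vulnerable(name):
    """User input is spliced into the template source, so the engine parses it."""
    return render("Hello " + name + "!", CONTEXT)

def greet_safe(name):
    """User input is passed as data; the engine only ever parses the fixed template."""
    return render("Hello {{user}}!", {**CONTEXT, "user": name})

def looks_evaluated(probe, response):
    """The post's detection rule: the probe came back transformed rather than
    echoed verbatim (for example {{7*7}} showing up as 49)."""
    return probe not in response

if __name__ == "__main__":
    print(greet_vulnerable("{{7*7}}"))  # Hello 49!
    print(greet_safe("{{7*7}}"))        # Hello {{7*7}}!
```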

