Web Security Academy Profile
Web Security Academy

@WebSecAcademy

Followers: 128K
Following: 147
Media: 159
Statuses: 1K

Free web security training from @PortSwigger

Joined April 2018
@WebSecAcademy
Web Security Academy
10 hours
Preventing CORS-based attacks starts with correct configuration. Many sites still leave sensitive resources exposed due to missteps. Here are 5 ways to protect your apps against CORS-based attacks 👇
1️⃣ Proper configuration of cross-origin requests. Always define the exact
0
1
13
@WebSecAcademy
Web Security Academy
2 days
[APPRENTICE LAB] Exploiting Path Mapping for Web Cache Deception. When the cache server and origin server interpret URL paths differently, you can trick the cache into storing sensitive responses and then serve them to other users. In this lab, you’ll:
🔸 Discover how path
0
8
69
@WebSecAcademy
Web Security Academy
2 days
RT @albinowax: Want to make the most of the upcoming "HTTP/1.1 Must Die" research drop? We've just updated the countdown page with links to…
0
10
0
@WebSecAcademy
Web Security Academy
4 days
[APPRENTICE LAB] CORS Vulnerability with Basic Origin Reflection. If the server reflects your Origin and sets Access-Control-Allow-Credentials: true, you may be able to exfiltrate sensitive data with a simple XMLHttpRequest. In this lab, you’ll:
🔸 Abuse CORS to read
0
15
104
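The two CORS posts above (the configuration tips and the origin-reflection lab) describe the same mistake from both sides. Here is an added example, written for this page and not code from the Web Security Academy or PortSwigger, that puts the reflecting policy next to an explicit allow-list and approximates the browser's decision for a credentialed request. The origins, the allow-list and the `api.example.test` deployment are constructed for the demo.

```python
"""
Added example (not from the Web Security Academy posts): a CORS response-header
policy for a credentialed API, showing the origin-reflection mistake beside an
exact allow-list. Origins and the api.example.test deployment are constructed.
"""

# Assumed allow-list for the hypothetical api.example.test deployment.
# Note: the literal string "null" (sent by sandboxed documents) is deliberately
# not on it; an allow-list entry for "null" is as weak as reflecting everything.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.test",
    "https://admin.example.test",
})


def cors_headers_reflecting(origin):
    """The misconfiguration the lab describes: whatever Origin the browser sent
    is echoed back together with Allow-Credentials: true, so any site can read
    the authenticated response."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin):
    """Corrected policy: emit CORS headers only on an exact, case-sensitive
    match against the allow-list. Anything else gets no Allow-Origin at all,
    which the browser treats as 'not allowed'. Vary: Origin stops a shared
    cache from serving one origin's headers to another."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Vary": "Origin"}


def cross_origin_read_allowed(headers, origin):
    """Approximate the browser's check for a request made with credentials:
    the response must name this exact origin (a '*' wildcard is rejected when
    credentials are included) and must explicitly allow credentials."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


def compare_policies(origin):
    """Return (reflecting_allows_read, allowlist_allows_read) for one Origin."""
    return (
        cross_origin_read_allowed(cors_headers_reflecting(origin), origin),
        cross_origin_read_allowed(cors_headers_allowlisted(origin), origin),
    )


if __name__ == "__main__":
    for o in ("https://app.example.test", "https://other.example", "null"):
        print(o, compare_policies(o))
```

The reflecting policy lets every origin read the response; the allow-list version only ever answers for the names it was given, and a near-miss such as a differently cased host or a subdomain not on the list gets nothing.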
@WebSecAcademy
Web Security Academy
4 days
Just getting started in security? Find friends, support, tips and more on Discord:
0
3
20
@WebSecAcademy
Web Security Academy
5 days
Learning Path: Cross-site Request Forgery (CSRF). This learning path walks you through common pitfalls, bypasses, and how to exploit (and defend against) CSRF vulnerabilities. You’ll learn:
🔶 How CSRF works and how it's exploited
🔶 How to construct and deliver CSRF attacks
🔶
1
7
39
@WebSecAcademy
Web Security Academy
6 days
Ambiguous URLs are behind many SSRF, CORS, and redirect flaws, but most bypasses are scattered and undocumented. This cheat sheet consolidates payloads, encodings, and IP tricks into one place to assist your testing. Check it out:
2
79
412
@WebSecAcademy
Web Security Academy
7 days
Explain CORS like I'm five.
6
12
103
@WebSecAcademy
Web Security Academy
8 days
Changing the request method is an easy way to test how servers respond to different HTTP verbs. Just right-click in Repeater and hit “Change request method.” 💡 Great for checking if CSRF protections apply only to POST requests.
1
25
177
@WebSecAcademy
Web Security Academy
9 days
Learning Path: NoSQL Injection. In this hands-on learning path, you'll explore how NoSQL databases can be exploited using injection techniques similar to SQLi - despite structural differences. You’ll learn:
🔶 Key types of NoSQL injection and how they work
🔶 How to exploit
0
12
66
@WebSecAcademy
Web Security Academy
11 days
Solo hacking is fun. Hacking with others is really fun. Join us on Discord:
1
1
21
@WebSecAcademy
Web Security Academy
11 days
[PRACTITIONER LAB] CSRF where token validation depends on request method. If CSRF defenses only apply to POST requests, they are easily bypassed. In this lab, you'll exploit an implementation flaw where CSRF tokens are ignored in GET requests, allowing full control of user
1
13
101
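The Repeater tip ("check if CSRF protections apply only to POST") and the lab above both turn on one implementation detail: where the token check sits relative to the method check. This added example, written for this page and not the lab's own code, shows a handler that validates the token only for POST next to one that refuses state changes over safe methods and checks the token on everything else. The session store, token format and request shape are assumptions made for the demo.

```python
"""
Added example (not taken from the Web Security Academy lab): a CSRF token check
applied only to POST, beside one applied to every request that can change
state. Requests are plain dicts and the session store is constructed.
"""
import hmac
import secrets

# Assumed server-side session store: session id -> CSRF token bound to it.
SESSIONS = {"sess-alice": secrets.token_hex(16)}

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _token_matches(session_id, presented):
    """True only if the presented token equals the one bound to this session.
    compare_digest keeps the comparison constant-time."""
    expected = SESSIONS.get(session_id)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected, presented)


def change_email_vulnerable(request):
    """Flawed handler: the token is validated only when the method is POST,
    so the same action submitted as GET skips the check entirely."""
    if request["method"] == "POST":
        if not _token_matches(request["session"], request["params"].get("csrf")):
            return 403, "bad csrf token"
    return 200, "email changed to " + request["params"]["email"]


def change_email_fixed(request):
    """Fixed handler: a state-changing action is rejected outright over safe
    methods, and every remaining request must carry a session-bound token."""
    if request["method"] in SAFE_METHODS:
        return 405, "state-changing action requires POST"
    if not _token_matches(request["session"], request["params"].get("csrf")):
        return 403, "bad csrf token"
    return 200, "email changed to " + request["params"]["email"]


def make_request(method, session_id, email, csrf=None):
    """Build the dict both handlers consume; csrf is omitted when None."""
    params = {"email": email}
    if csrf is not None:
        params["csrf"] = csrf
    return {"method": method, "session": session_id, "params": params}


if __name__ == "__main__":
    no_token_get = make_request("GET", "sess-alice", "new@example.test")
    print("vulnerable:", change_email_vulnerable(no_token_get))
    print("fixed:     ", change_email_fixed(no_token_get))
```

The fixed handler also closes the variant where the method is switched to something other than GET or POST: any method outside the safe set still has to present the token.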
@WebSecAcademy
Web Security Academy
12 days
Last month we asked you to explain a vulnerability to us as if we were five years old. @stokfredrik replied with this awesome answer ✌️. But which vuln was he explaining?
13
7
113
@WebSecAcademy
Web Security Academy
13 days
What's a Burp Suite trick that you wish you knew sooner?
9
3
63
@WebSecAcademy
Web Security Academy
14 days
[APPRENTICE LAB] DOM XSS in document.write sink using source location.search. Directly assigning user input to document.write introduces a DOM-based XSS vector, allowing attackers to inject and execute arbitrary scripts in the browser context. This lab walks you through
0
13
114
@WebSecAcademy
Web Security Academy
15 days
Still building SQL queries with user input? That’s how breaches start. Here are 5 rules to keep you safe 👇
1️⃣ Never concatenate untrusted input into SQL queries. Using input like this opens the door for injection:
SELECT * FROM products WHERE category = '"+ input + "'
0
15
69
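Rule 1 above is easiest to see by running the post's products query both ways. This is an added example, written for this page rather than code from the Web Security Academy, using an in-memory SQLite table whose rows are constructed for the demo: the concatenated query from the post sits beside the parameterised form, and a helper reports a database error instead of raising so the two behaviours can be compared on the same inputs.

```python
"""
Added example (not from the Web Security Academy post): the concatenated
products query from the post run against an in-memory SQLite table, beside
the parameterised form. Table contents are constructed for the demo.
"""
import sqlite3


def make_db():
    """Constructed sample data: one unreleased product that the released = 1
    filter is meant to keep out of the listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            ("Gift card", "Gifts", 1),
            ("Lamp", "Lifestyle", 1),
            ("Prototype gadget", "Gifts", 0),
        ],
    )
    return conn


def products_concatenated(conn, category):
    """Rule 1 violated: the input is spliced into the SQL text, so quote
    characters in it change the statement's structure."""
    sql = (
        "SELECT name FROM products WHERE category = '"
        + category
        + "' AND released = 1"
    )
    return [row[0] for row in conn.execute(sql)]


def products_parameterised(conn, category):
    """Rule 1 followed: the input travels as a bound parameter and can only
    ever be compared as a string, whatever characters it contains."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def run(query_fn, conn, category):
    """Run one of the query functions, returning ('rows', list) on success or
    ('error', exception name) instead of raising on a malformed statement."""
    try:
        return ("rows", query_fn(conn, category))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for category in ("Gifts", "Men's", "Gifts' OR 1=1--"):
        print(repr(category))
        print("  concatenated: ", run(products_concatenated, db, category))
        print("  parameterised:", run(products_parameterised, db, category))
```

Three inputs tell the whole story: an ordinary category returns the same rows either way; an apostrophe in a legitimate value breaks the concatenated statement outright; and a value carrying a tautology and a comment marker makes the concatenated query drop its `released = 1` filter and list the unreleased product, while the parameterised query simply finds no category by that name.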
@WebSecAcademy
Web Security Academy
16 days
Sick of learning how to hack by yourself? Join us on our Discord server:
1
0
28
@WebSecAcademy
Web Security Academy
18 days
[APPRENTICE LAB] SQL injection vulnerability allowing login bypass. If an application doesn’t sanitize inputs, it’s open for attackers. In this lab, you'll learn how to exploit insecure login forms using classic SQL injection. Try now:
1
20
123
@WebSecAcademy
Web Security Academy
18 days
Ever heard of time-based SQL injection? These SQL sleep commands help you confirm blind injection by watching how long the database takes to respond 👇. Try this lab to see this in action:
1
22
79
@WebSecAcademy
Web Security Academy
22 days
RT @albinowax: When HTTP/1.1 Must Die lands at DEFCON we’ll publish a @WebSecAcademy lab with a new class of desync attack. One week later,…
0
65
0