Explore Lessons
Interactive lessons covering the most common web security vulnerabilities.
AI: Prompt Injection (New)
- Prompt injection represents an easy way for an attacker to introduce unexpected behavior in a machine learning model.
AI: Data Extraction Attacks (New)
- Your machine learning model may be leaking sensitive data without you knowing it.
AI: Bias and Unreliability (New)
- Machine learning is prone to bias and unreliability, and you need to put in safeguards to protect against that.
Broken Access Control
- All resources on your site need to have access control implemented, even if they aren't intended to be discoverable by a user.
Buffer Overflows
- An attacker can use buffer overflows to take your site offline or to inject malicious code.
Clickjacking
- As an application author, you need to be sure your users aren't having their clicks stolen by attackers.
Command Execution
- If your application calls out to the OS, you need to be sure command strings are securely constructed.
Cross-Site Request Forgery
- If an attacker can forge HTTP requests to your site, they may be able to trick your users into triggering unintended actions.
Denial of Service Attacks
- Sometimes attackers don't need to hack your website, they just want to make it unavailable to others.
Directory Traversal
- Ensure file paths are safely interpreted, or hackers can access sensitive files on your server.
DNS Poisoning
- If upstream DNS caches have been poisoned, attackers may be intercepting traffic before it even gets to you.
Downgrade Attacks
- Attackers may be able to intercept, read and manipulate HTTPS traffic if you fail to specify a modern version of TLS.
Email Spoofing
- Email spoofing is the sending of email messages with a forged "from" address.
File Upload Vulnerabilities
- File uploads are an easy way for an attacker to inject malicious code into your application.
Host Header Poisoning
- It's dangerous to rely on the value supplied in the Host header of an HTTP request.
Information Leakage
- Revealing system information helps an attacker learn about your tech stack.
Insecure Design
- Security begins before you start writing code.
Lax Security Settings
- Improper security settings are a common cause of vulnerabilities.
Logging and Monitoring
- Comprehensive logging and monitoring will tell you what your site is doing at runtime, which is key to spotting security events.
Malvertising
- Embedded adverts are a common target for hackers.
Mass Assignment
- Automatically unpacking data from the HTTP request can sometimes be too easy.
Open Redirects
- Most web applications make use of redirects. If your site forwards to URLs supplied in a query string, you could be enabling phishing attacks.
Password Mismanagement
- Safe treatment of passwords is essential to a secure authentication system - yet many websites get this wrong.
Privilege Escalation
- Privilege escalation occurs when an attacker exploits a vulnerability to impersonate another user or gain extra permissions.
Prototype Pollution
- If an attacker can access and modify prototype objects in JavaScript, you are in danger.
Regex Injection
- Regular expressions are frequently used in web development, but can be abused by attackers.
Remote Code Execution
- If an attacker can smuggle code into your web server process, you have a serious problem.
Session Fixation
- Insecure treatment of session IDs can leave your users vulnerable to having their session hijacked.
SQL Injection
- If you are vulnerable to SQL Injection, attackers can run arbitrary commands against your database.
SSL Stripping
- If only some actions on your website require HTTPS, an attacker may be able to steal credentials for your users.
Server-Side Request Forgery
- An attacker can use SSRF vulnerabilities to probe your internal network.
Subdomain Squatting
- Attackers will steal dangling subdomains to deliver malware and perform phishing attacks.
Toxic Dependencies
- Third-party libraries could be introducing vulnerabilities or malicious code into your system.
Unencrypted Communication
- Insufficient encryption can make you vulnerable to monster-in-the-middle attacks.
User Enumeration
- Leaking username information on your site makes things much easier for hackers.
Weak Session IDs
- Guessable session IDs make your website vulnerable to session hijacking.
XML Bombs
- Unsafe treatment of XML macros can make your server vulnerable to attack from specially crafted XML files.
XML External Entities
- Unsafe treatment of external references in XML allows an attacker to probe your file system for sensitive information.
DOM-based XSS
- If you make use of URI fragments in your site, you need to ensure they cannot be abused to inject malicious JavaScript.
Reflected XSS
- When building a website, you need to be sure you do not accidentally create a channel that allows malicious JavaScript to be bounced off your server.
Cross-Site Scripting
- If your site allows users to add content, you need to be sure that attackers cannot inject malicious JavaScript.
Cross-Site Script Inclusion
- If you are putting sensitive data in your JavaScript files an attacker is probably stealing it.