This repository contains detailed notes, labs, and walkthroughs from the PortSwigger Web Security Academy and other web application penetration testing resources.
It is designed for anyone interested in:
- Web Application Penetration Testing
- Bug Bounty Hunting
- Burp Suite Certified Practitioner
- Learning practical security testing methodologies
Note: New topics are continuously being added. Stay tuned for updates!
Authentication (13 Labs ✅)
- Lab 1 - Username enumeration via different responses
- Lab 2 - 2FA simple bypass
- Lab 3 - Password reset broken logic
- Lab 4 - Username enumeration via subtly different responses
- Lab 5 - Username enumeration via response timing
- Lab 6 - Broken brute-force protection, IP block
- Lab 7 - Username enumeration via account lock
- Lab 8 - 2FA broken logic
- Lab 9 - Brute-forcing a stay-logged-in cookie
- Lab 10 - Offline password cracking
- Lab 11 - Password reset poisoning via middleware
- Lab 12 - Password brute-force via password change
- Lab 13 - Broken brute-force protection, multiple credentials per request (EXPERT LEVEL)
Business Logic Vulnerabilities (10 Labs ✅)
- Lab 1 - Excessive trust in client-side controls
- Lab 2 - High-level logic vulnerability
- Lab 3 - Inconsistent security controls
- Lab 4 - Flawed enforcement of business rules
- Lab 5 - Low-level logic flaw (integer overflow)
- Lab 6 - Inconsistent handling of exceptional input
- Lab 7 - Weak isolation on dual-use endpoint
- Lab 8 - Insufficient workflow validation
- Lab 9 - Authentication bypass via flawed state machine
- Lab 10 - Infinite money logic flaw (automation recommended)
Information Disclosure (5 Labs ✅)
Race Conditions (5 Labs ✅)
Broken Authentication / Access Control Labs (13 Labs ✅)
- Lab 1 - Unprotected admin functionality
- Lab 2 - Unprotected admin functionality with unpredictable URL
- Lab 3 - User role controlled by request parameter
- Lab 4 - User role can be modified in user profile
- Lab 5 - User ID controlled by request parameter
- Lab 6 - User ID controlled by request parameter (GUIDs)
- Lab 7 - User ID controlled by request parameter (data leakage in redirect)
- Lab 8 - User ID controlled by request parameter (password disclosure)
- Lab 9 - Insecure direct object references (IDOR)
- Lab 10 - URL-based access control can be circumvented
- Lab 11 - Method-based access control can be circumvented
- Lab 12 - Multi-step process with no access control on one step
- Lab 13 - Referer-based access control
SSRF - Server-side Request Forgery (7 Labs ✅)
- Lab 1 - Basic SSRF against the local server
- Lab 2 - Basic SSRF against another back-end system
- Lab 3 - Blind SSRF with out-of-band detection
- Lab 4 - SSRF with blacklist-based input filter (bypass techniques)
- Lab 5 - SSRF with filter bypass via open redirection
- Lab 6 - Blind SSRF with Shellshock exploitation (Expert)
- Lab 7 - SSRF with whitelist-based input filter (advanced bypasses)
SQL injection
Path traversal
Command injection
File upload vulnerabilities
XXE injection
NoSQL injection
API testing
Web cache deception
Cross-Site Request Forgery (CSRF) - Client-Side Attacks (12 Labs ✅)
- Lab 1 - CSRF vulnerability with no defenses
- Lab 2 - CSRF where token validation depends on request method
- Lab 3 - CSRF where token validation depends on token being present
- Lab 4 - CSRF where token is not tied to user session
- Lab 5 - CSRF where token is tied to non-session cookie (cookie-setting trick)
- Lab 6 - CSRF where token is duplicated in cookie (double-submit)
- Lab 7 - SameSite Lax bypass via method override (_method spoofing)
- Lab 8 - SameSite Strict bypass via client-side redirect (path traversal + method spoof)
- Lab 9 - SameSite Strict bypass via sibling domain (CSWSH / WebSocket exfiltration)
- Lab 10 - SameSite Lax bypass via cookie refresh (OAuth / session regen trick)
- Lab 11 - CSRF where Referer validation depends on header presence (no-referrer trick)
- Lab 12 - CSRF with broken Referer validation (Referer manipulation / pushState trick)
Cross-Origin Resource Sharing (CORS) - Client-Side Attacks (3 Labs ✅)
Cross-Site Scripting (XSS) (27 Labs Completed)
- Lab 1 - Reflected XSS into HTML context with nothing encoded
- Lab 2 - Stored XSS into HTML context with nothing encoded
- Lab 3 - DOM XSS in document.write sink using source location.search
- Lab 4 - DOM XSS in innerHTML sink using source location.search
- Lab 5 - DOM XSS in jQuery anchor href attribute sink using location.search source
- Lab 6 - DOM XSS in jQuery selector sink using a hashchange event
- Lab 7 - Reflected XSS into attribute with angle brackets HTML-encoded
- Lab 8 - Stored XSS into anchor href attribute with double quotes HTML-encoded
- Lab 9 - Reflected XSS into a JavaScript string with angle brackets HTML-encoded
- Lab 10 - DOM XSS in document.write sink using source location.search inside a select element
- Lab 11 - DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
- Lab 12 - Reflected DOM XSS
- Lab 13 - Stored DOM XSS
- Lab 14 - Reflected XSS into HTML context with most tags and attributes blocked
- Lab 15 - Reflected XSS into HTML context with all tags blocked except custom ones
- Lab 16 - Reflected XSS with some SVG markup allowed
- Lab 17 - Reflected XSS in canonical link tag
- Lab 18 - Reflected XSS into a JavaScript string with single quote and backslash escaped
- Lab 19 - Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
- Lab 20 - Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
- Lab 21 - Reflected XSS into a template literal with angle brackets, single quotes, double quotes, backslash and backticks Unicode-escaped
- Lab 22 - Exploiting cross-site scripting to steal cookies
- Lab 23 - Exploiting cross-site scripting to capture passwords
- Lab 24 - Exploiting XSS to bypass CSRF defenses
- Lab 25 - Reflected XSS with AngularJS sandbox escape without strings
- Lab 26 - Reflected XSS protected by very strict CSP, with dangling markup attack
Clickjacking
DOM-based vulnerabilities
WebSockets
| Platform | Link |
|---|---|
| Website | dollarboysushil.com |
| @dollarboysushil | |
| Sushil Poudel | |
| GitHub | dollarboysushil |
| YouTube | dollarboysushil |
This project is licensed under the MIT License.
Happy Hacking!