Unlock enhanced API scanning with Burp Suite Enterprise Edition  –  Learn more
NEW

Web Security Academy Learning Paths

Our carefully curated pathways provide a structured approach to learning web security, empowering you to advance at your own pace while ensuring a deep understanding of the subject matter.

Web Security Academy Learning Paths

All learning paths

Sign in or create a free account to access our interactive, deliberately vulnerable labs, and track your learning progress.

API testing

This learning path teaches you how to test APIs that aren't fully used by the website front-end. You'll learn key API recon skills to help you discover more attack surface. In addition, you'll learn how to identify server-side parameter pollution vulnerabilities that may impact internal APIs.


Web LLM attacks

This learning path teaches you how to perform attacks using Large Language Models (LLMs). You'll learn how to construct attacks that take advantage of an LLM's access to data, API, and user information that you would not be able to access directly.


Cross-site request forgery (CSRF)

This learning path covers CSRF (Cross-Site Request Forgery). You'll learn about some common CSRF vulnerabilities, and how to prevent them.


Clickjacking (UI redressing)

This learning path deals with clickjacking attacks. You'll learn the fundamentals of clickjacking, how to construct basic attacks, and implement server-side and client-side defense strategies.


GraphQL API vulnerabilities

This learning path explores common vulnerabilities associated with GraphQL APIs due to implementation and design flaws. You'll learn how to find GraphQL endpoints, bypass some common defenses, and exploit a range of GraphQL API vulnerabilities.


Cross-origin resource sharing (CORS)

This learning path provides an in-depth understanding of CORS, including common examples of CORS-based attacks and how to protect against these attacks.


NoSQL injection

This learning path covers the detection, exploitation, and prevention of NoSQL injection vulnerabilities. You'll explore the differences between NoSQL and SQL injection, learn how to perform NoSQL syntax injection, and how to use NoSQL operators to manipulate queries.


Race conditions

This learning path covers race conditions, a common vulnerability in web applications where concurrent processes lead to unintended behavior. You'll learn how to identify, exploit, and prevent race conditions, leveraging tools like Burp Suite's Repeater and the Turbo Intruder extension.


SQL injection

This learning path explores authentication vulnerabilities, which have a critical impact on security. You'll learn about vulnerabilities in common authentication mechanisms and strategies for robust authentication.


Authentication vulnerabilities

This learning path explores authentication vulnerabilities, which have a critical impact on security. You'll learn about common mechanisms and vulnerabilities, and strategies for robust authentication.


Server-side request forgery (SSRF) attacks

This learning path teaches you about server-side request forgery (SSRF). You'll learn about its impact, common techniques used in attacks, and how to defend against them.


Prototype pollution

This learning path introduces you to prototype pollution vulnerabilities in JavaScript. You'll learn what prototype pollution is, how it can be exploited, and how to prevent it in your applications.


Server-side vulnerabilities

This learning path introduces you to a range of common server-side vulnerabilities. This is perfect if you're new to web security and want to get an overview of the kinds of vulnerabilities that exist, as well as how an attacker might identify and exploit them in real-world systems.


File upload vulnerabilities

In this learning path, you'll explore how simple file upload functions can become a vector for severe attacks. You'll learn how to bypass common defense mechanisms to upload a web shell, enabling full control over a vulnerable web server.


Path traversal

This learning path covers path traversal vulnerabilities. You'll learn how to carry out path traversal attacks and circumvent common obstacles. You'll also learn how to prevent path traversal attacks.


WebSockets vulnerabilities

This learning path covers the identification and exploitation of security vulnerabilities specific to WebSockets in web applications.


Web cache deception

This learning path covers web cache deception vulnerabilities. You'll learn how to identify discrepancies between how the origin server and cache handle requests and how to leverage the discrepancies to create path confusion.