Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Web Application Penetration Testing · modules
From HTTP fundamentals to business-logic exploitation. The complete path.
Module 20 · Server-Side Template Injection (SSTI)
Why this module exists. SSTI almost always becomes RCE. The bug looks innocent — user input ends up in a template — and the impact is full server takeover. Modern frameworks make it harder, but every Indian SaaS that does email templating, custom report rendering, or user-customisable dashboards is exposed. The bug class in one […]
Module 15 · Insecure Deserialization
Java/.NET/Python/PHP/Ruby deserialization vulns, gadget chains, ysoserial, signed-data defense.
Module 16 · Race Conditions in Web Apps
TOCTOU, single-packet attacks, where races hide, Burp testing, transactional + idempotency-key defenses.
Module 17 · Prototype Pollution
JS prototype model, pollution sources, attack vectors (auth bypass, RCE chains), Object.create(null) defense.
Module 14 · HTTP Request Smuggling
CL.TE / TE.CL / TE.TE, HTTP/2 downgrade smuggling, exploitation impacts, detection via timing, defenses.
Module 3 · GraphQL Security
Introspection, depth/complexity attacks, aliasing brute force, mutation safety, persisted queries, subscriptions.
Module 13 · JWT Attacks
JSON Web Tokens (JWT) have become the default authentication token format in modern APIs. They’re compact, stateless, and when implemented correctly, secure. When implemented poorly, they’re a source of authentication bypass and privilege escalation. This module covers JWT structure, common attacks, and the concrete defences. JWT structure header.payload.signature # Base64-decoded example: Header: {"alg":"HS256","typ":"JWT"} Payload: {"sub":"priya","role":"admin","exp":1700000000} […]
Module 12 · File Upload Vulnerabilities
File upload features are everywhere — profile pictures, document uploads, attachments, imports. They’re also one of the most frequently-exploited vulnerability classes, capable of escalating from “user” to “RCE” in one click. This module covers the attack patterns and the layered defences. The attack surface Attacker uploads a file (malicious) Server saves file to disk Server […]
Module 11 · Cross-Site Request Forgery Deep Dive
Cross-Site Request Forgery (CSRF) tricks a user’s browser into submitting authenticated actions to a trusted site. Once ubiquitous, modern browsers and frameworks have made the baseline defence far stronger. But CSRF still appears — especially in legacy APIs and apps that mishandle authentication state. The core attack User is logged into bank.com (browser holds session […]
Module 10 · XML External Entity Injection (XXE)
XML External Entity (XXE) injection exploits XML parsers that process references to external entities. A classic vulnerability in XML-consuming applications — SOAP services, document upload features, SAML, configuration parsers. Can lead to file disclosure, SSRF, DoS, and RCE. How XXE works XML supports external entities — references to external resources. When a parser fetches the […]
Practitioners who've
shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.