Learning Track · 20 modules

Attacker Mindset — Web

Why each web vuln class exists — trust boundaries, grammar confusion, authorization drift. Mindset first, tools second.

Why this track

This track walks you from fundamentals through advanced techniques across 20 practitioner modules — the same body of knowledge senior security professionals build over years, structured for self-paced progression with India-specific context throughout.

Prerequisite: See module 1 for entry context. Most modules are self-contained but follow the suggested sequence for best results.
Modules: 20
Total time: 16.5 h
Free modules: 20
Quiz retries
Difficulty mix: Beginner: 1 · Intermediate: 12 · Advanced: 6 · Expert: 1

Module sequence

M1
Trust Boundaries — Where Every Web Vuln Begins
Every web vuln is a trust-boundary bug. Learn to see boundaries before learning to exploit them.
Beginner 60 min
M2
Why Injection Still Happens — A Grammar Problem
Injection isn't about bad input. It's attackers smuggling tokens into an interpreter's grammar.
Intermediate 75 min
M3
Why Auth Checks Fail — Missing Gates Everywhere
Authentication is one gate. Authorization is every gate after. Most breaches live in the latter.
Intermediate 75 min
M4
Business Logic — Where Scanners Fail
Business logic bugs are legal sequences of actions producing illegal outcomes. Understand the product to find them.
Advanced 90 min
M5
Why SSRF Is Still Critical in 2026
Every URL parameter where the server fetches. Cloud metadata turned SSRF from inconvenience to catastrophe.
Advanced 90 min
M6
Why XSS Persists — Context Is Everything
Framework defaults cover one HTML context. Every other context — URL, CSS, JSON-in-script — is fresh attack surface.
Advanced 90 min
M7
File Upload — Three Attacks in One
Upload = attack at parsing + storage + serving. All three have their own rules, and mistakes compound.
Advanced 90 min
M8
APIs — Your Mobile App Is Public Attack Surface
Every endpoint your mobile or SPA calls is exposed to the internet. Shadow endpoints, version drift, mass assignment.
Advanced 90 min
M9
Session Tokens — Where Auth Bugs Live After Login
Developers focus on login; attackers target sessions. Theft, rotation, revocation, and the edge cases that break.
Advanced 90 min
M10
The Framework-Assumption Gap
'The framework handles it' is the most dangerous phrase in modern web security. Escape hatches, third-party integrations, and non-REST transports.
Expert 90 min
M11
Why Validation at Multiple Layers
Defence in depth is a phrase. Multi-layer validation is its application. Client-side validation catches user mistakes. Edge validation (WAF) catches bulk attacks. Server-side validation enforces business rules. Database constraints catch the rest. Each catches what the others miss. Skip a layer = bypass that layer’s coverage entirely. The mistake: assuming “the WAF catches it” or […]
Intermediate 15 min
M12
The Cookie Confusion Cascade
Cookies are the most-misunderstood browser feature. Domain attribute, path, SameSite, Secure, HttpOnly, Partitioned — each affects when the browser sends the cookie. Combinations produce surprising behaviour. Examples that catch defenders off guard: cookie set on parent domain visible to subdomain (intentional, abuseable); SameSite=Lax allows top-level navigation cookies (CSRF window); Partitioned cookies behave differently per top-level […]
Intermediate 15 min
M13
Browser Origin Boundaries
Same-Origin Policy is the bedrock of web security. But “origin” has nuances: scheme matters, port matters, path doesn’t. Subdomains aren’t same-origin (they’re same-site, different concept). CORS is opt-in cross-origin. It carries credentials only with explicit allow. Access-Control-Allow-Origin: * with credentials is invalid. Many implementations get this wrong. postMessage crosses origins by design. Receiver must validate […]
Intermediate 15 min
M14
Authentication vs Authorization Split
Authentication: who are you. Authorization: what can you do. Most security education conflates them. Most bugs live in the gap. An authenticated user is not authorized for everything they ask. Authorization is per-resource, per-action, often per-attribute. IDOR exists because authn is correct but authz is missing. The mindset: at every endpoint, two questions: “is this […]
Intermediate 15 min
M15
State Machines Have More Edges Than You Think
Every web app is a state machine. Order = pending → paid → shipped → delivered. State transitions have rules. The rules have gaps. Attackers enumerate edges adversarially: can I go from pending to delivered, skipping paid? Can I cancel after shipped? Can I trigger paid → paid (double payment processing)? The mindset: draw the […]
Intermediate 15 min
M16
The Three Types of Web Sessions
“Session” is overloaded: browser session (open tabs), server session (data keyed by session ID), application session (the user’s logical workflow). Each has different lifetime; each has different invalidation rules. The bug pattern: developer thinks “user logged out, session ended.” Browser session ended. Server session may persist. JWT may still be valid. OAuth refresh token still […]
Intermediate 15 min
M17
Why HTTP Headers Are Programmable Trust
Application code routinely trusts HTTP headers. X-Forwarded-For for client IP. Host for routing. Origin for CORS. Each is attacker-controllable in some path. If your code does if (request.headers["X-Admin-Override"] == "true"), you’ve created a backdoor. If your code trusts X-Forwarded-For without validating the immediate peer, you’ve created an IP-spoofing primitive. The mindset: each header your code […]
Intermediate 15 min
M18
CDN as Attack Surface
CDN was once a passive cache. Now: edge functions, header rewriting, cache key manipulation, custom routing. Each is a new attack surface. Cache poisoning, cache deception, edge-function privilege escalation, header injection between CDN and origin — all bug classes that didn’t exist when CDN was just static-asset cache. The mindset: list every CDN feature you […]
Intermediate 15 min
M19
The 5 Trust Boundaries in Every Web App
Trust boundaries are where one component trusts data from another. Each crossing is a place to validate. Most apps have at least 5: Browser to server (the obvious one — input validation) Server to database (parameterised queries) Server to upstream API (output validation, response-content trust) Server to cache (cache-key collisions, deserialisation) Server to message queue […]
Intermediate 15 min
M20
Reading Other People’s Code With Suspicion
Most code review looks for “does it work?” Security code review asks “does it work for inputs the author didn’t imagine?” The questions: What does the author assume about input format? What language quirk could surprise this code? What if this is concurrent? What if the dependency does something unexpected? What if the user’s session […]
Intermediate 15 min

Common questions about this track

How long will this track take me?

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience?

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications?

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
