Secure Coding Academy
Master application security through 80 hands-on modules across 8 categories. Each module includes interactive lessons, quizzes, and real code exercises — no account required.
Core OWASP
10 modules
SQL Injection
Learn how attackers manipulate database queries and how parameterized queries stop them cold.
Cross-Site Scripting (XSS)
Understand how attackers inject scripts into web pages and master the output encoding that stops them.
Command Injection
Discover how attackers escape to the OS shell and the safe API calls that prevent shell interpretation.
Path Traversal
Learn how ../../../ sequences escape intended directories and how to lock down file access.
Insecure Deserialization
See how deserializing untrusted data can lead to RCE and learn safe alternatives.
Hardcoded Secrets
Discover why embedding credentials in code is catastrophic and how to manage secrets properly.
Server-Side Request Forgery (SSRF)
Understand how attackers use your server as a proxy to access internal services — and how to stop them.
Weak Input Validation
Master allowlist-based validation and understand why client-side checks are never enough.
Prototype Pollution (JavaScript)
Discover how attackers poison JavaScript's prototype chain to add properties to all objects — and how to write merge functions that cannot be exploited.
Cryptographic Failures
Understand why MD5 and SHA-1 are broken for passwords, how to use bcrypt and Argon2 correctly, and what TLS misconfigurations expose you to.
Injection
10 modules
NoSQL Injection
Discover how MongoDB operator injection bypasses authentication and how typed schemas prevent it.
LDAP Injection
Understand how unsanitized LDAP filter strings enable authentication bypass and directory enumeration.
XPath Injection
Learn how attackers exploit XML query strings and how parameterized XPath stops data extraction.
HTTP Response Splitting
Learn how CRLF injection in HTTP headers enables cache poisoning, XSS, and session hijacking.
Log Injection
See how attackers forge log entries to hide malicious activity and how structured logging prevents it.
Email Header Injection
Learn how attackers abuse form fields to inject CC and BCC headers for spam relay.
CSV/Formula Injection
Understand how spreadsheet formulas injected via CSV exports can execute commands on end-user machines.
HTML Injection
Understand how injected HTML markup enables phishing overlays and UI redressing even without JavaScript.
CSS Injection
Learn how injected CSS can exfiltrate sensitive data and render phishing overlays on legitimate pages.
HTTP Parameter Pollution
See how duplicate query parameters confuse server-side logic and enable filter bypass attacks.
Auth & AuthZ
10 modules
Broken Authentication
Understand common authentication flaws like credential stuffing, weak tokens, and missing lockout policies.
Session Fixation
Learn how attackers plant a known session ID before login and why regenerating it on auth is critical.
JWT Vulnerabilities
Explore JWT attacks including the none algorithm bypass, algorithm confusion, and weak secret exploitation.
OAuth 2.0 Misconfigurations
Understand redirect_uri bypass, missing state parameters, and token leakage that compromise OAuth flows.
Insecure Password Reset
Identify guessable reset tokens, token reuse flaws, and user enumeration in password reset flows.
Brute Force & Rate Limiting
Learn the attacks that exploit missing rate limits and implement layered defenses against automated credential attacks.
Privilege Escalation
Learn how attackers access admin functions as regular users when server-side role checks are missing.
Insecure Default Credentials
Understand the risks of default credentials left in production and how to enforce secure configuration.
SAML Vulnerabilities
Understand XML signature wrapping attacks and comment injection that bypass SAML authentication.
Account Enumeration
Learn how different error messages reveal valid usernames and how generic responses stop information leakage.
Cryptography
8 modules
Weak Password Hashing
Learn why MD5 and SHA-1 fail for password storage and how bcrypt and Argon2 resist offline cracking.
ECB Mode Encryption
See why ECB mode leaks patterns in encrypted data and why CBC and GCM modes with random IVs are essential.
Timing Side-Channel Attacks
Understand how response time differences leak secret data and how constant-time comparison stops them.
Certificate Validation Bypass
Learn why disabling TLS certificate verification creates MITM vulnerabilities in production code.
Insecure Randomness
Learn why Math.random() and rand() are predictable for security tokens and how to use cryptographic randomness.
Key Management Failures
Learn the dangers of hard-coded keys, keys in source control, and how to use secrets managers properly.
Padding Oracle Attacks
Understand how CBC padding errors leak decryption information and why authenticated encryption prevents it.
Hash Length Extension
Learn how Merkle–Damgård hashes are vulnerable to length extension and why HMAC is the correct MAC primitive.
Web Attacks
12 modules
Cross-Site Request Forgery
Learn how forged cross-origin form submissions hijack authenticated sessions and how CSRF tokens stop them.
Clickjacking
Learn how transparent iframe overlays trick users into clicking hidden elements and how frame headers prevent it.
Open Redirect
Understand how unvalidated redirect parameters enable phishing attacks and OAuth token theft.
Host Header Injection
Learn how attacker-controlled Host headers poison password reset links and web caches.
Mass Assignment
Understand how over-posting user-controlled fields like isAdmin can elevate privileges through unguarded model binding.
Business Logic Flaws
Discover how price manipulation, negative quantities, and workflow bypass defeat security when logic lives client-side.
DOM-based XSS
Learn how JavaScript sources like location.hash feed dangerous sinks like innerHTML to enable client-side XSS.
PostMessage Security
Learn how insecure postMessage handlers without origin validation enable cross-origin data theft and XSS.
WebSocket Security
Understand WebSocket-specific attacks including missing authentication and cross-site WebSocket hijacking.
Web Cache Poisoning
Learn how unkeyed HTTP headers in cached responses let attackers serve malicious content to all users.
Subresource Integrity
Learn how CDN script tampering can be prevented with the integrity attribute and cryptographic hash verification.
Content Security Policy
Master CSP directives, understand common bypasses like unsafe-inline and JSONP, and implement a strict nonce-based policy.
API Security
8 modules
CORS Misconfiguration
Learn how wildcard CORS and reflected Origin headers allow cross-origin requests to read sensitive API responses.
API Key Exposure
Learn how API keys leak through JavaScript bundles, git history, and query strings, and how to keep them server-side.
Excessive Data Exposure
Learn why returning full database objects and filtering client-side exposes sensitive fields to API consumers.
GraphQL Security
Understand GraphQL introspection exposure, missing field-level authorization, and query depth attacks.
REST API Security
Cover REST API fundamentals: authentication on all endpoints, HTTP verb restrictions, and authorization checks.
Insecure API Versioning
Learn how deprecated API versions left accessible expose old vulnerabilities that bypass current security controls.
Webhook Security
Learn how missing webhook signature validation and SSRF via webhook URLs compromise server security.
SOAP/XML Security
Understand XXE vulnerabilities in SOAP services and how schema validation prevents XML injection attacks.
Infrastructure
8 modules
Missing Security Headers
Learn which HTTP security headers protect against common attacks and how to set them via middleware.
TLS/SSL Misconfigurations
Understand how weak TLS versions and cipher suites expose encrypted traffic to decryption attacks.
Debug Mode in Production
Learn how debug mode exposes stack traces, environment variables, and internal paths to attackers.
Verbose Error Messages
See how stack traces, SQL errors, and internal paths leak system information that attackers use to target exploits.
Directory Listing Enabled
Understand how web server auto-index exposes file structures to attackers and how to disable it.
Server Misconfiguration
Cover common web server misconfigurations including default pages, unnecessary services, and permissive file permissions.
Docker Security
Learn how running containers as root, privileged mode, and secrets in ENV create container escape risks.
Infrastructure-as-Code Security
Learn how open S3 buckets, unrestricted security groups, and hardcoded passwords in Terraform create cloud breaches.
Supply Chain
8 modules
Vulnerable Dependencies
Learn how CVEs in third-party packages and transitive dependencies create exploitable attack surfaces.
Dependency Confusion
Learn how publishing higher-version public packages with internal names tricks package managers into installing malicious code.
Package Typosquatting
Learn how malicious packages with names similar to popular libraries steal credentials on developer machines.
Secrets in Source Code
Understand why API keys committed to git are permanently compromised and how to prevent and remediate them.
Container Image Security
Learn how using latest tags, unverified base images, and layer secrets create security risks in container deployments.
CI/CD Pipeline Security
Understand how secrets leak in CI logs, malicious PR attacks, and why OIDC tokens replace long-lived credentials.
Software Composition Analysis
Learn how untracked OSS licenses and missing SBOMs create legal risk and blind spots in vulnerability management.
Supply Chain Attacks
Study SolarWinds, XZ Utils, and build tool compromises to understand SLSA framework and build provenance.
Built for security-aware developers
The Academy complements Offensive360's SAST platform. When our scanner flags a vulnerability in your code, the Academy teaches you exactly why the pattern is dangerous and how to remediate it — not just for this file, but for every file you write going forward.