SETH
Sign in to enroll in this course.
> About this course
> Course Modules
HTTP protocol, DNS, TCP/IP, cookies, sessions, and browser rendering - the foundation for everything that follows.
Linux CLI, Docker, virtual machines, and networking - build your offensive security environment from scratch.
Burp Suite, browser dev tools, CLI recon tools, and CyberChef - your offensive toolkit.
Your first client-side vulnerability - reflected XSS, context-dependent injection, and basic payloads.
The most dangerous injection attack - Union-based, error-based SQLi, and your first database extraction.
Reading arbitrary files from the server - directory traversal, normalization quirks, and encoding bypasses.
Leaked secrets, exposed source code, debug endpoints, and verbose errors - finding what should be hidden.
Brute-force attacks, credential stuffing, password reset poisoning, and cookie security fundamentals.
Insecure direct object references, horizontal/vertical privilege escalation, and forced browsing.
LFI, RFI, PHP wrappers, log poisoning, and filter chains - from file read to remote code execution.
Blind injection, time-based extraction, second-order SQLi, WAF bypass, and sqlmap mastery.
Persistent XSS, DOM source-to-sink analysis, file upload XSS, and filter evasion techniques.
Forged requests, token bypasses, SameSite cookie attacks, and CSRF chaining with other vulnerabilities.
Internal service access, cloud metadata theft, blind SSRF, protocol smuggling, and filter bypasses.
Web shells, extension bypass, MIME manipulation, image exploits, archive attacks, and polyglot files.
Algorithm confusion, JWK injection, kid parameter attacks, and JWT cracking.
Session fixation, hijacking, remember-me token attacks, and MFA bypass techniques.
Direct and blind command injection, metacharacters, out-of-band exfiltration, and OS-specific techniques.
HTTP response header injection, CRLF injection, Host header attacks, and email header injection.
In-band and blind XXE, XXE in file uploads, parameter entities, and XXE-to-SSRF chains.
Detection methodology, Jinja2/Twig/Freemarker exploitation, and sandbox escape techniques.
PHP object injection, Java gadget chains, Python pickle, .NET and Node.js deserialization exploits.
CL.TE, TE.CL, HTTP/2 smuggling, request tunneling, and response queue poisoning.
TOCTOU bugs, limit-overrun attacks, single-packet technique, and payment race conditions.
Client-side and server-side pollution, gadget chains, and DOM clobbering interaction.
Unkeyed inputs, cache key manipulation, web cache deception, and CDN-specific bypasses.
OAuth misconfigurations, PKCE downgrade, SAML signature wrapping, and auth protocol exploitation.
Mutation XSS, blind XSS, CSP bypasses, polyglot payloads, and XSS in PDF generators.
MongoDB injection, LDAP, XPath, XSLT, SSI, HQL/ORM, and LaTeX injection attacks.
Price manipulation, workflow bypass, payment logic, state machines, and CAPTCHA bypass.
REST flaws, GraphQL attacks, gRPC security, mass assignment, rate limiting bypass, and OWASP API Top 10.
Encoding bypasses, parser differentials, proxy quirks, and WAF-specific evasion techniques.
Padding oracle, hash length extension, ECB/CBC exploitation, timing attacks, and weak token generation.
Clickjacking, postMessage, WebSocket hijacking, CORS exploitation, and service worker abuse.
PHP loose comparison, JS type coercion, Unicode normalization bypass, and IDN homograph attacks.
Dangling CNAME takeover, subdomain chaining, and duplicate parameter exploitation.
HTML-to-PDF SSRF, LaTeX injection, ImageMagick exploits, FFmpeg SSRF, and polyglot files.
CSS exfiltration, DNS tunneling, timing side-channels, and out-of-band extraction methods.
Combining low-severity bugs into critical chains, WAF bypass chains, and real-world case studies.
Web shell pivoting, container awareness, data harvesting, persistence, and impact reporting.
Source code review, black-box testing, web application fuzzing, and vulnerability research workflow.
Dependency confusion, typosquatting, malicious packages, and frontend supply chain security.
Microservices, serverless exploitation, WebAssembly, SPA attacks, and GraphQL federation.
Advanced Burp features, essential extensions, Intruder attack types, and writing custom extensions.
Time management, team coordination, challenge triage, write-up methodology, and competition platforms.