Web Security Academy 🏫

Working through PortSwigger's Web Security Academy and experimenting with Burp Suite and Kali.

Topics

Client-side

• Cross-origin resource sharing (CORS)
• Cross-site request forgery (CSRF)
• Cross-site scripting (XSS)

Server-side

• Access control
• Authentication
• Business logic vulnerabilities
• Command injection
• Directory traversal
• File upload vulnerabilities
• Information disclosure
• Server-side request forgery (SSRF)
• SQL injection
• XML external entity (XXE) injection

Testing

• OWASP Web Security Testing Guide
• OWASP Application Security Verification Standard

License

The content of this repo are study notes based on PortSwigger's Web Security Academy. They hold all rights to any content that is not my own.

Setup

# Install Homebrew, VirtualBox, Vagrant and create a Kali VM
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | bash
brew bundle
vagrant up

Optionally, configure Chromium to trust the Burp CA certificate:

1. In the VM, open Burp's integrated Chromium browser.
2. Go to http://burpsuite and download the cacert.der certificate.
3. Go to chrome://settings/certificates and select Authorities.
4. Click Import, select cacert.der, and trust for web identies.