# PortSwigger - Web Security Academy

<figure><img src="/files/76g1dJIhcwXxkZlMFBru" alt=""><figcaption><p>@PortSwigger Ltd</p></figcaption></figure>

## Web Security Academy

The Web Security Academy is a free online training center for web application security. It includes content from PortSwigger's in-house research team and from experienced academics, and it combines theoretical study with practical work in interactive labs.

<figure><img src="/files/oW1VkC1QmsLuK3jmm0pI" alt=""><figcaption></figcaption></figure>

* [Web Security Academy main page](https://portswigger.net/web-security/dashboard)
* [BurpSuite Documentation](https://portswigger.net/burp/documentation/desktop)

## Install & Configure Burp Suite

* [Burp Suite Configuration](https://dev-angelist.gitbook.io/burp-suite-configuration/)
* [Getting Started Guide](https://portswigger.net/web-security/getting-started)

### Quick Method

In my case, I installed Burp Suite Community Edition and Chromium on my main machine (Debian). By starting Burp Suite and clicking Proxy -> Intercept -> Open Browser (orange button), you get a Chromium instance that is already configured to communicate directly with Burp.

<figure><img src="/files/ITWaSzRIOI8KMXnhezaA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zShIolxay7wrAAwH3Ggw" alt=""><figcaption></figcaption></figure>

***

## Learning Paths

As suggested in HexDump's BSCP Technical Guide, there is no single methodology: the order of your path is subjective. You can follow the existing learning paths, proceed module by module, do all the Apprentice labs first, and so on. Below is a table describing a possible personalized study path: <https://blog.leonardotamiano.xyz/tech/bscp-technical-guide/>

<figure><img src="/files/ffi1kDzW1WlLzdi9YE7A" alt=""><figcaption><p><a href="https://portswigger.net/web-security/learning-paths">https://portswigger.net/web-security/learning-paths</a></p></figcaption></figure>

<table><thead><tr><th width="53"></th><th>MODULE</th><th>TYPE</th><th>COMPLEXITY</th><th data-type="checkbox">STATUS</th></tr></thead><tbody><tr><td>1</td><td>Information Disclosure</td><td>Server-Side</td><td>Low</td><td>true</td></tr><tr><td>2</td><td>Essential Skills</td><td>Advanced</td><td>Low</td><td>true</td></tr><tr><td>3</td><td>SQL Injection</td><td>Server-Side</td><td>Low</td><td>false</td></tr><tr><td>4</td><td>Command Injection</td><td>Server-Side</td><td>Low</td><td>false</td></tr><tr><td>5</td><td>Path Traversal</td><td>Server-Side</td><td>Low</td><td>false</td></tr><tr><td>6</td><td>XXE Injection</td><td>Server-Side</td><td>Low</td><td>false</td></tr><tr><td>7</td><td>File Upload Vulnerabilities</td><td>Server-Side</td><td>Low</td><td>false</td></tr><tr><td>8</td><td>Server-Side Request Forgery (SSRF)</td><td>Server-Side</td><td>Low</td><td>false</td></tr><tr><td>9</td><td>Authentication</td><td>Server-Side</td><td>Low</td><td>false</td></tr><tr><td>10</td><td>Access Control</td><td>Server-Side</td><td>Low</td><td>false</td></tr><tr><td>11</td><td>Clickjacking</td><td>Client-Side</td><td>Low</td><td>false</td></tr><tr><td>12</td><td>Web LLM attacks</td><td>Advanced</td><td>Low</td><td>false</td></tr><tr><td>13</td><td>Cross-site scripting (XSS)</td><td>Client-Side</td><td>Medium</td><td>false</td></tr><tr><td>14</td><td>Cross-site request forgery (CSRF)</td><td>Client-Side</td><td>Medium</td><td>false</td></tr><tr><td>15</td><td>Cross-origin resource sharing (CORS)</td><td>Client-Side</td><td>Medium</td><td>false</td></tr><tr><td>16</td><td>DOM-based vulnerabilities</td><td>Client-Side</td><td>Medium</td><td>false</td></tr><tr><td>17</td><td>Server-Side Template Injection</td><td>Advanced</td><td>Medium</td><td>false</td></tr><tr><td>18</td><td>Business Logic Vulnerabilities</td><td>Server-Side</td><td>Medium</td><td>false</td></tr><tr><td>19</td><td>HTTP Host Header Attacks</td><td>Advanced</td><td>Medium</td><td>false</td></tr><tr><td>20</td><td>Prototype Pollution</td><td>Advanced</td><td>Medium</td><td>false</td></tr><tr><td>21</td><td>WebSockets</td><td>Client-Side</td><td>Medium</td><td>false</td></tr><tr><td>22</td><td>JWT attacks</td><td>Advanced</td><td>Medium</td><td>true</td></tr><tr><td>23</td><td>GraphQL API Vulnerabilities</td><td>Advanced</td><td>Medium</td><td>false</td></tr><tr><td>24</td><td>Insecure Deserialization</td><td>Advanced</td><td>Medium</td><td>false</td></tr><tr><td>25</td><td>OAuth Authentication</td><td>Advanced</td><td>High</td><td>false</td></tr><tr><td>26</td><td>Race Conditions</td><td>Server-Side</td><td>High</td><td>false</td></tr><tr><td>27</td><td>HTTP Request Smuggling</td><td>Advanced</td><td>High</td><td>false</td></tr><tr><td>28</td><td>Web Cache Poisoning</td><td>Advanced</td><td>High</td><td>false</td></tr><tr><td>29</td><td>Web Cache Deception</td><td>Server-Side</td><td>High</td><td>false</td></tr></tbody></table>

Personally, I'm using a mixed approach.
