AppSecExplained
  • Index < START HERE
    • Support this space
    • My courses
    • My pentesting setup
    • How to get started from zero
    • Live stream schedule
  • 📽️Live Stream Content
    • Resource of the week
  • Fundamentals
    • HTTP
    • Web applications
      • Virtual hosting
      • Web application architecture
    • OWASP Top 10
    • Book recommendations
  • Enumeration
    • Methodology
      • DNS
        • Zone transfers
    • Content discovery / recon
      • Subdomains
      • Endpoints
      • Parameters
      • Spidering
  • Common vulns
    • SQL injection overview
      • Detection
      • Blind SQLi
      • Second-order SQLi
      • SQLi lab setup & writeups
    • NoSQL injection
    • JavaScript injection (XSS)
      • XSS Methodology
    • File Inclusion
      • Local file inclusion
        • Directory traversal
    • Command injection
    • XXE (XML external entity) injection
      • Blind XXE
    • Template injection
      • Server-side template injection
      • Client-side template injection
    • Authentication
      • Attacking password-based authentication
      • Attacking MFA
      • Authentication lab setup & writeups
    • Cross-Site Request Forgery (CSRF)
    • Insecure deserialization
      • PHP
      • Java
      • Python
      • .NET
    • Server-side request forgery (SSRF)
    • Insecure file upload
    • Clickjacking
    • Open redirect
    • Vulnerable components
    • Race conditions
      • Limit overrun
    • Prototype pollution
      • Client-side prototype pollution
    • APIs
      • API: BOLA
      • API: Broken authentication
      • BOPLA
      • API: BFLA
  • Bypassing controls
    • Rate limiting
    • WAF Bypasses
  • Scripts
    • Docker-compose.yml files
      • Wordpress
      • SQLi testing labs
    • PHP scripts
      • RCE Function Check
    • Wordlists
      • Single characters
      • SQLi
  • My writeups (CTF & BugBounty)
    • THM: Planet Express (Hard)
    • THM: StoreSuper (Medium)
    • CobraKai Dojo (Medium)
  • Code review
    • Getting started
  • Links worth your time
    • Practical API Hacking
    • Rana Khalil's Web Security Academy Course
    • Pentesterlab
    • Portswigger's Web Security Academy
    • TCM Security Discord
    • PentesterLand Writeups
  • Coming soon
    • Secure design principles
    • Threat modelling
    • Secure development lifecycle
    • Scanners
      • SAST
      • DAST
    • Tools dump
    • Live streams
Powered by GitBook
On this page

Was this helpful?

Index < START HERE

NextSupport this space

Last updated 11 months ago

Welcome

This site is still a work in progress! There will be gaps and there's of course a lot more to come so make sure to check back in soon!

My goal is to provide a somewhat living and up-to-date handbook for Web Application Hacking. In particular the checklists are designed not just to give you things to look for, but also spark ideas, and creative ways to find vulnerabilities.

This is a curated repository of my notes and experience over many years of testing web applications. I've stripped out the sensitive information and made it more accessible for those who are learning about web application security. I hope you find it useful in your journey.

Throughout this site, I try to promote ideas over specific payloads to help you solve problems and find security weaknesses that other testers or scanners may have missed.

Please feel free to connect with me! You can find me on LinkedIn, or Twitch.

https://www.linkedin.com/in/alex-olsen-47119322/
Please feel free to connect and message me if you have questions or feedback.
Page cover image
In a moment of weakness I signed up to Twitter.
LogoAppSecExplained - TwitchTwitch
I stream here from time to time :)