Start Here

A hands-on training guide for security teams and developers to learn application security through practical code examples.

What This Guide Covers

This training material teaches 26 common web application vulnerabilities using real-world code examples. Each vulnerability is presented through a side-by-side comparison of vulnerable and secure code, making it easy to understand both the problem and the solution.

Learning Approach

See the Vulnerability → Every guide starts with a vulnerable code example that contains a real security flaw

Understand the Exploit → Learn how attackers exploit the vulnerability to compromise applications or access sensitive data

Apply the Fix → Step-by-step instructions show how to remediate the vulnerability with secure coding practices

Detect It Early → Each vulnerability includes a Semgrep rule template to integrate into your SAST scanning and CI/CD pipelines
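To show what the four-step format looks like end to end, here is an added example that is not part of the guide itself, using the first injection topic it lists (SQL injection). It builds a constructed in-memory SQLite table, runs a vulnerable and a parameterised lookup against the same tautology payload, and finishes with a small AST-based stand-in for the "Detect It Early" step; that checker is a hypothetical illustration of what a SAST rule keys on, not the guide's Semgrep template.

```python
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the guide): two users in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


# 1. See the Vulnerability: user input is spliced into the SQL text, so the
#    input can change the structure of the query, not just a value in it.
def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# 2. Understand the Exploit: the payload closes the quoted literal and appends
#    an always-true condition, so the WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"


# 3. Apply the Fix: the SQL text is constant and the value travels separately
#    as a bound parameter, so it can only ever be compared as a value.
def find_user_secure(conn: sqlite3.Connection, username: str) -> list:
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with the attack payload."""
    conn = make_db()
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_attack": find_user_vulnerable(conn, PAYLOAD),
        "secure_normal": find_user_secure(conn, "alice"),
        "secure_attack": find_user_secure(conn, PAYLOAD),
    }


# 4. Detect It Early: a hypothetical, minimal stand-in for a SAST rule. It
#    reports the line numbers of `.execute(...)` calls whose first argument is
#    built with an f-string, `%` formatting or `.format()`. A real Semgrep rule
#    expresses the same idea as a pattern, and can also follow the string
#    through a variable, which this toy checker does not.
def find_formatted_execute_calls(source: str) -> list:
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        arg = node.args[0]
        formatted = (
            isinstance(arg, ast.JoinedStr)
            or (isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod))
            or (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format")
        )
        if formatted:
            hits.append(node.lineno)
    return hits


# Constructed snippet to scan: line 2 is the vulnerable call, line 3 is safe.
SNIPPET = '''
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
    print("flagged lines:", find_formatted_execute_calls(SNIPPET))
```

Running it shows the vulnerable lookup returning both users for the payload while the parameterised one returns nothing, and the checker flagging only the f-string call. The same structure (vulnerable snippet, payload, fixed snippet, detection rule) is what each guide in this collection walks through for its own vulnerability class.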

Who This Is For

  • Security teams training developers on secure coding practices

  • Application security engineers learning to identify and remediate vulnerabilities

  • Development teams improving their security knowledge through practical examples

  • Security champions teaching peers about common web security issues

What's Included

26 vulnerabilities organized into 5 categories:

  • Injection Vulnerabilities (6) - SQL, SSTI, XPath, XXE, Request Smuggling, Deserialization

  • Input-based Vulnerabilities (3) - XSS, CSP Misconfiguration, HTTP Parameter Pollution

  • Origin-related Vulnerabilities (3) - CSRF, SSRF, CORS Misconfiguration

  • Access-related Vulnerabilities (6) - IDOR, Auth Code Interception, Session Hijacking, TLS Issues, JWT Vulnerabilities

  • Logic & Timing Vulnerabilities (3) - Business Logic Flaws, Type Juggling, Timing Attacks

Note

This guide focuses on practical code-level vulnerabilities. It is not exhaustive but covers the most common web application security issues encountered in modern development.
