# Start Here A hands-on training guide for security teams and developers to learn application security through practical code examples. ## What This Guide Covers This training material teaches **26 common web application vulnerabilities** using real-world code examples. Each vulnerability is presented through a side-by-side comparison of vulnerable and secure code, making it easy to understand both the problem and the solution. ## Learning Approach **See the Vulnerability** → Every guide starts with a vulnerable code example that contains a real security flaw **Understand the Exploit** → Learn how attackers exploit the vulnerability to compromise applications or access sensitive data **Apply the Fix** → Step-by-step instructions show how to remediate the vulnerability with secure coding practices **Detect It Early** → Each vulnerability includes a [Semgrep](https://semgrep.dev/) rule template to integrate into your SAST scanning and CI/CD pipelines ## Who This Is For * **Security teams** training developers on secure coding practices * **Application security engineers** learning to identify and remediate vulnerabilities * **Development teams** improving their security knowledge through practical examples * **Security champions** teaching peers about common web security issues ## What's Included 26 vulnerabilities organized into 5 categories: * **Injection Vulnerabilities** (6) - SQL, SSTI, XPath, XXE, Request Smuggling, Deserialization * **Input-based Vulnerabilities** (3) - XSS, CSP Misconfiguration, HTTP Parameter Pollution * **Origin-related Vulnerabilities** (3) - CSRF, SSRF, CORS Misconfiguration * **Access-related Vulnerabilities** (6) - IDOR, Auth Code Interception, Session Hijacking, TLS Issues, JWT Vulnerabilities * **Logic & Timing Vulnerabilities** (3) - Business Logic Flaws, Type Juggling, Timing Attacks ## Note This guide focuses on practical code-level vulnerabilities. It is not exhaustive but covers the most common web application security issues encountered in modern development. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.appsecmanual.com/intro/readme.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.