Over 150 topics in Secure Development Training, delivered in English, Spanish, Simplified Chinese, and Korean

HackEDU covers the OWASP Top 10 for web, API security, and mobile security (Android and iOS), publicly disclosed vulnerabilities, hacking challenges, coding challenges, and other security topics. Custom content can be added.

Languages and Frameworks

Topics include:

SQL Injection
NoSQL Injection
Command Injection
Remote Code Execution
Reflected XSS
Stored XSS
Broken Authentication and Session Management
Authentication Rate Limits
Weak Session Management
Password Handling and Storage
Session Invalidation
Cross-Site Request Forgery
Broken Access Control
Account Enumeration
Security Misconfiguration
Information Leakage
Sensitive Data Exposure
Encryption Best Practices
Insufficient Logging & Monitoring
Using Components with Known Vulnerabilities
Insecure Deserialization
XML External Entities
JSON Web Token (JWT) Authentication Security
OAuth Implementation Vulnerabilities
Stack Overflow
Heap Overflow
Format String
Mass Assignment
Broken Function Level Authorization
Lack of Resources and Rate Limiting
Improper Assets Management
Broken Object Level Authorization
API Security Misconfiguration
Excessive Data Exposure

General Security

These lessons are part of our upcoming DevSecOps course.

Threat Modeling

Learn to fill out a threat modeling spreadsheet, using the STRIDE and DREAD frameworks.

Docker Security

Learn the basics about Docker and Docker security best practices including scanning your Dockerfiles for vulnerabilities, hardening your containers, and how to handle secrets.

Static Application Security Testing (SAST)

Learn how to integrate Static Application Security Testing (SAST) into your CI pipeline to build more secure applications.

Commit Hooks

Learn how to integrate commit hooks into your git commit process.

Advanced Lessons

These lessons are based on vulnerabilities found in real applications from HackerOne's bug bounty program.

Highly wormable clickjacking vulnerability in Twitter player card.

Blind XXE

XXE in Site Audit function exposing file and directory contents.

Remote Code Execution

RCE by command injection to 'gm convert' in image crop functionality.

SQL Injection with SQLMap

Complex SQL Injection in www.drivegrab.com

XSS using PostMessage

Stealing contact form data on hackerone.com using Marketo Forms XSS.

Included Public Vulnerabilities

HackEDU has sandboxes with public vulnerabilities to learn real world offensive and defensive security techniques in a safe and legal environment.

Capital One Breach

Reviews the 2019 Capital One breach, covering WAF configuration, Server-Side Request Forgery, the Instance Metadata Service, and secure data storage in S3.

This sandbox replicates a public Remote Code Execution (RCE) vulnerability in Drupal (CVE-2018-7600).

This sandbox replicates a public Remote Code Execution (RCE) vulnerability in Apache Struts 2 (CVE-2018-11776).

MySpace "Samy" Worm

Learn about the infamous XSS Samy Worm.

Zip Slip

This sandbox replicates public Zip Slip vulnerabilities in archive-extraction software.

Dozens of Challenges

HackEDU has challenges to further engage and gamify the learning process.

Coding Challenges

Defensive challenges where you find and fix a vulnerability in code to score points for the leaderboard.

Hacking Challenges

Offensive challenges where you exploit a web app using the techniques you learn in our lessons to score points.

What I've learned already since signing up for HackEDU has proven priceless in terms of protecting one of our major clients against data theft. This week I've been cleaning up several broken authentication issues on their site using the info I've learned just from the course!

Kevin K., Software Development Company

Wow, really great product! Great learning platform, far and away better than anything out there now.

Adam B., S&P 500 Company

Exploiting and then fixing the code is great. Hands-on and eye-opening, love it.

Jason L., Financial Services Company

Really love the fact that you can live patch the application. I really like how easy this makes it to see and understand the problem.

E S., Fortune 500 Company

Sign Up Today

The course, challenges, and practices are available for one year.

Access new secure coding training content as it is released.