These are lessons that are part of our upcoming DevSecOps course
Learn to fill out a threat modeling spreadsheet, using the STRIDE and DREAD frameworks.
Learn the basics about Docker and Docker security best practices including scanning your Dockerfiles for vulnerabilities, hardening your containers, and how to handle secrets.
Static Application Security Testing (SAST)
Learn how to integrate Static Application Security Testing (SAST) into your CI pipeline to build more secure applications
Learn how to integrate commit hooks into your git commit process.
These lessons are based on vulnerabilities found in real applications from HackerOne's bug bounty program.
Highly wormable clickjacking vulnerability in Twitter player card.
XXE in Site Audit function exposing file and directory contents.
Remote Code Execution
RCE by command injection to 'gm convert' in image crop functionality.
SQL Injection with SQLMap
Complex SQL Injection in www.drivegrab.com
XSS using PostMessage
Stealing contact form data on hackerone.com using Marketo Forms XSS.
Included Public Vulnerabilities
HackEDU has sandboxes with public vulnerabilities to learn real-world offensive and defensive security techniques in a safe and legal environment.
Capital One Breach
Reviews the 2019 Capital One breach, covering WAF configuration, Server Side Request Forgery, Instance Metadata Services, and secure data storage in S3.
This sandbox replicates a public Remote Code Execution (RCE) vulnerability in Drupal (CVE-2018-7600).
This sandbox replicates a public Remote Code Execution (RCE) vulnerability in Apache Struts 2 (CVE-2018-11776).
MySpace "Samy" Worm
Learn about the infamous XSS Samy Worm.
This sandbox replicates public vulnerabilities with archive software.