Portswigger
I began this note in July 2025 as part of my personal journey to enhance my web security skills, with the ultimate goal of preparing for the Burp Suite Certified Practitioner (BSCP) exam. Along the way, I found that breaking down complex security concepts into structured learning paths made the process much more effective—and enjoyable.
This site documents my progress through various web security topics, inspired by platforms like the Web Security Academy. Each path focuses on a specific vulnerability or attack vector, combining theoretical understanding with hands-on testing.
Whether you're also working toward certification, sharpening your offensive security skills, or just getting started in the field, I hope these learning paths can support your journey the same way they’ve supported mine.
Below is the list of all the learning paths I'm currently working through or planning to cover. Each includes a summary of what you'll learn and a link to dive deeper into the topic.
Master detection, exploitation, and prevention of SQL injection vulnerabilities—foundational for any security tester.
Learn to exploit path traversal to access unauthorized files and understand various mitigation strategies.
Examine insecure file upload handling and learn techniques to bypass filters and gain remote access.
A broad overview of common server-side issues—ideal for newcomers to web security.
Explore how SSRF can be used to access internal services and sensitive data, and how to defend against it.
Covers classic and modern CSRF vulnerabilities, real-world attack examples, and how to prevent them.
Study how JavaScript objects can be manipulated via insecure merges or assignments, leading to critical flaws.
Dive into login mechanisms, bypass techniques, and ways to build secure authentication flows.
Understand concurrency-based vulnerabilities and how to detect/exploit them using Burp Suite and Turbo Intruder.
Learn the differences between SQL and NoSQL injections, and how to exploit NoSQL-based applications.
Learn how to test APIs beyond the visible front-end. Covers API reconnaissance and server-side parameter pollution.
Identify and exploit misconfigured GraphQL implementations, with techniques to bypass common protections.