For vibe coders who want to ship secure code

Security Learning Center

Learn to identify and prevent security vulnerabilities. Each guide explains how attacks work and how to protect your applications.

API Security (high)

Learn to identify and prevent API security vulnerabilities including broken authentication, object-level authorization flaws, and injection attacks.

Business Logic Vulnerabilities (high)

Learn how attackers exploit flaws in application workflows and business rules to bypass security controls and manipulate system behavior.

Cross-Site Scripting (XSS) (high)

Learn about XSS attacks including reflected, stored, and DOM-based variants. Master prevention with output encoding and Content Security Policy.

GraphQL Security (high)

Learn about GraphQL-specific vulnerabilities including introspection attacks, query batching abuse, alias-based DoS, and how to secure GraphQL APIs.

Insecure Direct Object Reference (IDOR) (high)

Learn how IDOR vulnerabilities allow attackers to access other users' data by manipulating object references. Covers horizontal and vertical privilege escalation, detection, and access control implementation.

Prototype Pollution (high)

Learn how prototype pollution vulnerabilities in JavaScript can poison entire applications, enabling XSS on clients and RCE on servers.

Race Conditions (high)

Learn how race conditions and TOCTOU vulnerabilities allow attackers to exploit timing windows between security checks and actions.

Security Misconfiguration (high)

Learn how security misconfigurations expose applications through default credentials, debug endpoints, excessive permissions, and missing security headers. Covers hardening and prevention strategies.

Serverless Security (high)

Learn about AWS Lambda and serverless function vulnerabilities including injection attacks, IAM misconfigurations, and credential theft techniques.

Web Cache Poisoning (high)

Learn how web cache poisoning exploits CDNs and caching proxies to serve malicious content to all users visiting a cached page.

WebSocket Security (high)

Learn about WebSocket vulnerabilities including Cross-Site WebSocket Hijacking (CSWSH), origin validation bypass, and how to secure real-time communication channels.

XML External Entity (XXE) (high)

Learn how XXE vulnerabilities in XML parsers enable file disclosure, SSRF, and denial of service attacks through malicious external entities.