Think like an attacker
Good code makes things work; security asks how to break it. Mindset, ethics, legality and the OWASP Top 10.
Threat modeling
Attack surface, who attacks what, defense in depth: why a single barrier is never enough.
SQL injection
The attack that empties a database, for real. Parameterized queries in PHP and Go, and why escaping is not enough.
Cross-site scripting (XSS)
Reflected, stored, DOM: injecting JS into the victim. Output encoding, textContent vs innerHTML.
Command injection
Running a system command or reading a forbidden file through unvalidated input. Allowlists and safe APIs.
Broken access control
OWASP's number one: IDOR, privilege escalation, and the golden rule of always checking on the server.
Authentication & passwords
Why md5 is a mistake, bcrypt/Argon2, brute force and rate limiting, MFA basics.
Secure sessions & cookies
HttpOnly, Secure, SameSite, session fixation: what really travels and how a session gets stolen.
Cross-site request forgery (CSRF)
Making the victim act without knowing. The synchronizer token as the real defense, SameSite as defense in depth.
CORS & the same-origin policy
What CORS really does, why it is NOT server-side security and does not stop CSRF.
Security headers & CSP
Content-Security-Policy nonce + strict-dynamic, HSTS, X-Frame-Options: hardening the browser without false comfort.
Applied cryptography
Hashing vs encryption, HTTPS/TLS, secrets and .env, and the rule: never roll your own crypto.
Dependencies & supply chain
A flaw in a dependency is your flaw. composer audit, npm audit, integrity and trust.
Logging, errors & deployment
Logging without leaking data, handling errors without revealing everything, and the OWASP 2025 go-live checklist.
Going further · Level 2
Six specific attacks beyond the core Top 10, each with its own lab: path traversal, upload, SSRF, template injection, deserialization, and AI application security.
Path traversal
Escaping the intended folder with ../../ to read a forbidden file. Allowlist and canonical path.
File upload
Dropping a shell.php and taking the server. Allowlist, real content, storage where nothing executes.
SSRF
Forcing the server to request internal targets, up to cloud credentials. Allowlist and private ranges blocked.
Template injection (SSTI)
When {{7*7}} returns 49: input compiled as a template leads to RCE. Input is data.
Insecure deserialization
A serialized cookie becomes a trapped object that runs code. Use JSON, and never unserialize untrusted input.
AI app security
Prompt injection hijacks an LLM. Least privilege, human in the loop, untrusted output.
What you will learn
Spot and fix the OWASP Top 10 2025 flaws in your code
Understand SQL injection, XSS and CSRF from attack to fix
Secure authentication, sessions, cookies and passwords
Configure CORS, security headers and CSP without a false sense of security
This course shows attacks so you learn to defend against them. Only test these techniques on your own systems or on dedicated (authorized) training platforms. Attacking a third-party system without written authorization is illegal.