Module 07: Attack Pages
The pattern repeats. SQL injection happens when user input flows into a query. Cross-site scripting happens when user input flows into HTML. Command injection happens when user input flows into a shell. CSRF happens when the browser sends a request the user did not authorize. Different surfaces, one principle: never confuse data and code.
Cross-Site Scripting (XSS)
Injecting JavaScript into pages another user will view. Reflected, stored, and DOM-based variants, plus the cookie theft demo that explains why session hijacking is so easy when it works.
Cross-Site Request Forgery (CSRF)
Tricking the browser into making an authenticated request the user never intended. Why cookies were a great idea twenty years ago and a defensive headache today. SameSite, tokens, and the death of the GET-side-effect.
Command Injection
When user input reaches the shell. The bug that turned a ping form into remote code execution — from Shellshock to Log4Shell and beyond. Interactive shell-substitution sandbox included.
XML External Entities (XXE)
An XML feature from 1998 that turns a parser into a file reader, SSRF tool, and sometimes RCE. SAML, Office docs, SVG uploads — all parse XML, all are attack surface.
File Upload
Magic bytes, content-type spoofing, double extensions, polyglots, ImageTragick. The path from "upload a profile picture" to RCE, and the structural defense that closes it.
Open Redirect
The "polite" vulnerability that powers credible phishing.
?next= parameters, OAuth callbacks, password reset returns — every login flow has one.
Path Traversal
../../../etc/passwd. Encoding bypasses, null bytes, double-decode, Apache's famous CVE-2021-41773. The fix: resolve, then verify.
Server-Side Template Injection
Jinja2, Twig, Velocity. When user input becomes the template source, the engine doesn't notice. {{ 7*7 }} is the polite probe; RCE follows in two more steps.
SSRF Playground
A vulnerable image-preview app. Try eight progressively cleverer payloads — file://, IMDS, internal IPs, DNS rebinding, 0.0.0.0 bypass. Flip on the defended mode and watch the same payloads bounce off scheme/host allow-lists and the network egress filter.
IDOR Scavenger Hunt
Six endpoints, each with an IDOR of a different shape: numeric increment, UUID enumeration via "convenience" filter, predictable tokens, mass assignment, nested-resource bypass, predictable S3 paths. Find each one, then read the fix pattern.