9.1: flaws.cloud
Exploit several vulnerable cloud deployments to gain unauthorized access.
77 min 
Updated Jun 17, 2025
9.2: flaws2.cloud
Play attacker and defender roles in the cloud using several vulnerable cloud deployments.
73 min 
Updated Jun 17, 2025
9.3: Serverless Goat
Exploit a serverless application to gain unauthorized access to resources of the account that hosts it.
68 min 
Updated Jun 17, 2025
9.4: CloudGoat
Exploit vulnerable cloud deployments to gain unauthorized access to cloud resources.
73 min 
Updated Jun 17, 2025
5.1: XSS
Leverage cross-site scripting to attack vulnerable clients
174 min 
Updated Jun 17, 2025
5.2: CORS, Content Security Policy
Experiment with headers within HTTP that limit XSS vulnerabilities.
72 min 
Updated Jun 17, 2025
6.1: CSRF
Leverage cross-site request forgery to exploit vulnerable web applications
53 min 
Updated Jun 17, 2025
6.2: Clickjacking, Web Cache Poisoning
Leverage unsolicited framing and web cache poisoning to exploit vulnerable web applications
50 min 
Updated Jun 17, 2025
6.3: Insecure Deserialization (PHP)
Leverage a deserialization vulnerability to exploit a PHP web application.
43 min 
Updated Jun 17, 2025
6.4: Insecure Deserialization (JavaScript)
Leverage a deserialization vulnerability to exploit a NodeJS web application.
55 min 
Updated Jun 17, 2025
6.5: Web Socket Vulnerabilities
Leverage vulnerabilities in web socket use
10 min 
Updated Jun 17, 2025
8.1: Cloud Setup
Set up accounts on a cloud provider for the course.
30 min 
Updated Jun 17, 2025
8.2: Thunder CTF
Play attacker and defender roles in the cloud using several vulnerable cloud deployments.
171 min 
Updated Jun 25, 2025
8.3: Thunder CTF Defender
Play defender in the cloud using a compromised cloud deployment.
70 min 
Updated Jun 26, 2025
1.2: Web Programming
Use Python to efficiently access a collection of web sites
53 min 
Updated Apr 8, 2025
1.4: HW1 (username-enumeration-via-response-timing)
Write a program to brute-force a vulnerable authentication process
147 min 
Updated Apr 15, 2025
4.2: HW2 (time-delays-info-retrieval)
Write a program to perform Blind SQL injection using binary search
161 min 
Updated Jun 17, 2025
6.6: Final project
Exploit additional classes of vulnerabilities and create a screencast walkthrough showing how.
422 min 
Updated Jun 17, 2025
1.3: Broken Authentication
Leverage authentication vulnerabilities to gain unauthorized access to sites.
75 min 
Updated Apr 15, 2025
2.1: Broken Access Control
Leverage access control vulnerabilities to exploit vulnerable web sites
228 min 
Updated Jun 17, 2025
3.1: SSRF
Leverage server-side request forgery to exploit vulnerable web applications
23 min 
Updated Jun 17, 2025
3.2: XXE
Leverage XML eXternal Entities to exploit vulnerable web applications
35 min 
Updated Jun 17, 2025
3.3: Command and SQL injection
Leverage command and SQL injection to exploit web applications
55 min 
Updated Jun 17, 2025
4.1: SQL injection
Leverage SQL injection to exploit web applications
55 min 
Updated Jun 17, 2025
1.1: Setup
Set up the accounts and virtual machines for use in this course.
69 min 
Updated Apr 7, 2025
7.1: Tools setup
Set up Kali VMs and web servers to practice using tools that automate reconnaissance, scanning, and exploitation.
60 min 
Updated Jul 8, 2025
7.2: Discovery tools (Pt 1)
Actively discover potential targets using wfuzz, nmap, bucket-stream, and Google dorking
39 min 
Updated Jun 17, 2025
7.3: Discovery tools (Pt 2)
Scan WordPress sites for vulnerabilities automatically with wpscan
42 min 
Updated Jul 7, 2025
7.4: Exploitation tools (Pt 1)
Exploit targets using hydra, sqlmap, xsstrike, commix
25 min 
Updated Jun 17, 2025
7.5: Exploitation tools (Pt 2)
Exploit a target using Metasploit
27 min 
Updated Jul 2, 2025
