Threat modeling, AuthN/AuthZ, injection, XSS, CSRF/SSRF, TLS/headers, crypto pitfalls, modern web threats, detection + IR. Defender-first, anchored in OWASP, MITRE ATT&CK, and real CVEs.
This is the course for builders who want to write web applications that don't get owned. Every module bridges attacker and defender views: the same mechanism that lets you write a hardened cookie also lets you spot a forgery; the same understanding of CSRF that prevents the bug helps you read a bug bounty report. Anchored in OWASP, MITRE ATT&CK, CIS, and NIST. Five capstones (you pick one) demonstrate mastery: audit a deliberately vulnerable application against the OWASP Top 10, build a passkey-first authentication system, harden a JS app to a strict CSP + Trusted Types, audit and refactor your app's crypto stack, or stand up an IR-ready detection pipeline.
Built by Lakshya Kumar
Paste this into any AI chat. Fill in the bracketed parts with your context — you'll get back a straight answer on whether this belongs on your plate.
We grant free access case-by-case — students, career-switchers, builders on a tight budget. Sign in to send us a note.
Complete all modules, then submit the required number of capstone projects. Each must earn a passing rating from an admin reviewer.
Stand up OWASP Juice Shop locally. Produce a written audit covering all ten 2021 OWASP categories: for each, identify at least one vulnerability in Juice Shop, demonstrate exploitation with screenshots/curl commands, and propose the production fix. Format: one finding per page, severity (CVSS v3.1), reproduction, fix, and a detection rule.
I am learning web application security — threat modeling, authentication and authorization, injection attacks (SQL, NoSQL, command, template), XSS (reflected/stored/DOM), CSRF and SSRF, transport security (TLS, CORS, cookies, security headers), crypto pitfalls (JWT, ECB, padding oracles, timing), modern web threats (prototype pollution, supply chain, CDN cache poisoning), and detection/incident response. Help me work through the actual mechanics with reference to real CVEs, real WAF behaviour, and real OWASP / MITRE ATT&CK / NIST guidance.
Build an auth system with WebAuthn passkeys as the primary factor, TOTP as fallback, and argon2id for any password component. Include session rotation on every privilege boundary, secure cookie attributes (HttpOnly + Secure + SameSite + __Host- prefix), credential-stuffing defences (per-IP and per-account rate limits + Pwned Passwords check), and per-device login notifications. Test that session revocation completes in <1 second.
Take a real JS application. Implement a nonce-based strict CSP in report-only mode first; verify zero violations from legitimate traffic; then promote it to enforced. Enable `require-trusted-types-for 'script'` and fix every resulting TypeError (each one is an unsafe sink write) by routing it through a Trusted Types policy backed by DOMPurify. Submit the before/after CSP, the policy code, and a write-up of what broke during migration and how you fixed it.
Produce a written audit of every cryptographic primitive in a real codebase: hashes (where, what algorithm, what use case), signing (JWT alg, key management), encryption (mode, AEAD?), random (CSPRNG everywhere?), key storage (KMS-managed?). For every finding below 2026 best practice, propose a fix with effort estimate. Implement the top three findings.
Stand up a working web-app security stack: structured logs for every authenticated request (who, action, object, outcome) shipped to a separate sink, five tuned detection rules (credential stuffing, geo-velocity, privilege escalation, mass export, unusual error spike) with their queries written down, one honeytoken alerting end-to-end, and a 1-page IR runbook. Run a tabletop exercise against the stack and document gaps.
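How the detection half of this capstone can look in code, as an added example that is not part of the course material: three of the listed rules (credential stuffing, mass export, honeytoken) run over a constructed structured log. The field names `ip`/`who`/`action`/`object`/`outcome`, the thresholds, and the `honeytoken:` object prefix are assumptions for the example.

```python
import json
from collections import defaultdict
# Constructed sample of the structured log the capstone calls for: one JSON
# object per authenticated request recording who, action, object and outcome.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ip": "203.0.113.7", "who": "alice", "action": "login", "object": "session", "outcome": "fail"},
    {"ip": "203.0.113.7", "who": "bob", "action": "login", "object": "session", "outcome": "fail"},
    {"ip": "203.0.113.7", "who": "carol", "action": "login", "object": "session", "outcome": "fail"},
    {"ip": "203.0.113.7", "who": "dave", "action": "login", "object": "session", "outcome": "fail"},
    {"ip": "203.0.113.7", "who": "erin", "action": "login", "object": "session", "outcome": "fail"},
    {"ip": "198.51.100.2", "who": "alice", "action": "login", "object": "session", "outcome": "fail"},
    {"ip": "198.51.100.2", "who": "alice", "action": "export", "object": "report:q1", "outcome": "ok"},
    {"ip": "192.0.2.9", "who": "bob", "action": "export", "object": "customers", "outcome": "ok"},
    {"ip": "192.0.2.9", "who": "bob", "action": "export", "object": "invoices", "outcome": "ok"},
    {"ip": "192.0.2.9", "who": "bob", "action": "export", "object": "users", "outcome": "ok"},
    {"ip": "192.0.2.9", "who": "bob", "action": "read", "object": "honeytoken:aws-keys.txt", "outcome": "ok"},
])

def parse_log(text):
    """One JSON event per line; a malformed line is skipped, not allowed to kill the rule run."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def credential_stuffing(events, min_failures=5, min_accounts=3):
    """Rule: one source IP failing logins across many distinct accounts."""
    per_ip = defaultdict(lambda: {"fails": 0, "accounts": set()})
    for e in events:
        if e["action"] == "login" and e["outcome"] == "fail":
            per_ip[e["ip"]]["fails"] += 1
            per_ip[e["ip"]]["accounts"].add(e["who"])
    return sorted(ip for ip, s in per_ip.items()
                  if s["fails"] >= min_failures and len(s["accounts"]) >= min_accounts)

def mass_export(events, threshold=3):
    """Rule: one principal performing an unusual number of successful exports."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "export" and e["outcome"] == "ok":
            counts[e["who"]] += 1
    return sorted(who for who, n in counts.items() if n >= threshold)

def honeytoken_access(events, prefix="honeytoken:"):
    """Honeytoken rule: any touch of a decoy object alerts, whatever the outcome."""
    return [(e["who"], e["object"]) for e in events if e["object"].startswith(prefix)]
```

Alice's single failed login and single export stay below both thresholds, which is the tuning the capstone asks you to write down alongside each query.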
Definitive defence-side references for every web vulnerability.