Introduction to Offensive Security For Web Developers

This repository is a collection of materials to support training and workshops about the fundamentals of offensive security (AKA "hacking" and "penetration testing") with regard to web applications. The training may serve as a starting point for people interested in ethical hacking, penetration testing, application security, and network security. That said, the material has been built with defensive security in mind. As Sun Tzu wrote in The Art of War:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Lessons include descriptions of common attacks, advice for executing such attacks, and defensive strategies to prevent and mitigate such attacks.

Legal Disclaimer

The materials in this repository are provided solely for educational purposes.

It is your responsibility to understand and comply with the laws of your city/state/province/country in all contexts, and that includes the application of the tools and techniques described in this repository. It is almost always illegal to access a computer, server, or associated cloud infrastructure without explicit permission from the owner.

If you use the tools and tactics described in these materials in violation of the law, the authors of these materials and any affiliated parties are not responsible for your actions. If you wish to practice with these tools and tactics, ensure that you have explicit permission to access the websites, servers, databases, and infrastructure involved prior to any access attempts. The same is true for accessing data and accounts that you do not own.

Furthermore, the information contained in this repository can be used in ways that cause damage and/or harm. Any such damage arising from your own application of this information is your responsibility; the authors of this material shall not be held liable for any such damage. If you choose to use these materials, you do so at your own risk, and agree to assume all liability for any harm arising from such use.

Your use of these materials constitutes your agreement to only apply the information contained herein in total compliance with any and all applicable laws whether they are local, national, or international. If you do not, you may face criminal charges.

About These Materials

These materials are primarily designed with instructors in mind. To that end, the files in the lessons folder are organized as lesson plans, with advice and scaffolding for leading a workshop. Students may, of course, find them useful as a reference during (and after) class. Some students may also find them useful for self-study, even though they cater to experienced instructors.

Additionally, the files in the exercises folder are all a small amount of scaffolding on top of publicly available CTF exercises. Solutions for these CTFs are not provided, but some clues about how to approach them are provided, including which lessons are applicable to the particular CTF. Most of the CTFs do already have solutions that can be quickly found on Google but — for both pedagogical reasons and because HackerOne discourages publication of solutions — we have chosen not to publish any solutions.

Public Domain Education

These materials are available to all and released to the public domain. As far as copyright, patent, and trademark law is concerned, you may use them for any purpose whatsoever. Notwithstanding this repository's dedication to the public domain, it remains your responsibility to comply with any and all applicable laws with respect to the application of this information. See the above legal disclaimer.

Support Teb's Lab

This material is provided free of charge and free of copyright by Teb's Lab. We offer world class training on a wide variety of programming, computer science, data science, and software security topics. Visit our website where you can look through our other public domain educational materials and request a training.

If you want to support the creation and curation of this repository, and others like it, consider supporting Teb's Lab on Patreon.