CyberCode Academy episodes:

• November 12, 2025Course 3 - Mastering Nuclei for Bug Bounty | Episode 2: Controlling Scans, Traffic Tuning, and Custom Template Development

  In this lesson, you’ll learn about:

  • Controlling Nuclei template selection — include templates by tags (e.g., xss, tech, enginex), severity (info, low, medium, high, critical), or author; and exclude specific templates/tags/severity with exclusion flags to avoid noisy results.
  • Performance tuning & safe scanning — tune rate-limit (requests/sec), bulk-size (parallel hosts per batch), and -C (concurrency for templates) to avoid overwhelming targets or triggering WAFs; prefer conservative defaults for bug‑bounty targets.
  • Request identification & tracking — add custom HTTP headers with -H / --header to tag traffic (useful for program owners and triage).
  • Persistent configuration — use config.yaml to store default flags (targets, template lists, exclusions, headers) so runs are consistent and reproducible.
  • Debugging & visibility — use -debug and -v to print the exact HTTP requests and responses Nuclei sends/receives; essential to understand why a match fired (status codes, regexes, extractors).
  • Template structure & components — YAML template building blocks: id, info (name, severity, author, tags), requests (method, path, payload), matchers (status code, regex, words), and extractors (capture and display matched data).
  • Filtering & extraction rules — craft matchers for precise detection (e.g., status: 200, regex capture); use extractors to pull versions or identifiers into the output.
  • Custom template development — how to modify/create templates (example: PHP version detection), validate YAML with linters (YAML Lint), and test locally with -debug before wide runs.
  • Operational best practices — limit templates to relevant categories, exclude info severity when noisy, validate custom templates, document headers/flags used for each engagement, and always respect scope/authorization.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 3 - Mastering Nuclei for Bug Bounty | Episode 1: Nuclei: Installation, Template Setup, and First Scan

  In this lesson, you’ll learn about:
  

  • Nuclei — definition & purpose: a template‑based automated vulnerability scanner written in Go, designed for fast, customizable scanning, mass hunting, and CI/CD integration.
  • Claims & note: community descriptions sometimes state very low false‑positive rates; always validate findings in-scope before reporting.
  • Supported template types: HTTP, DNS, TCP, and file‑based templates (organized by categories like CVEs, misconfiguration, takeovers, fuzzing).
  • Templates are the core: templates are YAML files that define checks; most are community‑maintained in the official GitHub repo and can be auto‑downloaded or installed manually (git clone / ZIP).
  • Installation methods: primary method uses Go (requires Go ≥ 1.18); alternatives include Homebrew (Mac) or Docker. Verify install by running nuclei -h.
  • First run / basic CLI usage: scans require a template (-t) and a target URL (-u with protocol). Omitting -t runs all templates — avoid this on live targets to prevent excessive requests.
  • Practical example: running the technologies template category can reveal informational details such as PHP and Nginx (EngineX) versions on a target.
  • Operational best practices: always limit templates to relevant checks, respect target scope/authorization, throttle requests when needed, and validate any automated findings manually.
  • Integration: Nuclei works well in automation pipelines for continuous scanning, and users can write custom templates to match unique testing needs.
  • Analogy (teaching aid): Nuclei = the locksmith’s toolkit (binary) and templates = custom lockpicks — pick the right template (-t) for the target lock (-u) instead of trying the whole box.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 2 - API Security Offence and Defense | Episode 4: Aggressive Attacks, Traditional Vulnerabilities and Exploitation of Staging APIs

  In this lesson, you’ll learn about:
  

  • Aggressive Attacks on APIs
    • Denial of Service (DoS): Flooding servers to disrupt service; Layer 7 attacks mimic normal users.
    • Brute Force: Guessing secrets like passwords, JWTs, tokens, or 2FA codes.
    • Mitigation: Rate limiting, authentication for heavy processes, short expiration for secrets, complex codes, caching, load balancing, restricting direct IP access.
  • Targeting Non-Production APIs
    • Development, staging, and deprecated APIs often lack proper security.
    • Risks include exposed debugging info, weaker policies, and connection to production databases.
    • Mitigation: Delete deprecated APIs, restrict access (passwords/IP), enforce production-level security policies, include in penetration testing scope.
  • Traditional Web Vulnerabilities in APIs
    • IDOR: Manipulate object IDs in URLs to access unauthorized data.
    • XSS: Only exploitable if content type allows JavaScript execution.
    • SQL Injection: Unexpected results indicate query manipulation.
    • Remote Code Execution (RCE): 500 errors from unusual input may signal server or OS-level vulnerabilities.
  • Key Takeaway:
    APIs must be protected from both API-specific threats and classic web vulnerabilities, with consistent security policies across all environments.

  
  
  
  
  
  
  
  
  
  
  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 2 - API Security Offence and Defense | Episode 3: OAuth Protocol: Standards, Authorization Flows, Attacks, and Real-World Case Study

  In this lesson, you’ll learn about:

  • OAuth — purpose & distinction: an authorization protocol that grants third-party apps scoped access to user resources without sharing user credentials; it’s about authorization, not authentication.
  • OAuth 1.0a — core concepts & flows:
    • Concepts: Consumer Key/Secret, Nonce, Signed requests (HMAC‑SHA1).
    • Flows: one‑legged (trusted apps), two‑legged (token exchange), and three‑legged (adds user approval and a verifier; e.g., Twitter sign‑in).
  • OAuth 2.0 — concepts & common flows:
    • Concepts: Client ID/Secret, Scope (permissions), Response Type, State (CSRF defense).
    • Flows: two‑legged (machine‑to‑machine) and three‑legged Authorization Code Grant (most common; auth code exchanged for access token after user consent).
  • Primary attacker goal: steal an access token — the token’s scope defines the attacker’s effective privileges.
  • Common OAuth vulnerabilities & attacks:
    • Auth code leakage via redirect_uri: weak redirect validation lets codes be sent to attacker servers.
    • CSRF in the OAuth flow: missing/invalid state allows attacker-forced authorization flows (account linking, CSRF).
    • Open redirect: poor redirect checks enable phishing or token exfiltration vectors.
    • CSRF via XSS / iframe chaining: use XSS to inject frames or scripts that bypass protections and extract codes/tokens.
    • Implicit flow abuse: switching response_type=token causes tokens to be returned in URL fragments — easily exfiltrated by XSS.
  • Hardening & best practices:
    • Always use HTTPS to prevent MITM.
    • Require and validate the state parameter to stop CSRF.
    • Disable implicit flow unless strictly necessary; prefer Authorization Code with PKCE for public clients.
    • Strictly validate redirect_uri (exact-match, not prefix).
    • Sanitize and remove XSS vulnerabilities that could be chained into OAuth attacks.
    • Minimize token lifetime and use scopes with least privilege.
  • Real-world lessons: small, low-severity bugs can be chained (redirect issues, missing validation, XSS) to fully compromise accounts — careful end‑to‑end validation and layered defenses are essential.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 2 - API Security Offence and Defense | Episode 2: Authentication Methods and Security: Basic, Digest, and JSON Web Tokens (JWT)

  In this lesson, you’ll learn about:
  

  • Authentication & Authorization Fundamentals:
    • Authentication: Identifying the user.
    • Authorization: Defining what actions an authenticated user can perform.
    • Stateful vs. Stateless:
      • Stateful: Session cookies store session data on the server.
      • Stateless: Tokens are validated without server-side session storage.
  • Basic and Digest Authentication:
    • Basic Auth: HTTP-based, sends Base64-encoded credentials; vulnerable because Base64 is easily decoded.
    • Digest Auth: Adds MD5 hashing with a nonce to protect credentials; less common.
  • Attacks on Traditional Methods:
    1. MITM Attacks: Stealing credentials if HTTPS is not used.
    2. Brute Force: No retry limits enable guessing credentials.
    3. Logic Attacks (Wrong HTTP Methods): Unprotected HTTP methods allow bypassing auth.
    4. Configuration File Exploitation: Accessing .htpasswd or .htdigest and cracking hashes.
  • Mitigation: Use HTTPS, enforce strong passwords, limit login retries, and protect all HTTP methods.
  • Tokens, Cookies, and JWT:
    • Cookies: Stateful; risks include XSS (if not HTTP Only), CSRF, and scalability issues.
    • Tokens: Stateless; risks include XSS (if in local storage), CSRF (if in cookies), and non-revocable compromised tokens.
    • JWT (JSON Web Token):
      • Structure: Header (algorithm), Payload/Claim (user data, exp, issuer), Signature (verification).
      • Generation: Signed using a secret key and chosen algorithm.
      • Usage: Stateless API authentication, self-contained.
  • JWT Attacks & Mitigation:
    1. Algorithm Bypass (None Attack): Modifying header to none can bypass verification.
    2. Algorithm Confusion (RS256 → HS256): Signing with public key due to server misconfiguration.
    3. Cracking Weak Secrets: Brute force or dictionary attacks on weak signing keys.
  • Mitigation for JWT: Enforce strong random keys, backend-enforced algorithm validation, short token expiration, and HTTPS.
  • Core takeaway: Modern web authentication requires careful design of state handling (cookies vs tokens), secure credentials, and robust JWT management to prevent bypasses, tampering, and data leaks.

  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 2 - API Security Offence and Defense | Episode 1: API Fundamentals: Standards, Versioning, and Investigative Techniques

  In this lesson, you’ll learn about:
  

  • APIs — Definition & Evolution:
    • API (Application Programming Interface): A mechanism originally designed to allow software to access operating system libraries; now primarily used for data exchange between servers, web apps, mobile apps, and frontend frameworks like React or Vue.
    • Evolution of API standards:
      • XML-RPC: Early XML-based method, complex and insecure.
      • SOAP (Simple Object Access Protocol): Standardized XML-based protocol, widely adopted but rigid.
      • REST (Representational State Transfer): Modern standard, relies on HTTP methods (GET, POST, PUT, DELETE) and commonly uses JSON or XML.
  • REST API Structure & Versioning:
    • HTTP Methods & CRUD mapping:
      • GET / HEAD: Read
      • POST: Create
      • PUT / PATCH: Update
      • DELETE: Delete
    • Request Components:
      • Headers: Authentication (Authorization: Bearer ), Accept for content type negotiation.
      • Response Headers: WWW-Authenticate, Content-Type, Set-Cookie, CORS headers.
      • Status Codes: e.g., 200 OK, 201 Created, 404 Not Found, 405 Method Not Allowed, 500 Internal Server Error.
    • Versioning: Ensures older clients continue functioning; can be implemented via URL path (/v1), Accept headers, or custom headers.
  • API Fingerprinting & Discovery:
    • Key info to gather:
      1. API endpoints and domains (e.g., api.example.com)
      2. Versioning method
      3. Programming language and backend storage (SQL, NoSQL, caches like Redis)
      4. Authentication mechanism
    • Techniques: Public documentation review, subdomain enumeration, intercepting client traffic via proxies, and deducing backend details from headers or job postings.
  • Debugging & Automated Testing:
    • Proxy Tools: Burp Suite for intercepting, modifying, and forwarding API requests.
    • API Testing Tools: Postman to construct requests, specify methods, headers, and bodies (JSON payloads).
    • Fuzzing: Automated testing by sending malformed/unexpected inputs to detect exceptions or abnormal HTTP responses (e.g., 500 errors).
  • Authentication vs. Authorization:
    • Authentication: Verifying identity (ID/password, tokens, cookies, API keys, JWT, OAuth).
    • Authorization: Determining allowed actions for an authenticated client (e.g., admin vs. user privileges).
  • Core takeaway: Understanding API architecture, endpoints, authentication/authorization mechanisms, and using proxy/debugging tools is essential for secure interaction, discovery, and testing of APIs.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 1 - BurpSuite Bug Bounty Web Hacking from Scratch | Episode 12: Cookies, Sessions, and Session Management Manipulation Vulnerability

  In this lesson, you’ll learn about:

  • HTTP is stateless: every request is independent, so web apps must implement state mechanisms to track users.
  • Cookies — client-side state: small text files (≈4 KB) stored in the browser holding prefs, auth data, and often session IDs; key attributes: Domain, Path, Expires, Secure (HTTPS-only), and HttpOnly (not accessible to JavaScript).
  • Sessions & Session IDs — server-side state: session data lives on the server and is referenced by a unique, high-entropy Session ID (long, random alphanumeric string) sent to the client; sessions are generally more secure because sensitive data is not exposed to the client.
  • Security properties: ensure Session IDs are random, long, rotated after privilege changes (e.g., post-login), and invalidated on logout/timeout; prefer server-side storage for sensitive state.
  • Cookie vs. Session tradeoffs: cookies provide persistence and client-side convenience but expose data to the client; sessions keep data server-side but require secure Session ID management.
  • Common session-management vulnerabilities: predictable or reused session IDs, session fixation (reusing same ID before/after login), session IDs in URLs, lack of invalidation, and insecure cookie flags leading to theft via XSS.
  • Practical exploitation demo (session manipulation): editing cookies can change user identity if server trusts client-side identifiers (e.g., modifying UID cookie allowed switching accounts), demonstrating weak server-side authorization checks.
  • Mitigations & best practices: never trust client-side identifiers for authorization, use secure cookie flags (Secure, HttpOnly, SameSite), rotate session IDs on privilege changes, implement strict session timeouts and invalidation, and store sensitive state server-side.
  • Core takeaway: robust session management requires secure Session ID generation, careful cookie handling, and server-side authorization — otherwise attackers can hijack or impersonate users via simple cookie/session manipulation.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 1 - BurpSuite Bug Bounty Web Hacking from Scratch | Episode 11: Injection and Directory Path Traversal Attacks.

  In this lesson, you’ll learn about:

  • Critical Web Security Vulnerabilities — Overview: Focus on Injection Attacks and Directory Path Traversal Attacks, two high-risk categories in web applications.
  • Injection Attacks — definition & mechanism:
    • Occur when untrusted input is sent to an interpreter (SQL, OS commands, HTML, CSS, or JavaScript), altering program execution.
    • Can lead to data theft, data loss, denial of service, or full system compromise.
    • Types include:
      • Client-side: Cross-Site Scripting (XSS), HTML injection, CSS injection.
      • Server-side: SQL injection, command injection, CRLF injection.
    • Requires input/output interaction with the web application or database.
  • Directory Path Traversal (Path Traversal) — definition & mechanism:
    • HTTP attack allowing attackers to bypass web server restrictions and access files outside the designated root directory.
    • Exploits file path parameters by inserting traversal sequences like ../ to move up directories.
    • Targets include sensitive files:
      • Windows: web.config
      • Linux: /etc/passwd
  • Consequences:
    • Unauthorized access to critical files, application configuration, and sensitive system data.
    • Potential for executing arbitrary commands depending on server privileges.
  • Detection & Demonstration:
    • Attackers test parameters by adding ../ sequences and observing responses.
    • Successful access indicates improper input validation and insufficient access controls.
  • Mitigation & Best Practices:
    • Keep web server software updated with latest patches.
    • Validate and sanitize all user inputs, filtering out meta-characters (../, %2e%2e/, etc.).
    • Restrict server environment to only necessary data and remove unused files.
    • Implement proper Access Control Lists (ACLs) and enforce directory confinement.
  • Key takeaway:
    Protecting against injection and path traversal attacks requires both input validation and secure configuration of server directories and application logic.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 1 - BurpSuite Bug Bounty Web Hacking from Scratch | Episode 10: XSS: Overview, Security Level Testing, and Real-World Attacks

  In this lesson, you’ll learn about:
  

  • Definition of Cross-Site Scripting (XSS):
    A client-side web vulnerability where an application executes user-supplied JavaScript instead of treating it as text. It typically occurs in user input areas such as search fields, comment boxes, or feedback forms.
  • Main Types of XSS:
    1. Reflected XSS (Non-persistent):
       • The malicious input is not stored in the database.
       • It only affects users who execute the injected script (e.g., by clicking a crafted link).
       • Commonly found in search or URL parameters.
    2. Stored XSS (Persistent):
       • The injected payload is saved in the application database (e.g., in comments).
       • The script runs automatically for every visitor who loads the infected page.
       • This type has a higher impact and broader reach.
    3. DOM-based XSS:
       • The vulnerability exists in the Document Object Model (DOM) layer.
       • The HTML response may appear unchanged, but JavaScript execution happens client-side.
  • Potential Consequences:
    • Theft of cookies and session tokens.
    • Hijacking user accounts or sessions.
    • Launching Cross-Site Request Forgery (CSRF) attacks.
    • Delivering malicious redirects or keyloggers.
  • Practical Demonstrations:
    • Reflected XSS (OWASP Mutillidae Example):
      • Using Burp Suite to intercept and inject a simple payload:
      • If the response returns the payload unmodified, the application is vulnerable.
    • DVWA Demonstrations Across Security Levels:
      • Low Level: The script runs immediately without filters.
      • Medium Level: Filtering is attempted (e.g., removing the word “script”). Bypassed using mixed-case payloads like:
      • High Level: Stronger filtering, but DOM-based XSS succeeds using:
        
        
  • Real-World Exploitation Example:
    • Attackers send phishing emails containing legitimate-looking links that include malicious JavaScript in the query string.
    • When clicked, the script executes on the target site, allowing theft of credentials or session data.
    • This is often referred to as first-order XSS, primarily exploiting GET requests.
  • Prevention Techniques:
    • Validate and sanitize all user input (both client and server-side).
    • Implement output encoding for HTML, JavaScript, and URL contexts.
    • Use modern Content Security Policy (CSP) headers.
    • Avoid using innerHTML for dynamic content updates.
    • Educate users to verify links before clicking, especially in unsolicited emails.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 12, 2025Course 1 - BurpSuite Bug Bounty Web Hacking from Scratch | Episode 9: Understanding and Finding SQL Injection Vulnerabilities

  In this lesson, you’ll learn about:

  • SQL Injection (SQLi) — definition & importance: what SQL is (Structured Query Language) and why data-driven apps are high-value targets for injection attacks.
  • Core mechanism: how attackers inject malicious input into dynamic SQL statements (queries built from runtime parameters) to alter logic — e.g., commenting out parts of a query or appending always-true conditions.
  • Types of SQLi: error-based, blind (boolean), time-based, and union-based injections — each exploits the DB engine differently and requires different discovery/exploitation techniques.
  • Potential impact: full database disclosure (dumping data), modifying/inserting/deleting records, or otherwise corrupting application data and functionality — impact depends on DB engine and privileges.
  • Discovery approach — fuzzing & logic-first mindset: understand the application flow and likely backend queries, then feed “weird input” to break or alter the SQL (fuzzing is the primary discovery method).
  • Basic test techniques:
    • Quotes: submit single (') or double (") quotes to provoke syntax errors — a common initial test for SQLi.
    • Backslashes / escapes: use \ (or DB-specific escape chars) to break query parsing in some engines (e.g., MySQL).
    • Choose the technique that matches the app’s input handling (single-quote, double-quote, or backslash may work differently).
  • Automation: use tools (or Burp Intruder) to automate payload lists once you know which delimiter/escape style affects the target. Monitor responses for errors, content changes, or timing differences.
  • Detection signals: SQL errors in responses, changes in content length/body, boolean differences, or time delays (for time-based tests) indicate possible vulnerability.
  • Next steps after detection: escalate from proof-of-concept errors to controlled data extraction techniques (union queries, blind extraction techniques, or time-based exfiltration) while keeping tests minimal and authorized.
  • Analogy (teaching aid): like a locksmith trying different picks (quotes, backslashes) in a lock (input field) to find the one that opens the mechanism (causes the backend SQL to fail or execute attacker-controlled logic).
  • Ethics & safety note: always test within authorized scope, avoid destructive payloads, and document findings/steps for reproducible PoCs.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---