Juicy Shop

Security Academy

Work through the curriculum from foundations to advanced defense. Each lesson pairs theory with secure-vs-insecure code and a knowledge check.

  1. 1Application Security FoundationsbeginnerStart here. Learn the attacker mindset, the CIA triad, how to think about trust boundaries, and how the OWASP Top 10 organises the most common web risks.Foundations · 8 min
  2. 2Injection & SQL InjectionintermediateInjection happens when untrusted input is interpreted as code or query syntax. Learn how SQL injection works, why string concatenation is the root cause, and how parameterised queries make it impossible.Injection · 12 min
  3. 3Input Validation & CanonicalisationintermediateMost injection and traversal bugs share a root cause: untrusted input is trusted too soon. Learn positive (allow-list) validation, canonicalisation, and why filename and path handling needs special care.Input Validation · 11 min
  4. 4Authentication & Session SecurityintermediateAuthentication proves who a user is. Learn how injection and weak credential handling break it, why passwords must be salted and hashed, and how to harden the login flow against takeover.Identification & Authentication · 11 min
  5. 5Cryptographic FailuresintermediateSensitive data leaks when it is stored or transmitted without proper cryptography. Learn why you hash passwords (never encrypt them), how to pick algorithms, and where data-in-transit protection belongs.Cryptography · 12 min
  6. 6Insecure DesignintermediateSome flaws can't be patched because the design itself is unsafe. Learn the difference between a bug and a design flaw, how threat modelling surfaces risks early, and why business-logic abuse needs design-level defences.Design · 12 min
  7. 7Cross-Site Scripting (XSS)intermediateXSS lets an attacker run JavaScript in another user's browser. Learn the three XSS types, why output encoding is the core defence, and how modern frameworks help — and where they still let you shoot yourself in the foot.Cross-Site Scripting · 12 min
  8. 8Cross-Site Request Forgery (CSRF)intermediateCSRF tricks a logged-in user's browser into sending a state-changing request they never intended. Learn why cookies make it possible and how SameSite cookies plus anti-CSRF tokens shut it down.Session Security · 11 min
  9. 9Broken Access Control & IDORintermediateBroken access control is the #1 web risk. Learn how trusting client-supplied identifiers leads to IDOR, why every request must be authorised server-side, and how to enforce ownership checks.Broken Access Control · 10 min
  10. 10Security MisconfigurationintermediateMost breaches don't need a clever exploit — just a default password, a verbose error, or an exposed admin panel. Learn the common misconfigurations and how secure-by-default settings close them.Configuration · 10 min
  11. 11Secrets ManagementintermediateAPI keys, database passwords, and signing keys leak constantly through source code, logs, and git history. Learn where secrets belong, how to rotate them, and why 'it's in a private repo' is not protection.Configuration · 9 min
  12. 12Vulnerable & Outdated ComponentsintermediateYour app is only as secure as its weakest dependency. Learn how known-vulnerable packages get exploited and how SBOMs, pinning, and automated scanning keep your supply chain honest.Supply Chain · 10 min
  13. 13Software & Data Integrity FailuresadvancedIntegrity failures happen when code or data is trusted without verifying it wasn't tampered with — from unsigned auto-updates to insecure deserialization and poisoned CI/CD pipelines. Learn to verify before you trust.Supply Chain · 12 min
  14. 14Security Logging & MonitoringintermediateIf you can't see an attack, you can't stop it. Learn what security events to log, how to avoid logging secrets, and why alerting and an incident response plan turn logs into defence.Detection · 10 min
  15. 15Server-Side Request Forgery (SSRF)advancedSSRF turns your server into a confused deputy, making requests to wherever an attacker chooses — including internal services and cloud metadata. Learn the attack and how allow-lists and network controls stop it.Server Security · 12 min
  16. 16Defense in Depth & the Secure SDLCadvancedNo single control is perfect. Learn to layer defences, bake security into the development lifecycle, and use platform features — CSP, headers, dependency scanning, logging — so that one failure does not become a breach.Secure Design · 13 min