Sign in Create Account

JavaScript for AppSec Engineers

Learn how security issues emerge in JavaScript and TypeScript applications, from client-side attacks and injection flaws to code review of real CVEs.

37 exercises
4 chapters ← All Tracks
Chapter 1
Client-Side Attacks
Start with browser-side vulnerabilities: cross-site request forgery, postMessage exploitation, XSS, CORS bypasses, and filter bypass techniques in JavaScript front-end code.
1
JSON Cross-Site Request Forgery Pro
Exploitation
2
postMessage() Pro
Exploitation
3
postMessage() II Pro
Exploitation
4
postMessage() III Pro
Exploitation
5
postMessage() IV Pro
Exploitation
6
TypeScript Snippet #02 Pro
Code Review · CORS Bypass
7
CVE-2025-625X8 Pro
Code Review · Cross-Site Scripting
8
CVE-2021-X27X0 Pro
Code Review · Filter Bypass
9
CVE-2024-X170X Pro
Code Review · Filter Bypass
10
CVE-2025-X23XX Pro
Code Review · Filter Bypass
11
CVE-2025-XX864 Pro
Code Review · Filter Bypass
Chapter 2
Injection & Command Execution
Exploit prototype pollution, then learn to spot SQL injection, command execution, SSTI, and log injection patterns in JavaScript and TypeScript code review.
12
JS Prototype Pollution Pro
Exploitation
13
Javascript Snippet #05 Pro
Code Review · Log Injection
14
Javascript Snippet #02 Pro
Code Review · SQL Injection
15
Javascript Snippet #06 Pro
Code Review · Server-Side Template Injection
16
Javascript Snippet #07 Pro
Code Review · SQL Injection
17
TypeScript Snippet #09 Pro
Code Review · SQL Injection
18
CVE-2020-XX079 Pro
Code Review · Command Execution
19
CVE-2025-XX953 Pro
Code Review · Command Execution
20
CVE-2025-X9X28 Pro
Code Review · Code Execution
Recommended: Complete Chapter 1 first
Chapter 3
Files, Paths & Prototypes
Tackle directory traversal, local file read, and prototype pollution vulnerabilities. Exploit path handling flaws in Express and Node.js, then review real CVE patches.
21
Express Local File Read Pro
Exploitation
22
TypeScript Snippet #01 Pro
Code Review · Directory Traversal
23
Javascript Snippet #03 Pro
Code Review · Directory Traversal
24
TypeScript Snippet #05 Pro
Code Review · Directory Traversal
25
Code Review 04 Pro
Code Review · Directory Traversal
26
CVE-2021-437XX Pro
Code Review · Directory Traversal
27
CVE-2026-XX951 Pro
Code Review · Directory Traversal
28
CVE-2026-XX888 Pro
Code Review · Prototype Pollution
Recommended: Complete Chapters 1 & 2 first
Chapter 4
Auth, Crypto & Application Logic
Review authentication flaws, hardcoded secrets, weak randomness, padding oracles, race conditions, and ReDoS patterns in JavaScript and TypeScript code.
29
TypeScript Snippet #06 Pro
Code Review · Padding Oracle
30
TypeScript Snippet #07 Pro
Code Review · Race Condition
31
TypeScript Snippet #04 Pro
Code Review · Broken Authentication
32
TypeScript Snippet #08 Pro
Code Review · Regular Expression DOS
33
Javascript Snippet #01 Pro
Code Review · Hardcoded Secret
34
TypeScript Snippet #03 Pro
Code Review · Broken Authentication
35
Javascript Snippet #04 Pro
Code Review · Insufficient Logging
36
Code Review 05 Pro
Code Review · Lack of Randomness
37
CVE-2026-XX050 Pro
Code Review · Information Leak
Recommended: Complete all previous chapters