⚡

JavaScript for AppSec Engineers

Learn how security issues emerge in JavaScript and TypeScript applications, from client-side attacks and injection flaws to code review of real CVEs.

37 exercises

4 chapters

Unlock PRO Access ← All Tracks

Chapter 1

Client-Side Attacks

Start with browser-side vulnerabilities: cross-site request forgery, postMessage exploitation, XSS, CORS bypasses, and filter bypass techniques in JavaScript front-end code.

JSON Cross-Site Request Forgery Pro

postMessage() III Pro

Exploitation

postMessage() IV Pro

Exploitation

TypeScript Snippet #02 Pro

Code Review · CORS Bypass

CVE-2025-625X8 Pro

Code Review · Cross-Site Scripting

CVE-2021-X27X0 Pro

Code Review · Filter Bypass

CVE-2024-X170X Pro

Code Review · Filter Bypass

CVE-2025-X23XX Pro

Code Review · Filter Bypass

CVE-2025-XX864 Pro

Code Review · Filter Bypass

Chapter 2

Injection & Command Execution

Exploit prototype pollution, then learn to spot SQL injection, command execution, SSTI, and log injection patterns in JavaScript and TypeScript code review.

JS Prototype Pollution Pro

Exploitation

Javascript Snippet #05 Pro

Code Review · Log Injection

Javascript Snippet #02 Pro

Code Review · SQL Injection

Javascript Snippet #06 Pro

Code Review · Server-Side Template Injection

Javascript Snippet #07 Pro

Code Review · SQL Injection

TypeScript Snippet #09 Pro

Code Review · SQL Injection

CVE-2020-XX079 Pro

Code Review · Command Execution

CVE-2025-XX953 Pro

Code Review · Command Execution

CVE-2025-X9X28 Pro

Code Review · Code Execution

Recommended: Complete Chapter 1 first

Chapter 3

Files, Paths & Prototypes

Tackle directory traversal, local file read, and prototype pollution vulnerabilities. Exploit path handling flaws in Express and Node.js, then review real CVE patches.

Express Local File Read Pro

Exploitation

TypeScript Snippet #01 Pro

Code Review · Directory Traversal

Javascript Snippet #03 Pro

Code Review · Directory Traversal

TypeScript Snippet #05 Pro

Code Review · Directory Traversal

Code Review 04 Pro

Code Review · Directory Traversal

CVE-2021-437XX Pro

Code Review · Directory Traversal

CVE-2026-XX951 Pro

Code Review · Directory Traversal

CVE-2026-XX888 Pro

Code Review · Prototype Pollution

Recommended: Complete Chapters 1 & 2 first

Chapter 4

Auth, Crypto & Application Logic

Review authentication flaws, hardcoded secrets, weak randomness, padding oracles, race conditions, and ReDoS patterns in JavaScript and TypeScript code.

TypeScript Snippet #06 Pro

Code Review · Padding Oracle

TypeScript Snippet #07 Pro

Code Review · Race Condition

TypeScript Snippet #04 Pro

Code Review · Broken Authentication

TypeScript Snippet #08 Pro

Code Review · Regular Expression DOS

Javascript Snippet #01 Pro

Code Review · Hardcoded Secret

TypeScript Snippet #03 Pro

Code Review · Broken Authentication