Boost your career
The Web Security Academy is a strong step toward a career in cybersecurity.
Learn anywhere, anytime, with free interactive labs and progress-tracking.
Learn from experts
Produced by a world-class team - led by the author of The Web Application Hacker's Handbook.
GraphQL vulnerabilities can have serious consequences, especially if an attacker is able to gain admin privileges by manipulating queries or executing a CSRF exploit. In this topic, you'll learn how to test GraphQL APIs, including how to detect endpoints, gain schema information, and bypass rate limiting.
The Web Security Academy is a free online training center for web application security. It includes content from PortSwigger's in-house research team, experienced academics, and our Chief Swig Dafydd Stuttard - author of The Web Application Hacker's Handbook.
Unlike a textbook, the Academy is constantly updated. It also includes interactive labs where you can put what you learn to the test. If you want to improve your knowledge of hacking, or you'd like to become a bug bounty hunter or pentester, you're in the right place.
We make Burp Suite - the leading software for web security testing. And we love our users (because they're the people who make Burp what it is). That's why we created the Web Security Academy. It's also why the Academy is 100% free.
The Web Security Academy exists to help anyone who wants to learn about web security in a safe and legal manner. You can access everything (for free) and track your progress by creating an account. Please see the sidebar for more information.
Web security and ethical hacking are lucrative careers to get into, but they're often seen as dark and mysterious arts. The Web Security Academy smashes that stereotype. We make the latest application security knowledge available to everyone.
Some of our interactive labs will, by their nature, require you to use tools to solve them. But fear not. If you don't have access to Burp Suite Professional, then Burp Suite Community Edition allows you to experiment for free. Download Burp Suite here.
Let's face it, some of the online web application training out there can be a bit dull. And isn't hacking supposed to be fun? We certainly think so. That's why we've taken a fully interactive approach when it comes to the design of our web security training.
While each topic in the Academy is fully explained in text, many also include video content to summarize key points. Then there are the interactive labs - realistic puzzles designed to test your skills as a hacker. These transfer directly over into real-life cybersecurity situations.
Although we designed the labs to be fun, that doesn't necessarily mean they're easy (because where would be the fun in that, right?). We also love a bit of competition here at the Web Security Academy - and that's how we came up with the idea for the Hall of Fame.
Every time we release a new lab, we'll announce it on Twitter. The first Web Security Academy users to solve the lab will win Burp Suite swag - as well as getting their name in the Hall of Fame for all to see. Of course, you can remain anonymous if you prefer.