What is PortSwigger Web Security Academy?
PortSwigger Web Security Academy is the free, official learning platform from the creators of Burp Suite — the web security testing tool used by virtually every professional web penetration tester on the planet. The Academy offers structured learning modules on every major web vulnerability class, hands-on practice labs, and a complete learning path from beginner to advanced — all at no cost. PortSwigger describes its mission:
Web Security Academy is a free online training center for web application security. It is written by the PortSwigger Research team — the creators of Burp Suite. The materials are regularly updated and kept in line with the latest advances in web security research.
What separates Web Security Academy from other web security resources: the labs run in your browser against real vulnerable applications, the content is written by the people who discover these vulnerabilities professionally, and the entire thing is free. There is no better free resource for web application security education anywhere.
Is This Right for You?
This is for you if...
- Web application security is your primary focus or a significant part of your role
- You want to learn Burp Suite properly — this is the official training platform
- You’re preparing for bug bounty hunting, web penetration testing, or CEH/CPENT certifications
- You’re a developer who wants to understand and prevent the vulnerabilities in your own code
- You want 100% free, research-quality web security education from the people who write the tooling
This is NOT for you if...
- You’re focused on network security, Active Directory, or binary exploitation — this is web only
- You’re brand new to security with no web development or HTTP knowledge — build that baseline first
- You prefer video-based learning — Web Security Academy is text and lab-based
Learning Path Overview
| Topic Area | Labs | Level | Key Vulnerabilities Covered |
|---|---|---|---|
|
SQL Injection |
18+ labs |
Beginner–Advanced |
Error-based, blind, time-based, out-of-band, filter bypass |
|
Cross-Site Scripting (XSS) |
30+ labs |
Beginner–Advanced |
Reflected, stored, DOM, CSP bypass, template injection |
|
CSRF |
12+ labs |
Intermediate |
Token bypass, SameSite, Referer-based |
|
XXE (XML External Entity) |
9+ labs |
Intermediate–Advanced |
File disclosure, SSRF via XXE, blind XXE |
|
SSRF |
7+ labs |
Advanced |
Cloud metadata, partial bypass, DNS rebinding |
|
OS Command Injection |
5+ labs |
Beginner–Intermediate |
Blind, time-based, out-of-band |
|
Business Logic Flaws |
11+ labs |
Intermediate |
Trust boundaries, order manipulation, authentication bypass |
|
Authentication |
14+ labs |
Beginner–Advanced |
Brute force, 2FA bypass, OAuth, session management |
|
Insecure Deserialization |
10+ labs |
Advanced |
Java, PHP, Python gadget chains |
|
HTTP Request Smuggling |
14+ labs |
Advanced |
CL.TE, TE.CL, response queue poisoning |
|
GraphQL |
9+ labs |
Intermediate |
Introspection, injection, CSRF |
|
Race Conditions |
6+ labs |
Advanced |
Limit overrun, partial construction, TOCTOU |
Learning Paths on PortSwigger
Server-Side Vulnerabilities
SQL Injection → Path Traversal → Authentication → Business Logic → Information Disclosure → Access Control → File Upload → SSRF → XXE → OS Command Injection. These are the vulnerabilities that compromise backend systems and databases — the highest-impact category for bug bounty programs.
Client-Side Vulnerabilities
XSS → CSRF → CORS → Clickjacking → DOM-Based Attacks → WebSockets. Client-side vulnerabilities impact users and enable account takeover, session hijacking, and cross-site attacks — consistently among the most common bug bounty findings.
Advanced Topics
Insecure Deserialization → Web Cache Poisoning → HTTP Request Smuggling → OAuth → JWT → GraphQL → Race Conditions → Prototype Pollution. These are the vulnerabilities that pay the most in bug bounty programs and that separate intermediate from advanced practitioners.
| Topic Area | Labs Available | Difficulty Range | Bug Bounty Value |
|---|---|---|---|
|
SQL Injection |
18 labs |
Apprentice → Expert |
High — direct data exfiltration |
|
XSS |
30 labs |
Apprentice → Expert |
Medium — account takeover potential |
|
SSRF |
8 labs |
Practitioner → Expert |
Very High — internal service access, cloud metadata |
|
XXE |
9 labs |
Apprentice → Expert |
High — file disclosure, SSRF via XXE |
|
OAuth |
6 labs |
Practitioner → Expert |
Very High — account takeover via auth bypass |
|
Deserialization |
10 labs |
Practitioner → Expert |
Critical — often leads to RCE |
|
JWT |
8 labs |
Practitioner → Expert |
High — authentication bypass, account takeover |
|
Race Conditions |
6 labs |
Practitioner → Expert |
Medium-High — logic bypass, duplicate actions |
Pricing
Web Security Academy is completely free. All learning content, all labs, all practice environments — no payment, no subscription, no trial. PortSwigger funds it as part of their mission to advance web security education globally.
The BSCP Certification
PortSwigger offers the Burp Suite Certified Practitioner (BSCP) — a proctored, time-limited exam where candidates must exploit live web vulnerabilities using Burp Suite. It’s the only web security certification that tests hands-on exploitation in a live environment.
| BSCP Details | Information |
|---|---|
|
Exam format |
2 stages — each containing 2 applications with 1 vulnerability each — 4 hours total |
|
Passing score |
Complete all exploits within the time limit |
|
Preparation |
Web Security Academy — specifically the Practice Exam and mystery labs |
|
Level |
Intermediate–Advanced — all Academy content should be completed before attempting |
Certification Prep — What Web Security Academy Helps With
| Certification | How Web Security Academy Helps |
|---|---|
|
CEH / CEH Practical |
Web exploitation modules map directly to Academy content — SQLi, XSS, CSRF all tested |
|
CPENT (EC-Council) |
Advanced web exploitation sections in CPENT align with Academy advanced content |
|
OSCP |
Web exploitation module in PEN-200 — Academy provides deeper coverage than PEN-200 alone |
|
Bug Bounty (HackerOne/Bugcrowd) |
Academy advanced labs teach the vulnerability classes that pay the highest bounties |
|
BSCP (Burp Suite Certified Practitioner) |
Web Security Academy is the official preparation for PortSwigger’s own certification |
Recommended Resources
- Web Security Academy homepage and course access
- Free Burp Suite Community Edition download
- PentesterLab — complementary web security exercises with badge-based progression
- OWASP Top 10 — foundational classification all Academy content maps to
- HackTricks Web Hacking section — additional technique reference for Academy advanced labs
── SecVerse Marketplace — Resources ──
Which Platform is Right for You?
PortSwigger Web Security Academy is the right choice when you want the best free web security education available. Here is how it compares:
| If you want... | Best Choice |
|---|---|
|
You want badge-based progression and downloadable VMs for offline practice |
PentesterLab — badges, ISOs, structured web vulnerability track |
|
You want broad offensive security beyond web including network and AD |
Hack The Box — the widest range of attack categories |
|
You want CTF-style web challenges for beginners |
picoCTF — Web Exploitation category, 100% free |
|
You want the deepest, free, research-quality web security training |
PortSwigger Web Security Academy — this is the right choice |
How to Get Started
- Download Burp Suite Community Edition before opening the Academy. The labs require Burp Suite. Download it first, configure your browser to use the Burp proxy, and do the Burp Suite in-tool tutorial. Starting the Academy without Burp configured is like starting a driving lesson without the car.
- Follow the Academy’s recommended learning path — start with SQL Injection. SQLi is the most foundational web vulnerability and the Academy’s SQLi module is exceptional. Complete all 18+ labs including the blind and filter-bypass challenges before moving to XSS.
- Work mystery labs after completing topic modules. The Academy’s ‘mystery labs’ don’t tell you what vulnerability type they contain — you have to identify and exploit it from scratch. These are the most valuable practice in the entire Academy.
📌 Note: The information on this page — including certification details, exam codes, pricing, and salary ranges — is regularly reviewed and updated to reflect the latest data from official sources. Always verify current details directly with the relevant certification body or platform before making any decisions.
Community & Support
── Web Security Communities ──
Related Articles
The 6 Learning Paths Every Cybersecurity Beginner Should Know
Affiliate Disclaimer: Some links in this article are affiliate links. This means if you click a link and make a purchase, SecVerse may earn a small commission — at no extra cost to you. We only recommend tools we genuinely believe in and that we consider useful for your cybersecurity learning journey. Our editorial opinions are never influenced by affiliate relationships. Introduction: **In our first guide**, we covered how to start learning cybersecurity without feeling overwhelmed. If you haven’t read it yet, start there. Now, let’s talk about which path to take once you’re ready. When I decided to get into cybersecurity 20 years ago after I graduated from school of engineering as computer engineer, I had no idea which path to take. I bought a CEH course first. Then I bought a Security+ book. Then I tried to learn networking. I was all over the place. Don’t be me.
How to Start Learning Cybersecurity Without Feeling Overwhelmed
Affiliate Disclaimer: Some links in this article are affiliate links. This means if you click a link and make a purchase, SecVerse may earn a small commission — at no extra cost to you. We only recommend tools we genuinely believe in and that we consider useful for your cybersecurity learning journey. Our editorial opinions are never influenced by affiliate relationships. Introduction: The Overwhelm is Real (But Avoidable) Let’s be honest with ourselves to avoid the shock and be realistic. Cyber security is huge, branching, and massive field. When I decided to get and start in this field 20 years ago. I made every mistake imaginable: Bought expensive courses I never finished. Tried to learn everything at once – pentesting, malware analysis, cloud security, forensics. All in short time. Got trapped in “tutorial”- watching videos for hours but never actually doing anything because of not practicing them and being confused.
