PortSwigger | Apprentice
Username enumeration via different responses
A login form only needs to say one thing to an attacker: "wrong." The moment it says two different kinds of wrong — one for a username that doesn't...
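To make the point concrete, the following is an added example (not PortSwigger's lab code): a constructed user store, a login handler that returns two different failure messages beside one that returns a single message and does the same hashing work whether or not the username exists, and the attacker-side routine that tells valid usernames apart by grouping responses. All usernames, passwords and message strings are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2 over the password; a salted hash is the only thing stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {
    "wiener": (_SALT, _hash("peter", _SALT)),
    "carlos": (_SALT, _hash("montoya", _SALT)),
}
# Hash compared against when the username is unknown, so the hardened
# handler spends the same time on every request instead of returning early.
_DUMMY_HASH = _hash(secrets.token_hex(8), _SALT)


def login_vulnerable(username: str, password: str) -> tuple:
    """Two different kinds of 'wrong': the message reveals whether the user exists."""
    record = USERS.get(username)
    if record is None:
        return 200, "Invalid username"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Incorrect password"
    return 302, "OK"


def login_hardened(username: str, password: str) -> tuple:
    """One message for every failure; the hash is computed even for unknown users."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if not (matched and username in USERS):
        return 200, "Invalid username or password"
    return 302, "OK"


def enumerate_usernames(login, candidates, probe_password="x" * 8):
    """Attacker side: send one bogus password per candidate and group the
    replies. The majority reply is the baseline; any candidate whose reply
    differs from it is reported as a valid username."""
    responses = {name: login(name, probe_password) for name in candidates}
    replies = list(responses.values())
    baseline = max(set(replies), key=replies.count)
    return sorted(name for name, r in responses.items() if r != baseline)


if __name__ == "__main__":
    wordlist = ["admin", "carlos", "root", "wiener", "guest"]
    print("vulnerable:", enumerate_usernames(login_vulnerable, wordlist))
    print("hardened:  ", enumerate_usernames(login_hardened, wordlist))
```

The same grouping works on status codes, redirect targets, response lengths or timing, which is why the hardened handler normalises all of them and not only the message text.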
PortSwigger | Apprentice
2FA simple bypass
Two-factor authentication only works if the server treats "password verified" and "fully authenticated" as different states. If a session is marked...
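The two session states described above, as an added example that is not PortSwigger's lab code: a login flow where the password check alone yields a session the account page accepts, beside one where the session carries an explicit "MFA pending" flag that the account page refuses until the code has been verified. The in-memory session store, the credentials and the status codes are assumptions made for the example; credentials are kept in plaintext only because session state, not credential storage, is the point here.

```python
import secrets

USERS = {"carlos": "montoya"}  # constructed credentials for the example
SESSIONS = {}                  # session id -> session data


def _new_session(data: dict) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = data
    return sid


# --- vulnerable: "password verified" is treated as "fully authenticated" ---
def login_vulnerable(username: str, password: str):
    """Returns a session id after the password check; the 2FA page is only
    the next page the browser is sent to, nothing enforces it."""
    if USERS.get(username) != password:
        return None
    return _new_session({"user": username})


def my_account_vulnerable(sid: str) -> int:
    s = SESSIONS.get(sid)
    if not s or "user" not in s:
        return 302  # redirect to login
    return 200      # reachable by requesting it directly, skipping the code step


# --- hardened: two distinct states, and the sensitive page checks the second ---
def login_hardened(username: str, password: str):
    if USERS.get(username) != password:
        return None
    code = f"{secrets.randbelow(10**4):04d}"  # would be delivered out of band
    return _new_session({"user": username, "mfa_pending": True, "mfa_code": code})


def verify_mfa(sid: str, code: str) -> int:
    s = SESSIONS.get(sid)
    if not s or not s.get("mfa_pending"):
        return 400
    if not secrets.compare_digest(s["mfa_code"], code):
        return 401
    s["mfa_pending"] = False  # only now is the session fully authenticated
    del s["mfa_code"]
    return 200


def my_account_hardened(sid: str) -> int:
    s = SESSIONS.get(sid)
    if not s or "user" not in s or s.get("mfa_pending", True):
        return 302
    return 200


if __name__ == "__main__":
    sid = login_vulnerable("carlos", "montoya")
    print("vulnerable, no code entered:", my_account_vulnerable(sid))
    sid = login_hardened("carlos", "montoya")
    print("hardened, no code entered:  ", my_account_hardened(sid))
    verify_mfa(sid, SESSIONS[sid]["mfa_code"])
    print("hardened, after code:       ", my_account_hardened(sid))
```

Note that the hardened account page defaults `mfa_pending` to true when the key is missing, so a session created by any other code path is treated as incomplete rather than silently trusted.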
PortSwigger | Apprentice
Password reset broken logic
A password reset token is only a security control if it's actually checked at the moment it matters — when the new password gets saved, not just when...
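The save-time check described above, as an added example that is not PortSwigger's lab code: a reset flow where the token is validated only when the form is rendered and the save step trusts a `username` field, beside one where the save step derives the account from the token, checks its expiry and consumes it. The form field names, the token store and the expiry window are assumptions for the example, and passwords are kept in plaintext only for brevity.

```python
import secrets
import time

USERS = {"carlos": "montoya", "wiener": "peter"}  # constructed accounts
RESET_TOKENS = {}  # token -> {"user": ..., "expires": ...}


def request_reset(username: str):
    """Issue a reset token for an existing account (sent out of band in practice)."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"user": username, "expires": time.time() + 600}
    return token


def _lookup(token: str):
    rec = RESET_TOKENS.get(token)
    if rec is None or rec["expires"] < time.time():
        return None
    return rec


# --- vulnerable: the token gates the form, not the save ---
def reset_form_vulnerable(token: str) -> int:
    """GET handler: renders the form only for a valid token."""
    return 200 if _lookup(token) else 404


def save_password_vulnerable(form: dict) -> int:
    """POST handler: accepts whatever username the form carries and never
    looks at the token again, so an attacker with a token for their own
    account can submit username=carlos."""
    username = form.get("username")
    if username not in USERS:
        return 404
    if form.get("new-password") != form.get("new-password-confirm"):
        return 400
    USERS[username] = form["new-password"]
    return 200


# --- hardened: the token is the only identity, checked where the write happens ---
def save_password_hardened(form: dict) -> int:
    token = form.get("token", "")
    rec = _lookup(token)
    if rec is None:
        return 403
    if form.get("new-password") != form.get("new-password-confirm"):
        return 400
    USERS[rec["user"]] = form["new-password"]  # account comes from the token
    RESET_TOKENS.pop(token)                    # single use
    return 200


if __name__ == "__main__":
    own = request_reset("wiener")
    forged = {"token": own, "username": "carlos",
              "new-password": "pwned", "new-password-confirm": "pwned"}
    print("hardened:", save_password_hardened(forged), USERS)
    print("vulnerable:", save_password_vulnerable(forged), USERS)
```

A client-supplied username field has no place in the save step at all; any field the attacker controls that selects the account being written to turns a valid token for one account into a reset for any other.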
Want to go from zero to junior pentester?
These walkthroughs are a taste. The full path — live, hands-on, small cohorts — starts with a free webinar.