The full curriculum

15 stations. 142 lessons. No filler.

Every lesson below is original, written-from-scratch content, built around the OWASP Top 10, real-world attack patterns, and what actually pays on HackerOne and Bugcrowd. This is the structure; the full lessons, labs, and exams live inside the platform.

01

Foundations

How the web really works: HTTP, DNS, browsers, Linux, the request lifecycle.

25 lessons
  1. Start Here — How to Use This Roadmap
  2. Clients, Servers & the Web — The Big Picture
  3. The URL — Anatomy of Every Web Address
  4. How the Internet Works — Packets, Routers, and IPs
  5. The Domain Name System (DNS) — The Internet's Phone Book
  6. TCP vs UDP — Reliability vs Speed
  7. Ports & Services — What's Listening?
  8. The OSI Model — 7 Layers of Communication
  9. HTTP — The Language of the Web
  10. HTTPS & TLS — How Encryption Protects Data in Transit
  11. WebSockets — Real-Time Two-Way Communication
  12. Other Protocols — SMTP, FTP & SSH
  13. How Browsers Work — From URL to Rendered Page
  14. The Same-Origin Policy — Why Browsers Isolate Origins
  15. CORS — Cross-Origin Resource Sharing
  16. HTML — The Structure of Every Web Page
  17. CSS — How Websites Look
  18. JavaScript — Making Pages Interactive
  19. The DOM — How Browsers Represent Web Pages
  20. Cookies, Sessions & Local Storage
  21. How Web Applications Are Built — Frontend, Backend & Database
  22. APIs — REST, SOAP, GraphQL & JSON-RPC
  23. CDNs, Load Balancers & Reverse Proxies
  24. Linux, the Terminal & the File System
  25. Essential Linux Commands & Networking Tools

02

Recon & OSINT

Mapping the full attack surface before touching a single endpoint.

12 lessons
  1. The Recon Mindset — Attack Surface Mapping
  2. Passive vs Active Recon
  3. Google Dorking — Advanced Search Operators
  4. WHOIS, DNS Records & Certificate Transparency
  5. Subdomain Enumeration — subfinder, amass, dnsx
  6. Port Scanning with Nmap
  7. Technology Fingerprinting — Wappalyzer, WhatWeb, httpx
  8. Shodan & Censys — Search Engines for Internet-Exposed Hosts and Services
  9. GitHub Dorking — Finding Leaked Credentials and Keys
  10. Web Crawling & Spidering — Mapping the Application
  11. Parameter Discovery — Finding Hidden Inputs
  12. Organising Your Recon Data — Taking Notes That Win Bounties

03

Web App Security Core

The core vulnerability classes every hunter has to own cold.

15 lessons
  1. Client-Server Architecture — How Web Apps Are Built
  2. HTTP Methods in Depth — GET, POST, PUT, DELETE, PATCH, OPTIONS
  3. HTTP Headers — The Metadata Layer
  4. The Request-Response Cycle — Step by Step
  5. Authentication vs Authorization — Two Different Problems
  6. Cookie-Based Authentication
  7. Session Management — Creating, Storing, Invalidating Sessions
  8. JSON Web Tokens (JWT) — Structure, Signing, Verification
  9. OAuth 2.0 & OpenID Connect — Delegated Authorization
  10. Same-Origin Policy (SOP) — The Web's Core Security Model
  11. CORS — Cross-Origin Resource Sharing
  12. Content Security Policy (CSP) — Defending Against Injection
  13. REST APIs — How Modern Apps Communicate
  14. GraphQL — The Query Language for APIs
  15. Web Application Firewalls (WAF) — What They Block and How to Bypass Them

04

Bug Bounty Methodology

Scope, safe testing, triage, CVSS scoring, and report writing.

8 lessons
  1. What is Bug Bounty? The Mindset of a Hunter
  2. Reading Program Scope — In-Scope vs Out-of-Scope
  3. Safe Testing Practices — Not Breaking Things
  4. The Bug Hunter's Methodology — A Repeatable Process
  5. Triage — Is This Actually a Vulnerability?
  6. Writing a Great Bug Report
  7. CVSS Scoring — How Severity Is Calculated
  8. Building Your Lab Environment

05

Information Disclosure

Finding the secrets applications leak without realising it.

11 lessons
  1. What Is Information Disclosure — The Quiet Bug Class
  2. Sensitive Data in HTTP Responses
  3. Verbose Errors & Stack Traces
  4. Debug Pages & Dev Endpoints
  5. Exposed Config & Backup Files
  6. JavaScript Source Maps & Bundle Leaks
  7. HTML Comments, Hidden Fields & Frontend Leaks
  8. Response Headers Leaking Tech
  9. Username & Email Enumeration
  10. Chaining Information Disclosure Into Critical Bugs
  11. Reporting Information Disclosure

06

IDOR & Access Control

One of the most frequently reported and rewarded vulnerability classes on HackerOne, and where many hunters earn their first bounty.

7 lessons
  1. What Is IDOR — The Simplest Critical Bug
  2. Finding IDOR — Where to Look
  3. Horizontal vs Vertical Privilege Escalation
  4. Broken Access Control — Beyond IDOR
  5. Mass Assignment — Sending Fields You Shouldn't
  6. Real-World IDOR Case Studies
  7. Mitigation — How to Fix Access Control

07

Cross-Site Scripting

Reflected, stored, and DOM XSS, then chaining it into account takeover.

8 lessons
  1. What Is XSS and Why It Matters
  2. Reflected XSS — The One-Request Attack
  3. Stored XSS — Persistent and More Dangerous
  4. DOM-Based XSS — Client-Side Vulnerabilities
  5. XSS Payloads — From Alert to Account Takeover
  6. Bypass Techniques — Breaking Filters
  7. Finding XSS in the Wild — What to Test
  8. Impact, Mitigation, and Reporting

08

SQL Injection

Error-based, blind, and union-based SQLi, plus automation with sqlmap.

8 lessons
  1. What Is SQL? A 10-Minute Primer
  2. How SQL Injection Works — Breaking the Query
  3. Error-Based SQLi — Reading the Database's Mistakes
  4. UNION-Based SQLi — Extracting Data
  5. Blind Boolean SQLi — True or False?
  6. Time-Based Blind SQLi — When Silence Is the Answer
  7. sqlmap — Automation for SQLi
  8. Impact, Mitigation, and Real CVEs

09

Command Injection

From a single input field to remote code execution.

5 lessons
  1. OS Command Injection — What It Is and Why It Works
  2. Blind Command Injection — When You Get No Output
  3. Injection Points — Where to Look
  4. Bypass Techniques — Filters and WAF Evasion
  5. Impact and Real-World Examples

10

Server-Side Request Forgery

Blind and full-read SSRF, cloud metadata, and internal pivoting.

6 lessons
  1. What Is SSRF — The Server as Your Proxy
  2. Basic SSRF — Hitting Internal Endpoints
  3. Blind SSRF — Out-of-Band Detection
  4. SSRF to Internal Services — Redis, Elasticsearch, AWS Metadata
  5. Cloud Metadata Exploitation (AWS, GCP, Azure)
  6. Bypass Techniques — URL Parsers and Filters

11

API Security

REST and GraphQL attacks, broken auth, and mass assignment.

7 lessons
  1. What Is API Security
  2. API Authentication & Authorization Flaws
  3. GraphQL Attacks
  4. Rate Limiting Bypass & Mass Assignment
  5. API Reconnaissance
  6. Injections in APIs
  7. Real-World API Bug Case Studies

12

Authentication Attacks

Password reset flaws, JWT, OAuth, SAML, and 2FA bypass.

8 lessons
  1. Password Attacks — Brute Force and Credential Stuffing
  2. Password Reset Flaws — The Most Common Auth Bug
  3. OAuth 2.0 Vulnerabilities — State Parameter, Token Leakage
  4. JWT Attacks — None Algorithm, Weak Secrets, Key Confusion
  5. SAML Vulnerabilities — XML Signature Wrapping
  6. Two-Factor Authentication Bypass
  7. Session Fixation & Session Hijacking
  8. Real-World Authentication Bug Case Studies

13

Advanced Web Attacks

XXE, SSTI, request smuggling, deserialization, race conditions, chaining.

8 lessons
  1. XXE — XML External Entity Injection
  2. SSTI — Server-Side Template Injection
  3. Prototype Pollution
  4. HTTP Request Smuggling
  5. Insecure Deserialization
  6. Race Conditions
  7. OAuth 2.0 Advanced Attacks
  8. Vulnerability Chaining — From Low to Critical

14

Tools & Automation

Building a fast, repeatable hunting workflow and toolchain.

8 lessons
  1. Burp Suite Essentials
  2. Fuzzing with ffuf
  3. Nuclei — Automated Vulnerability Scanning
  4. Python Scripting for Bug Hunters
  5. Recon Tools — Subdomain & Attack Surface Discovery
  6. Custom Wordlists & Payload Generation
  7. Automation Workflow — Passive Monitoring & Continuous Recon
  8. Building Your Toolkit — Setup & Maintenance

15

Real-World Hunting

Putting it all together on live programs for real payouts.

6 lessons
  1. The Hunter's Mindset
  2. Choosing the Right Target
  3. Full Attack Surface Mapping
  4. Writing Winning Reports
  5. Getting Past Triage
  6. Your First Bounty — From Zero to Paid

This is the map. The platform is the territory.

Inside Codéjà Vu, each lesson comes with hands-on labs, timed exams, daily hunting logs, and live instructor review. Curious how we're scaling it, or want to partner on the mission?