Course Catalog and Descriptions
Welcome, Codebasher!
Codebashing offers pre-designed courses with interactive lessons in different coding languages that demonstrate some of their security vulnerabilities, how they occur, their impact, and how they are remediated. The goal of each course is to provide you with practical skills in securing your application.
Note
The courses' default language is English. To view the lessons in a different language, select the desired language from the Content Language list in your Account Settings.
In addition, admin users and authorized manager users may build their courses or add available lessons to an existing course.
The following is a catalog of the courses and their lessons in Codebashing:
This course covers various vulnerabilities and secure coding practices for Android apps. Lessons include Forceful Browsing Attacks, Excessive Logging Risks, Secure Management of Login Credentials, Protection Against Background Screenshots, Preventing Autocomplete-related Vulnerabilities, Insecure Local Storage, Sensitive Data in File Storage, and Client-Side Injection.
This course explores various vulnerabilities and secure coding practices in Java-based web applications. Topics you will learn: SQL Injection, XXE Processing, Command Injection, Session Fixation, Use of Insufficiently Random Values, Reflected XSS, Stored (Persistent) XSS, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Authentication Credentials In URL, Session Exposure Within URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, ClickJacking, Insecure URL Redirect, Insecure TLS Validation, Insecure Object Deserialization, and Vulnerable and Outdated Components.
This course delves into advanced topics related to secure coding in Java-based web applications. Topics you will learn: SQL Injection, Command Injection, Use Of Insufficiently Random Values, Server Side Request Forgery, Second Order SQL Injection, Reflected XSS, Stored XSS, Cross-Site Request Forgery, Path Traversal, and Session Fixation.
This course continues to explore a range of advanced vulnerabilities and secure coding practices in Java-based web applications. Topics you will learn: XXE Processing, LDAP injection, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, Insecure Object Deserialization, Insecure Password Storage, Open Redirect, Race Condition, and Denial of Service via Unrestricted File Upload.
This course introduces the fundamentals of securing Infrastructure as Code (IaC) deployments. Topics you will learn: Access Management, Networking in the Cloud, Introduction to IaC Security, Subdomain Takeover, Supply Chain Attack & Insecure Templates, Secrets Management, Object Storage Access Management, Security Use Cases, and Logging.
This course teaches the foundational principles of securing Java backend applications. Topics you will learn: Encoding vs. Hashing vs. Encryption, Password Storage, SQL Injection, Second Order SQL Injection, Command Injection, Denial of Service via Unrestricted File Upload, Directory (Path) Traversal, Leftover Debug Code, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, Server-Side Request Forgery, Race Condition, Insecure TLS Validation, Insecure Object Deserialization, Vulnerable and Outdated Components, XXE Processing, and LDAP Injection.
This course focuses on addressing security challenges specific to React applications and teaching you how to write secure code while maintaining the integrity and confidentiality of user data. Topics you will learn: Cross-site Scripting (XSS) in React, The dangerouslySetInnerHTML Property, Sensitive Data in Code, Cross-site Request Forgery, and Vulnerable and Outdated Components.
This course gives you comprehensive knowledge of secure coding practices for .NET applications. Lessons include: SQL Injection, XXE Processing, Command Injection, Session Fixation, Use of Insufficiently Random Values, Reflected XSS, Stored (Persistent) XSS, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Authentication Credentials In URL, Session Exposure Within URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, ClickJacking, Insecure URL Redirect, Insecure TLS Validation, Insecure Object Deserialization, and Vulnerable and Outdated Components.
This course explores various security vulnerabilities applicable across different programming languages, enabling you to apply its principles to secure applications in your programming language. Topics you will learn: Cross-Site Request Forgery (POST), Vertical Privilege Escalation, Horizontal Privilege Escalation, Leftover Debug Code, XXE Processing, Session Fixation, Session Exposure Within URL, Privileged Interface Exposure, Stored (Persistent) XSS, Authentication Credentials In URL, Directory (Path) Traversal, Insecure TLS Validation, SQL Injection, Cross-Site Request Forgery (GET), Reflected XSS, Vulnerable and Outdated Components, Command Injection, User Enumeration, Use of Insufficiently Random Values, ClickJacking, and Insecure URL Redirect.
This course delves into advanced security topics specifically tailored for .NET applications.
The course covers critical vulnerabilities such as SQL injection, second-order SQL injection, command injection, session fixation, cross-site request forgery (CSRF), server-side request forgery (SSRF), use of insufficiently random values, stored (persistent) XSS, reflected XSS, and directory (path) traversal.
This course continues your journey into advanced security topics specific to .NET applications.
This course focuses on vulnerabilities such as XXE processing, LDAP injection, user enumeration, horizontal privilege escalation, vertical privilege escalation, insecure object deserialization, insecure password storage, open redirect, race condition, and denial of service via an unrestricted file upload. You will learn best practices for secure coding, secure password storage techniques, and strategies for preventing race conditions and denial of service attacks.
This course focuses on securing .NET backend applications. You will learn about encoding, hashing, and encryption for data protection, secure password storage, preventing SQL injection, command injection, denial of service, and directory traversal.
This course focuses on fundamental security practices for front-end development. Topics you will learn: Reverse Tabnabbing, HTTP Strict-Transport-Security (HSTS), DOM XSS in URL, DOM XSS in AJAX, DOM XSS in eval(), Secure Cookie Flag, HttpOnly Cookie Flag, No Server-Side Validation, Clickjacking, DOM Open Redirect, Reflected XSS, Stored (Persistent) XSS, Cross-Site Request Forgery, Vulnerable and Outdated Components, Common XSS Use Cases, and SameSite Cookie Attribute.
This course covers key security principles related to HTTP. You will learn about HTTP security headers, misuse of headers, risks like HTTP response splitting, content security policy, web cache deception, HTTP caching, and same-origin policy and cross-origin resource sharing (CORS).
This course provides an interface tour and covers various security topics in C/C++. These include stack overflows, heap overflows, integer overflows, format string attacks, dangerous or insecure use of APIs, compiler optimization bugs, NULL pointer dereference, and race conditions.
This course covers a wide range of security vulnerabilities in Python Django applications. Lessons include: SQL Injection, XXE Processing, Command Injection, Session Fixation, Use of Insufficiently Random Values, Reflected XSS, Stored (Persistent) XSS, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Authentication Credentials In URL, Session Exposure Within URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, ClickJacking, Insecure URL Redirect, Insecure TLS Validation, Insecure Object Deserialization, Vulnerable and Outdated Components.
This course covers advanced security topics in Python. Topics you will learn: SQL Injection, Command Injection, Use Of Insufficiently Random Values, Server Side Request Forgery, Second Order SQL Injection, Reflected XSS, Stored XSS, Cross-Site Request Forgery, and Path Traversal.
This course covers advanced security topics in Python, including XXE processing, user enumeration, privilege escalation, unrestricted file upload, race condition, open redirect, LDAP injection, and insecure password storage.
This course covers fundamental security concepts for Python backend development. Topics you will learn: Encoding vs. Hashing vs. Encryption, Password Storage, SQL Injection, Second Order SQL Injection, Command Injection, Denial of Service via Unrestricted File Upload, Directory (Path) Traversal, Leftover Debug Code, Server-side Request Forgery, Race Condition, LDAP Injection, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, Insecure TLS Validation, Insecure Object Deserialization, XXE Processing, and Vulnerable and Outdated Components.
This course covers security vulnerabilities in Ruby on Rails applications. Lessons include: SQL Injection, XXE Processing, Command Injection, Session Fixation, Use of Insufficiently Random Values, Reflected XSS, Stored (Persistent) XSS, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Authentication Credentials In URL, Session Exposure Within URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, ClickJacking, Insecure URL Redirect, Insecure TLS Validation, Insecure Object Deserialization, Vulnerable and Outdated Components.
This course covers security vulnerabilities in PHP applications. Lessons include: SQL Injection, XXE Processing, Command Injection, Session Fixation, Use of Insufficiently Random Values, Reflected XSS, Stored (Persistent) XSS, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Authentication Credentials In URL, Session Exposure Within URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, ClickJacking, Insecure URL Redirect, Insecure TLS Validation, Insecure Object Deserialization, Vulnerable and Outdated Components.
This course covers advanced security topics in PHP, including SQL injection, command injection, second-order SQL injection, insufficient random values, SSRF, CSRF, reflected XSS, stored XSS, directory traversal, and session fixation.
This course covers important security concepts for PHP backend development. Topics you will learn: Encoding vs. Hashing vs. Encryption, Password Storage, SQL Injection, Second Order SQL Injection, Command Injection, Denial of Service via Unrestricted File Upload, Directory (Path) Traversal, Leftover Debug Code, Server-side Request Forgery, Race Condition, LDAP Injection, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, Insecure TLS Validation, Insecure Object Deserialization, XXE Processing, and Vulnerable and Outdated Components.
This course covers security vulnerabilities in Node.js applications. Lessons include: SQL Injection, XXE Processing, Command Injection, Session Fixation, Use of Insufficiently Random Values, Reflected XSS, Stored (Persistent) XSS, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Authentication Credentials In URL, Session Exposure Within URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, ClickJacking, Insecure URL Redirect, Insecure TLS Validation, Insecure Object Deserialization, Vulnerable and Outdated Components.
This course covers important security vulnerabilities in iOS applications, including forceful browsing, excessive logging, cached login credentials, unprotected background screenshots, autocomplete field risks, insecure local storage, sensitive data in Plist files, and client-side injection.
This course covers security topics specific to AngularJS applications, including sandbox introduction, escaping scenarios, contextual escaping, CSRF protection, HTML and URL sanitization, DOM open redirect, and sensitive data exposure.
This course continues to teach practical skills and security measures specific to Angular 2+ applications, including anti-XSS mechanisms, CSRF protection, XSS prevention, handling sensitive data, addressing components with known vulnerabilities, and the importance of server-side validation.
This course covers various security vulnerabilities in Scala applications. Lessons include: SQL Injection, XXE Processing, Command Injection, Session Fixation, Use of Insufficiently Random Values, Reflected XSS, Stored (Persistent) XSS, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Authentication Credentials In URL, Session Exposure Within URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, ClickJacking, Insecure URL Redirect, Insecure TLS Validation, Insecure Object Deserialization, Vulnerable and Outdated Components.
This course covers essential security topics for Scala backend development. Topics you will learn: Encoding vs. Hashing vs. Encryption, Password Storage, SQL Injection, Second Order SQL Injection, Command Injection, Denial of Service via Unrestricted File Upload, Directory (Path) Traversal, Leftover Debug Code, Server-side Request Forgery, Race Condition, LDAP Injection, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, Insecure Object Deserialization, XXE Processing, Cross-Site Request Forgery (POST), and Vulnerable and Outdated Components.
This course focuses on securing Go applications against common vulnerabilities. Lessons include: SQL Injection, XXE Processing, Command Injection, Session Fixation, Use of Insufficiently Random Values, Reflected XSS, Stored (Persistent) XSS, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Authentication Credentials In URL, Session Exposure Within URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, ClickJacking, Insecure URL Redirect, Insecure TLS Validation, Insecure Object Deserialization, and Vulnerable and Outdated Components.
This course covers various programming languages including Java, .NET, Ruby, PHP, Python, Scala, C/C++, Android, APEX, ASP.NET, Groovy, JavaScript, Kotlin, Perl, Go, Visual Basic, and Visual Basic .NET while providing insights into securing source code written in these languages, addressing common vulnerabilities, and implementing best practices to ensure the security of software applications.
This course provides a comprehensive introduction to securing APIs built on the .NET framework. It covers key topics such as API authentication, separating authentication and authorization, addressing broken object-level and function-level authorization, mitigating brute-force attacks, and handling authentication credentials in URLs.
This course consists of several lessons covering important topics in Java API security. The lessons include an introduction to API security, authentication in APIs, separating authentication and authorization, addressing broken object-level and function-level authorization, mitigating brute force attacks, and handling authentication credentials in URLs.
Learn how to keep your APIs secure and prevent common attacks. The lessons cover important topics in API security, such as unsafe API consumption, improper inventory management, unrestricted resource consumption, broken object property level authorization (mass assignment), insufficient logging and monitoring, and more common threats like SSRF, SQL injection, and command injection.
This unique course introduces application security and equips decision-makers with the essential knowledge to make informed choices regarding application security measures. Topics you will learn: Introduction to Application Security, Injection Flaws, Identification and Authentication Failures, Sensitive Data Exposure, Broken Access Control, Security Misconfigurations, Vulnerable and Outdated Components, Best Practices for Managers, XXE Injection, Security Logging and Monitoring Failures, Insecure Object Deserialization, Server-Side Request Forgery (SSRF), Cryptographic Failures, and Insecure Design.
This unique course introduces application security during testing and is specifically tailored for quality assurance (QA) professionals. Topics you will learn: Introduction to Application Security, Injection Flaws, Identification and Authentication Failures, Sensitive Data Exposure, Broken Access Control, Security Misconfigurations, Vulnerable and Outdated Components, Cross-Site Request Forgery, XXE Injection, Security Logging and Monitoring Failures, Insecure Object Deserialization, Server-Side Request Forgery (SSRF), Cryptographic Failures, and Insecure Design.
This comprehensive course provides you with essential knowledge about web application security. Topics you will learn: eslint, scope, Pippo Deserialization, Vert.X, XXE, Flask, Panel XSS, Apache Unomi, Mozilla-Bleach, Mutation Cross-Site Scripting (mXSS), Cryptiles, Log4J, Pwnkit, and Zabbix.
This course details Cross-Site Request Forgery (CSRF) attacks and defense. The lessons include an Introduction to CSRF, an Overview of How CSRF Attacks Work, a Detailed Scenario Illustrating a CSRF Attack, Recommended Protection Mechanisms, Common Insufficient Protection Mechanisms, and Best Practices for Prevention.
In this course, you will explore JSON Web Token (JWT) security. Topics you will learn include an overview and introduction to JWT, Bypass Verification - No Signature Verification, Bypass Verification - None Signature Algorithm, Bypass Verification - Swapping Algorithms, Bypass Verification - Weak HMAC Algorithms, Bypass Parameters - Weak Secret, Header Parameters - jku Manipulation, Header Parameters - x5c and x5t Manipulation, Header Parameters - JWK Manipulation, and Header Parameters - Key ID Manipulation.
Throughout this course, you will learn about Docker security and management. Lessons include: Docker Overview: Part 1, Docker Overview: Part 2, Secrets in Images, Access to Docker Registry, Management Port Exposure, Privilege Escalation - Privileged Container, Privilege Escalation - Dangerous Mounts, Images with Known Vulnerabilities, Expose Docker API to a Network, Malicious Images, Privilege Escalation - Kernel Exploits, Privilege Escalation - Mount Docker API to a Container, and Insecure Resources Management.
In this course, you will discover strategies attackers use to create a deceptive GitHub profile. Topics you will learn include Legitimate Organization, More Artificial Stats, Achievements, Constant Activity, Using Contributors' Reputation, and Stars Faking.
This course offers lessons on Kubernetes security. Topics you will learn include an overview of Kubernetes security, Authentication and Authorization, Broken RBAC Configuration, Anonymous Access to Kubernetes API, Misconfigured Kubernetes Components, Insecure Secrets Management, Privilege Escalation: Service Account Token, Privilege Escalation: Cloud Platform Metadata, Insecure Workload Configuration, and Insecure Resources Management.
This course covers essential aspects of application security. Topics you will learn include Software Composition Analysis (SCA), Open-Source Software (OSS), Penetration Testing, Supply Chain Security, Software Development Lifecycles (SDLC), Software Bill Of Materials (SBOM), Security Baseline, Code Reviews, Priority, Severity, Security Assessments, Bug Bounty and Responsible Disclosure, Threat Modeling, The CIA Triad, Zero-Days, Threat Actors, CVE/CWE, Risks, Exploits, and Vulnerabilities.
This course introduces you to the exciting world of Cryptography - the art of protecting, securing, and encrypting information and codes. Topics you will learn include: Introduction to Cryptography, Security Aspects and Attack Vectors, The Essence of Encryption, Symmetric and Asymmetric Encryption, Hash Functions and their Applications, Message Authentication Codes (MAC) and their Uses, Digital Signatures, Public Key Infrastructure (PKI), and Practical Applications of Cryptography.
This course familiarizes you with the top 10 vulnerabilities listed in the Open Web Application Security Project (OWASP) Top 10 for Large Language Model (LLM) Applications. Every topic has an introduction, an example attack scenario, and remediation. Topics you will learn include Prompt Injection, Insecure Output Handling, Training Data Poisoning, Model Denial of Service, Supply Chain Vulnerabilities, Sensitive Information Disclosure, Insecure Plugin Design, Excessive Agency, Overreliance, and Model Theft.