LEARNING PATH: Application Security Essentials

Injections, XXE, and Insecure Deserialization

Understanding the core principles of Application Security is the difference between building software that's secure and software that's easily exploitable. This course is a deep dive into some of the most common and frequently occurring vulnerabilities your applications are likely to acquire over the course of development.

This course, Injections, XXE, and Insecure Deserialization, contains 5 modules, each dealing with a different common vulnerability. To begin, we'll take you through the real-world techniques used to attack applications through Injection flaws, XML External Entities (XXE), Insecure Deserialization and Server-Side Request Forgery (SSRF).

Next, we'll counter these with battle-tested strategies to defend against each of them. Every module is packed with hands-on labs that you'll work through alongside the trainer, so you get practical experience dealing with real-world vulnerabilities as you learn about them.

At the end of this course, you'll come away with a comprehensive understanding of some of the most commonly occurring vulnerabilities that affect applications today. You'll be able to take everything you've learned about Injection vulnerabilities, XXE, and Insecure Deserialization and apply it in a modern development environment.

Injections, XXE, and Insecure Deserialization
Proficiency: Beginner
Audience: Application Security
Course Duration: 4
Lessons: 34
Cloud Labs: 5
Proficiency: Intermediate
Audience: Cloud Security Expert
Course duration: 4
Lessons: 16
Cloud Labs: 2

    • Injection Flaws – An Introduction
    • Parser Flaws – An Introduction and Overview
    • History of Breaches with Injection and Parser Flaws
    • Types of Injection Flaws
    • How Injection Flaws Work
    • SQL Injection – Attack and Defense
    • Labs: SQL Injection Attack and Defense
    • Server-Side Template Injection – Attack and Defense
    • Labs: Server-Side Template Injection
    • OS Command Injection – Attack and Defense
    • Labs: OS Command Injection
    • XML – DTD and Entities
    • XML Parsers, their Configuration and XXE
    • XXE Effects and Attack Possibilities
    • Lab: Attacking XXE Vulnerabilities to achieve:
      • Local File Inclusion
      • Server-Side Request Forgery
      • Denial of Service
    • Lab: Defending against XXE – Parser Configuration
    • Lab: Defending against XXE – Library Scanning
    • Overview – Serialization and Deserialization
    • Platform-specific and Agnostic Serialization Formats
    • Insecure Deserialization: A Primer
    • Breaches and Real-world Attacks Caused by Insecure Deserialization
    • Lab: Attacking Insecure Deserialization for Remote Code Execution
    • Defending against Insecure Deserialization:
      • Look-Ahead Deserialization
      • Sandbox Implementation
      • Patching Libraries or Using Secure Variants of Libraries
    • URL Parsers and their Inconsistencies
    • In Redirect We Trust: Parser Inconsistencies and Server-Side Request Forgery
    • Effects and Real-world Impacts of Server-Side Request Forgery Attacks
    • Lab: Attacking Server-Side Request Forgery
    • Lab: Defending against Server-Side Request Forgery

    • Understanding SQL Injection
    • Defending against SQL Injection
    • Server-Side Template Injection against NodeJS Apps
    • Attack & Defense – XXE
    • Attack & Defense – Insecure Deserialization