Personal writeups of PortSwigger Web Security Academy labs completed during preparation for the Burp Suite Certified Practitioner exam (targeting the week of September 1, 2026).
Each writeup follows a standard structure: what the vulnerability class is, what the specific lab tests, how I exploited it, and one takeaway. See _template.md for the shape.
| Tier | Complete | Total |
|---|---|---|
| Apprentice | 59 | 59 ✅ |
| Practitioner | 72 | 171 (in progress) |
| Expert | 12 | 39 |
Writeups are organized by vulnerability class. Each folder contains one markdown file per lab.
access-control/
authentication/
csrf/
file-upload/
graphql/
http-request-smuggling/
information-disclosure/
jwt/
oauth/
os-command-injection/
path-traversal/
prototype-pollution/
race-conditions/
sql-injection/
ssrf/
web-cache-poisoning/
websockets/
xss/
xxe/
Three reasons:
- Writing forces retention — I can't hand-wave through a lab if I have to explain it in words.
- A public writeup pattern is what hiring managers actually look for on the GitHub of an AppSec candidate — it proves the work happened.
- Future me will forget the exact payload chain that beat lab X. Notes to self.
Practitioner exam — week of September 1, 2026. Cost: $99. Format: 4 hours, two vulnerable web apps, exploit both to pass. Valid 3 years.
Repository is updated weekly through the study period.