HACKR.GG
// Blog

Hacking, explained.

Deep dives on how vulnerabilities actually work — and how to exploit them in the lab.

Web Security | 2026-04-25

OWASP Top 10 Vulnerabilities Explained with Examples (2025)

The OWASP Top 10 is the gold standard reference for web application security. Here's every vulnerability explained in plain English — with real payloads, real-world examples, and how attackers actually exploit each one.

15 min read
Platform | 2026-04-22

Meet Eliza: The AI Cybersecurity Tutor Built Into Hackr.GG

Learning cybersecurity is hard when you get stuck and have nobody to ask. Eliza is an AI tutor built into every course and lab on Hackr.GG — she knows what you're studying and explains it in plain language.

6 min read
Web Security | 2026-04-08

SQL Injection: How One Quote Character Breaks a Database

A single apostrophe in a login form can hand an attacker your entire database. Here's exactly how SQL injection works, why it still exists everywhere, and how to spot it.

9 min read
Web Security | 2026-04-05

XSS: From alert(1) to Session Hijack

Cross-site scripting isn't just a pop-up trick. In the right hands it's a full account takeover. This is how attackers weaponise it — and what actually stops it.

11 min read
Career | 2026-04-01

How to Start Bug Bounty With Zero Experience (Realistic Guide)

Everyone says 'just start hacking' but nobody explains what that means. This is the honest path from complete beginner to your first valid report.

14 min read
Web Security | 2026-03-28

IDOR: The Vulnerability That Keeps Making Headlines

Insecure Direct Object References consistently pay out the biggest bug bounties and appear in the most high-profile breaches. Here's why they're so common and how to find them.

8 min read
Web Security | 2026-04-10

Command Injection: When Your App Hands an Attacker a Shell

A ping field that shells out to the OS. A file converter that calls ImageMagick. One unsanitised input and the attacker is running commands as your web server. Here's how command injection works and why it keeps appearing in CVEs.

10 min read
Web Security | 2026-04-09

SSRF: How Attackers Use Your Server Against You

Server-Side Request Forgery turned a misconfigured AWS role into the Capital One breach. It lets attackers reach internal infrastructure — metadata APIs, databases, admin panels — that are never exposed to the internet.

12 min read
Fundamentals | 2026-04-07

How HTTPS Actually Works (And What It Doesn't Protect)

The lock icon means the connection is encrypted. It doesn't mean the site is safe. Here's exactly what happens in a TLS handshake, what HTTPS protects against, and what it leaves completely open.

10 min read
Career | 2026-04-15

How to Start Ethical Hacking in 2026 (Complete Beginner Guide)

The honest guide to starting ethical hacking — what skills you actually need, what to learn in what order, and how to avoid the traps that waste most beginners' first six months.

13 min read
Career | 2026-04-15

What Is Penetration Testing? (And How It Actually Works)

Penetration testing is not just running vulnerability scanners. Here's what professional pentesters actually do, how engagements are structured, and what separates a useful pentest from a checkbox exercise.

11 min read
Career | 2026-04-15

Bug Bounty for Beginners: Everything You Need to Know

Bug bounty programmes pay researchers to find security vulnerabilities — legally. Here's what you actually need to know before you start, including the mistakes that get beginners blocked or banned.

12 min read
Career | 2026-04-15

What Is a CTF? Capture the Flag Hacking Competitions Explained

CTF competitions are how most hackers get their first taste of real exploitation. Here's what they are, what categories come up, and how to get started even with zero experience.

10 min read
Web Security | 2026-04-15

Cross-Site Scripting (XSS) Explained: Types, Attacks, and Defences

XSS has been in the OWASP Top 10 for two decades. It's widely misunderstood — treated as a pop-up trick when it's actually one of the most versatile attack primitives on the web.

11 min read
Tools | 2026-04-15

How to Use Burp Suite for Beginners (Community Edition Guide)

Burp Suite is the tool every web security tester uses. This guide covers how it actually works — proxy, Repeater, Intruder, Decoder — and the daily workflow that makes it useful.

12 min read
Web Security | 2026-04-15

SQL Injection Cheat Sheet: Payloads, Techniques, and Examples

The complete SQL injection reference — detection payloads, UNION attacks, blind injection, time-based techniques, and database-specific syntax for MySQL, PostgreSQL, MSSQL, and Oracle.

14 min read
Resources | 2026-04-15

Best Free Hacking Labs Online: An Honest Comparison

An honest breakdown of the best online hacking labs — hackr.gg, HackTheBox, TryHackMe, PortSwigger, PentesterLab — who each one is for and where they fall short.

10 min read
Career | 2026-04-15

How to Practice Web Hacking Legally: The Complete Answer

Where can you actually practice hacking without getting arrested? The complete answer — your own lab, browser-based platforms, bug bounty programmes, and CTF competitions.

9 min read
Linux | 2026-04-19

Linux Privilege Escalation: A Beginner's Guide

You've got a shell as a low-privileged user. Now you need root. Here's the methodology — SUID binaries, sudo misconfigurations, cron jobs, writable files — and how to work through them systematically.

13 min read
Web Security | 2026-04-19

CSRF Explained: How Cross-Site Request Forgery Works

CSRF lets an attacker use your own browser against you — triggering authenticated actions on sites you're logged into, without ever touching your credentials. Here's how it works and how to find it.

11 min read