
JavaScript

Live course

The language of the browser — and of client-side attacks.

12 modules · 15 lessons published · beginner-friendly


Overview

Almost every web app you'll test runs JavaScript, and the bugs that matter most now live in the client. This course takes you from 'what is a variable' to reading minified bundles, tracing DOM-XSS source-to-sink, understanding framework escape hatches, and chaining prototype-pollution gadgets. Built for a pentester who wants to read and weaponise JS, not ship software.

Why learn JavaScript

  • Modern apps are JavaScript-heavy SPAs — you can't test what you can't read.
  • Client-side bugs (DOM XSS, prototype pollution, postMessage) live entirely in JS.
  • Reading the bundle reveals endpoints, secrets, and hidden routes the UI never shows.

What you'll build

  • DOM source-and-sink finders
  • Bundle endpoint and secret extractors
  • AI-powered analysis artifacts
  • Proof-of-concept client-side exploits

Security applications

  • DOM-based XSS discovery and exploitation
  • JavaScript bundle analysis and secret extraction
  • Prototype pollution and gadget chaining
  • Framework security review (React, Angular, Vue)
  • Client-side authorization and JWT analysis

Tools built with JavaScript

  • Burp Suite
  • DevTools
  • Puppeteer
  • Playwright
  • DOMPurify

Full curriculum

1. Programming Fundamentals (4 lessons)

How code runs, variables, data types, arrays, objects, operators, conditions, loops, and functions.

2. Core JavaScript (1 lesson)

Scope, hoisting, closures, callbacks, arrow functions, destructuring, modules, and strict mode.

3. Browser Fundamentals (1 lesson)

Browser architecture, the DOM, BOM, storage, the same-origin policy, and the browser security model.

4. DOM Manipulation (1 lesson)

Selectors, events, dynamic HTML, and the unsafe sinks behind DOM XSS.

5. Asynchronous JavaScript (1 lesson)

The event loop, promises, async/await, fetch, and API communication.

6. Advanced JavaScript (1 lesson)

Prototypes, the prototype chain, this, eval, the Function constructor, and prototype pollution.

7. Modern Frontend Applications (1 lesson)

React, Angular, and Vue from a security angle — escape hatches, SSR seams, and state stores.

8. JavaScript Security Deep Dive (1 lesson)

The full vulnerability catalogue: XSS family, prototype pollution, CSTI, JWTs, CSP, CORS, postMessage, workers, DOM clobbering, XS-Leaks.

9. Reading Real Applications (1 lesson)

Beautifying, source maps, webpack/Vite bundles, secret extraction, and DevTools workflows.

10. Security Automation with JavaScript (1 lesson)

Node.js, npm, HTTP requests, and browser automation for recon and analysis tools.

11. Advanced Web Security Research (1 lesson)

Browser internals, V8 and SpiderMonkey, execution and memory concepts, and attack chains.

12. Real-World Pentesting Methodology (1 lesson)

Complete workflows for SPAs, React/Angular, GraphQL, and API-heavy targets.
