Guided web security tutorials from aspect, built for beginners, IT teams, developers, and small businesses that want to understand how web application testing works.
These tutorials are for educational and authorized security testing only. Do not scan, attack, fuzz, exploit, or attempt to access systems without explicit permission. All Aspect tutorials teach safe workflows using authorized targets and intentionally vulnerable labs.
New to Burp Suite? Start here.
Start here if you are new to Burp Suite. This beginner-friendly walkthrough explains how Burp helps inspect web traffic in a safe, authorized environment.
Choose a track based on your background and goals. All tracks use authorized targets and safe, legal practice environments.
Start with the basics: what Burp Suite does, how to use Burp's browser, and how to intercept your first HTTP request.
Learn practical testing workflows for common web application security concepts using authorized training environments.
Learn how to turn testing activity into clean, useful, client-ready findings that communicate risk clearly.
Understand how web security issues become real business risk for small and medium-sized businesses.
Individual video tutorials. Each lesson covers one concept using safe, authorized practice targets and is designed to be completed in under 20 minutes.
Learn how Burp sits between your browser and a web application so you can inspect HTTP requests and responses.
Learn how to resend, modify, and compare HTTP requests while testing safely on authorized targets.
Learn what session cookies are, why they matter for web security, and how Burp helps inspect them.
Learn how insecure direct object reference issues happen using safe, authorized examples in training labs.
Learn how reflected input works and why output encoding matters. Demonstrated in intentionally vulnerable labs only.
Learn how to document evidence, impact, reproduction steps, and remediation in a format that communicates real risk.
Only test systems you own, have explicit permission to test, or intentionally vulnerable training labs. The resources below are designed for safe, legal practice.
Free web security learning materials and interactive labs from PortSwigger, the makers of Burp Suite. The gold standard for web security practice.
An intentionally vulnerable web application for safe security training. Run it locally to practice Burp Suite workflows without legal risk.
A deliberately insecure training application from OWASP for learning common web vulnerabilities in a safe, controlled environment.
Finding a vulnerability is only part of security testing. A useful finding explains what happened, why it matters, how to reproduce it, and how to fix it. Clear documentation is what makes a test result actionable for the people who need to respond.
Once you find something worth reporting, you need a place to write it up properly. XPLT is a report writing tool built for bug bounty hunters, pentesters, and security researchers who want clean, structured documentation without the friction.
Generate professional, client-ready reports from your findings. Export clean PDFs ready to submit to programs or share with stakeholders.
Attach screenshots and request/response pairs directly to findings. Keep your evidence organized and tied to the right vulnerability.
Handles both bug bounty writeups and full pentest engagements. Integrates with BBP platforms, CTF systems, and Burp Suite Community & Pro.
Aspect helps small and medium-sized businesses understand and reduce web application risk through practical cybersecurity services, testing, reporting, and remediation guidance.
Aspect plans to expand this hub with a dedicated hosted lab environment at lab.aspect2020.com. For now, this learning hub focuses on videos, written walkthroughs, and safe external practice resources. The sandbox phase will be announced when it is ready.
