WXJ

WXJ (Web eXploitation Junior) is the foundational SixHack Academy course to learn web security auditing from scratch. The goal is for you to understand how a web application works behind the scenes, learn how to interpret HTTP and HTTPS traffic, and be able to identify common vulnerabilities, validate them with a reproducible proof, and document them professionally.

Throughout the course we’ll follow a practical, structured way of working. You’ll learn how to map an application, identify inputs, flows, and sensitive areas, and then form hypotheses and confirm them with clear evidence. The main tool will be Burp Suite Community Edition, which you’ll use to intercept, replay, and modify requests in a controlled way.

Who is WXJ for?

WXJ is designed for people who want to get started in ethical hacking and web security with no prior experience. It’s also a great fit if you’re a student or early-career professional looking for a strong foundation and a real audit methodology. And if you come from a development background, it will help you understand why web issues happen, how they’re verified, and how they’re fixed with solid reasoning.

What you’ll learn

We’ll start with the fundamentals that are actually used when auditing web apps. You’ll cover networks and the Internet from an auditor’s perspective: IP, ports, DNS, TCP and UDP, and the role of proxies when analyzing an application.

Then we’ll dive into HTTP and HTTPS in a hands-on way: routes, parameters, sessions, cookies, authentication, CORS, TLS, and the details that often make the difference when something “feels off” but you’re not sure where to look yet.

You’ll work with manual auditing tools the way they’re used in the real world. Burp Suite will be at the center of your workflow, supported by browser DevTools, curl, and small helper utilities to move faster without losing control or rigor.

You’ll also learn how to think like an auditor: where to look first, how to prioritize, what signals truly matter, and how to avoid “gut feeling” conclusions when there’s no proof yet.

Vulnerabilities you’ll learn to find and validate

Over the course, you’ll learn to identify and validate common cases such as information exposure and insecure configurations, parameter tampering, authentication weaknesses, and business logic issues. You’ll go deep into access control and scenarios involving IDOR or broken authorization. You’ll cover session management and client-side vulnerabilities like XSS, CSRF, and frequent CORS misconfigurations. You’ll also practice high-impact issues like SQL Injection, Path Traversal and LFI, insecure file uploads, as well as XXE, SSRF, SSTI, Command Injection, and Open Redirect.

Turning technical work into a professional report

It’s not just about finding issues—it’s about explaining them properly. You’ll learn how to capture reproducible evidence with request/response pairs, describe impact and risk clearly for both technical and non-technical audiences, and prioritize findings with realistic, verifiable recommendations.

What you’ll take away by the end

You’ll finish with the ability to approach a new application, understand it, test it methodically, and document results as you would in a real audit. You’ll build the habit of working with organized evidence, reproducible steps, and defensible conclusions. And you’ll have a solid base to move into intermediate and advanced web security topics with good judgment—not just by following checklists.

Ethics and responsible use

WXJ is taught strictly for educational purposes. The techniques you learn must be applied only in labs, on systems you own, or on systems where you have explicit permission. The goal is to learn how to audit and improve security—not to cause harm or access information without authorization.