Backend Security: Injection, Authorization, and Defense in Depth
Learn backend security by tracing real attacks and defenses: SQL and NoSQL injection, server-side validation and trust boundaries, password hashing and timing-safe comparison, RBAC and ABAC authorization, SSRF and metadata-service abuse, secrets management, symmetric encryption and HMAC, brute-force protection and account enumeration defenses, dependency supply chain risk, and transport hardening with HSTS and security headers.
See the Invisible
Interactive simulators visualise what's hidden from view.
Hands-On Labs
Step through executions tick by tick. Manipulate state.
Why, Not Just What
Understand the reasoning behind every design decision.
Quizzes & Cheatsheets
Verify your understanding and keep a quick reference handy.
Get Certified
Earn a shareable certificate to prove your deep expertise.
Become the Engineer Who Supervises AI
As AI generates more code, understanding what that code does becomes more valuable, not less. Someone must verify AI output, debug failures, and make architectural decisions.
Build Your Architectural EdgeSecurity advice tells you what to add. It never shows you what each attack looks like when you don't.
Defending against attacks you've never actually seen
You add parameterized queries, bcrypt hashing, and RBAC middleware
because best practices say to. When AI generates an endpoint with a
raw query escape hatch, you're not confident it's safe. When a
colleague skips ownership verification on a resource lookup, you
can't trace the exact exploit path. You've never watched a
UNION-based injection extract rows from another table, seen an SSRF
payload reach a cloud metadata endpoint at
169.254.169.254, or traced how a timing attack leaks
hash comparison results byte by byte. Without seeing these mechanics
play out, security stays a checklist you follow on trust.
Build security intuition you can see
Interactive simulations reveal attack mechanics that no documentation, video, or AI explanation can replicate.
Watch attacks execute step by step
Step through SQL injection payloads, SSRF requests, and authorization bypasses as they happen, seeing exactly how each one manipulates your system and where each defense intercepts it.
See why each defense pattern works
Follow parameterized queries, adaptive password hashing, and HMAC verification through their internal operations so you understand what makes them effective, not just that they're recommended.
Build visual references you keep
When you encounter a raw query escape hatch or a missing ownership check during code review months later, you'll recognize the exploit path because you've already watched it play out.
What's Covered
From injection mechanics to supply chain defenses, this Deep Dive covers the attack patterns and defense strategies backend engineers encounter in production.
Trace how raw user input becomes executable query syntax and apply parameterized queries, type validation, and server-side allowlisting to stop it at the trust boundary.
Store passwords with adaptive algorithms like bcrypt and Argon2id, manage runtime secrets through encrypted stores with automatic rotation, and close exposure paths from git history to crash dumps.
Implement RBAC and ABAC models, identify BOLA/IDOR and broken function-level authorization vulnerabilities, and enforce permissions at the routing layer before controller execution.
Recognize SSRF exploits, brute force attempts, credential stuffing, and account enumeration vectors, then apply rate limiting, URL allowlisting, and constant-time response patterns to neutralize them.
Choose the right primitive for each job: AES-256-GCM for confidentiality, HMAC for integrity and authenticity verification, and cryptographically secure random generators for tokens and keys.
Audit dependency trees for transitive vulnerabilities,
defend against typosquatting and dependency confusion
attacks, and configure security headers like HSTS, CSP
frame-ancestors, and Permissions-Policy.
The Curriculum
Comprehensive Lessons! Each with theory, interactive simulation, and quiz.
Injection Attacks: Query Manipulation and Parameterized Defenses
How user input inserted into database queries via raw
string concatenation becomes executable syntax. SQL
injection mechanics: tautology-based authentication
bypass with OR 1=1, UNION-based data
extraction from other tables, and stacked queries for
destructive operations like DROP TABLE.
Blind SQL injection through boolean-based inference and
time-based delay measurement. Second-order injection
where safely stored input becomes dangerous when used in
a subsequent query without re-sanitization. NoSQL
operator injection using MongoDB query operators
($ne, $gt,
$regex) to alter query logic. Parameterized
queries (prepared statements) as the primary defense:
bind variables transmitted separately from query
structure. ORM parameterization and the injection risks
reintroduced by raw query escape hatches.
Input Validation and Server-Side Trust Boundaries
The server as the only enforceable trust boundary:
client-side validation is bypassable via HTTP clients
and browser dev tools. Validation (rejecting
non-conforming input by format, type, length, range)
versus sanitization (transforming input to escape
dangerous characters). Allowlisting versus denylisting
and why denylists remain incomplete against evolving
payloads. Type coercion vulnerabilities where silent
string-to-number conversions enable comparison bypasses
in loosely-typed languages. Mass assignment: framework
auto-binding of request fields to model attributes,
allowing unauthorized manipulation like
role=admin, defended by explicit
allowlisting, DTOs, or fillable/guarded declarations.
Insecure deserialization with formats like Python
Pickle, PHP unserialize, and Java
ObjectInputStream that reconstruct
arbitrary objects and can trigger code execution. Schema
validation placement in the request lifecycle before
business logic execution.
Password Storage: Hashing, Salting, and Adaptive Algorithms
Why plaintext and reversible encryption storage means immediate full exposure on database compromise. Fast hashing algorithms (MD5, SHA-256) and their vulnerability to brute-force and rainbow table attacks using precomputed hash-to-password lookup tables. Per-user random salts that invalidate precomputed tables by requiring separate brute-force per user. Adaptive hashing algorithms designed for password storage: bcrypt (configurable cost factor), scrypt (memory-hard, GPU/ASIC resistant), and Argon2id (configurable time, memory, and parallelism). Work factor tuning as hardware improves. Timing-safe comparison functions that prevent character-by-character information leakage through response time differences. Credential breach detection via the Have I Been Pwned API k-anonymity model.
Authorization Models: RBAC, ABAC, and Broken Access Control
Authentication versus authorization: identity verification versus permission enforcement. Role-Based Access Control (RBAC) with user-to-role assignment, role-to-permission mapping, and permission inheritance in role hierarchies. Attribute-Based Access Control (ABAC) evaluating user, resource, action, and environment attributes for fine-grained policies beyond what RBAC can express. Broken Object Level Authorization (BOLA/IDOR): horizontal privilege escalation via sequential or guessable resource identifiers without server-side ownership verification. Broken Function Level Authorization: admin endpoints exposed because access control relies on UI-level hiding instead of server-side role checks. Middleware-based authorization enforcement at the routing layer before controller execution.
Server-Side Request Forgery (SSRF)
Backend features that fetch user-supplied URLs (webhook
receivers, PDF generators, image proxies, URL importers)
turned into attack vectors when an attacker replaces the
expected external URL with an internal one. Cloud
instance metadata exploitation: accessing the
AWS/GCP/Azure metadata service at
169.254.169.254 for IAM credential and API
token extraction. Internal service probing via the
server as a network proxy. URL parsing inconsistencies
between validation logic and the HTTP client: scheme
confusion (file://,
gopher://), IP address encoding variants
(decimal, octal, hex representations of
127.0.0.1), and DNS rebinding attacks.
Defenses: URL allowlisting, RFC 1918 private IP range
blocking, link-local address blocking, HTTP redirect
disabling, and network-level segmentation.
Secrets Management and Credential Lifecycle
Runtime credentials your application needs: database
passwords, API keys, signing secrets, cloud provider
tokens. Common exposure patterns: hardcoded secrets in
source code, plaintext .env files committed
to version control, unencrypted environment variables.
The full exposure surface including git history
persistence (even after deletion from the working tree),
CI/CD build logs, container inspection output, and crash
dumps. Least privilege applied to credentials: narrow
scope and shortest possible lifetime per service.
Secrets managers as centralized, encrypted stores with
runtime API retrieval. Dynamic secrets with short-lived,
single-use credentials and automatic revocation. Secret
rotation with overlapping validity windows for
zero-downtime updates. Audit logging of secret access by
identity and timestamp.
Cryptographic Primitives for Backend Engineers
Encryption (reversible transformation for
confidentiality) versus hashing (one-way transformation
for integrity verification). AES-256-GCM symmetric
encryption: single shared key, GCM mode providing both
confidentiality and authentication (tamper detection),
and nonce/IV uniqueness requirements. Use cases for data
at rest, file storage, and inter-service payloads.
Secure random number generation: why language-level
PRNGs like Math.random are predictable
versus cryptographically secure alternatives
(crypto.randomBytes,
/dev/urandom, Python's
secrets module). HMAC for data integrity
and sender authenticity: the mechanism behind webhook
signatures, signed URLs, and tamper-proof tokens. Why
custom cryptographic implementations fail versus vetted
library usage.
Rate Limiting, Brute Force Protection, and Account Enumeration
Rate limiting algorithms for authentication and sensitive endpoints: token bucket, sliding window, and fixed window counters with boundary-burst susceptibility. HTTP 429 Too Many Requests response and Retry-After header mechanics. Brute force attacks versus automated credential stuffing from leaked databases. Account lockout after failed attempts with progressive duration, and the denial-of-service risk of intentional lockout by attackers. Account enumeration via distinct error messages, response time discrepancies from skipped password hashing on nonexistent users, and registration/password-reset flows confirming email existence. Constant-time response patterns that behave identically regardless of whether an account exists.
Dependency Vulnerabilities and Supply Chain Attacks
Modern backends importing dozens of packages, each with
its own dependency tree of hundreds. A vulnerability
anywhere in that tree is exploitable through your
application. Semantic versioning mechanics: version
ranges allowing automatic upgrades versus lockfiles
(package-lock.json,
composer.lock) pinning exact versions.
Development versus production dependency separation.
Automated vulnerability scanning with
npm audit, composer audit,
Dependabot, and Renovate against CVE, NVD, and GitHub
Advisory databases. Supply chain attack vectors:
typosquatting, compromised maintainer accounts,
malicious postinstall/lifecycle scripts, and dependency
confusion exploiting private-to-public registry
fallback. Mitigation through lockfile integrity
verification in CI, scoped registries, and exact version
pinning.
Security Headers and Transport Hardening
HTTP response headers set by the backend that activate
security behaviors in the browser. HSTS: forced HTTPS
with max-age,
includeSubDomains, and preload list
mechanics for protocol downgrade prevention.
X-Content-Type-Options: nosniff preventing
browser MIME-sniffing away from declared Content-Type.
Clickjacking defense:
X-Frame-Options (DENY, SAMEORIGIN) and its
modern replacement, CSP frame-ancestors.
Referrer-Policy for controlling URL
information leakage in the Referer header.
Permissions-Policy for restricting browser
features (camera, microphone, geolocation, payment) on
pages and embedded iframes.
Backend security grounded in how every attack actually works
Every defense you implement, from parameterized queries to RBAC middleware to HSTS headers, is now backed by a visual model of the attack it prevents. You'll write more secure code, catch vulnerabilities during review, and confidently evaluate AI-generated security patterns because you've watched what happens when they fail.
Ready to see what's really happening?
All deep dives included with your subscription. Cancel anytime.