All labs
Mystery lab challenge
Try solving a random lab with the title and description hidden. As you'll have no prior knowledge of the type of vulnerability that you need to find and exploit, this is great for practicing recon and analysis.
SQL injection
  [PRACTITIONER] Blind SQL injection with conditional responses
  [PRACTITIONER] Blind SQL injection with conditional errors
  [PRACTITIONER] Visible error-based SQL injection
  [PRACTITIONER] Blind SQL injection with time delays
  [PRACTITIONER] Blind SQL injection with out-of-band interaction
  [PRACTITIONER] SQL injection with filter bypass via XML encoding

Cross-site scripting
  [PRACTITIONER] Reflected DOM XSS
  [PRACTITIONER] Stored DOM XSS
  [PRACTITIONER] Reflected XSS with some SVG markup allowed
  [PRACTITIONER] Reflected XSS in canonical link tag
  [PRACTITIONER] Exploiting cross-site scripting to steal cookies
  [PRACTITIONER] Exploiting cross-site scripting to capture passwords
  [PRACTITIONER] Exploiting XSS to perform CSRF

Cross-site request forgery (CSRF)
  [APPRENTICE] CSRF vulnerability with no defenses
  [PRACTITIONER] CSRF where token is not tied to user session
  [PRACTITIONER] CSRF where token is tied to non-session cookie
  [PRACTITIONER] CSRF where token is duplicated in cookie
  [PRACTITIONER] SameSite Lax bypass via method override
  [PRACTITIONER] SameSite Strict bypass via client-side redirect
  [PRACTITIONER] SameSite Strict bypass via sibling domain
  [PRACTITIONER] SameSite Lax bypass via cookie refresh
  [PRACTITIONER] CSRF with broken Referer validation

Clickjacking
  [APPRENTICE] Clickjacking with a frame buster script
  [PRACTITIONER] Multistep clickjacking

DOM-based vulnerabilities
  [PRACTITIONER] DOM XSS using web messages
  [PRACTITIONER] DOM XSS using web messages and a JavaScript URL
  [PRACTITIONER] DOM XSS using web messages and JSON.parse
  [PRACTITIONER] DOM-based open redirection
  [PRACTITIONER] DOM-based cookie manipulation

Cross-origin resource sharing (CORS)
  [APPRENTICE] CORS vulnerability with trusted null origin
  [PRACTITIONER] CORS vulnerability with trusted insecure protocols

XML external entity (XXE) injection
  [APPRENTICE] Exploiting XXE to perform SSRF attacks
  [PRACTITIONER] Blind XXE with out-of-band interaction
  [PRACTITIONER] Exploiting XInclude to retrieve files
  [PRACTITIONER] Exploiting XXE via image file upload

Server-side request forgery (SSRF)
  [APPRENTICE] Basic SSRF against the local server
  [APPRENTICE] Basic SSRF against another back-end system
  [PRACTITIONER] Blind SSRF with out-of-band detection
  [PRACTITIONER] SSRF with blacklist-based input filter

HTTP request smuggling
  [PRACTITIONER] Response queue poisoning via H2.TE request smuggling
  [PRACTITIONER] H2.CL request smuggling
  [PRACTITIONER] HTTP/2 request smuggling via CRLF injection
  [PRACTITIONER] HTTP/2 request splitting via CRLF injection
  [PRACTITIONER] CL.0 request smuggling
  [PRACTITIONER] HTTP request smuggling, basic CL.TE vulnerability
  [PRACTITIONER] HTTP request smuggling, basic TE.CL vulnerability
  [PRACTITIONER] HTTP request smuggling, obfuscating the TE header
  [EXPERT] Client-side desync

OS command injection
  [APPRENTICE] OS command injection, simple case
  [PRACTITIONER] Blind OS command injection with time delays
  [PRACTITIONER] Blind OS command injection with output redirection

Server-side template injection
  [PRACTITIONER] Basic server-side template injection
  [PRACTITIONER] Basic server-side template injection (code context)
  [PRACTITIONER] Server-side template injection using documentation

Path traversal
  [APPRENTICE] File path traversal, simple case
  [PRACTITIONER] File path traversal, validation of start of path

Access control vulnerabilities
  [APPRENTICE] Unprotected admin functionality
  [APPRENTICE] User role controlled by request parameter
  [APPRENTICE] User role can be modified in user profile
  [APPRENTICE] User ID controlled by request parameter
  [APPRENTICE] Insecure direct object references
  [PRACTITIONER] URL-based access control can be circumvented
  [PRACTITIONER] Method-based access control can be circumvented
  [PRACTITIONER] Referer-based access control

Authentication
  [APPRENTICE] Username enumeration via different responses
  [APPRENTICE] 2FA simple bypass
  [APPRENTICE] Password reset broken logic
  [PRACTITIONER] Username enumeration via subtly different responses
  [PRACTITIONER] Username enumeration via response timing
  [PRACTITIONER] Broken brute-force protection, IP block
  [PRACTITIONER] Username enumeration via account lock
  [PRACTITIONER] 2FA broken logic
  [PRACTITIONER] Brute-forcing a stay-logged-in cookie
  [PRACTITIONER] Offline password cracking
  [PRACTITIONER] Password reset poisoning via middleware
  [PRACTITIONER] Password brute-force via password change

WebSockets
  [PRACTITIONER] Cross-site WebSocket hijacking

Web cache poisoning
  [PRACTITIONER] Web cache poisoning with an unkeyed header
  [PRACTITIONER] Web cache poisoning with an unkeyed cookie
  [PRACTITIONER] Web cache poisoning with multiple headers
  [PRACTITIONER] Targeted web cache poisoning using an unknown header
  [PRACTITIONER] Web cache poisoning via an unkeyed query string
  [PRACTITIONER] Web cache poisoning via an unkeyed query parameter
  [PRACTITIONER] Parameter cloaking
  [PRACTITIONER] Web cache poisoning via a fat GET request
  [PRACTITIONER] URL normalization
  [EXPERT] Cache key injection
  [EXPERT] Internal cache poisoning

Insecure deserialization
  [APPRENTICE] Modifying serialized objects
  [PRACTITIONER] Modifying serialized data types
  [PRACTITIONER] Arbitrary object injection in PHP
  [PRACTITIONER] Exploiting Java deserialization with Apache Commons

Information disclosure
  [APPRENTICE] Information disclosure in error messages
  [APPRENTICE] Information disclosure on debug page
  [APPRENTICE] Source code disclosure via backup files
  [PRACTITIONER] Information disclosure in version control history

Business logic vulnerabilities
  [APPRENTICE] Excessive trust in client-side controls
  [APPRENTICE] High-level logic vulnerability
  [APPRENTICE] Inconsistent security controls
  [APPRENTICE] Flawed enforcement of business rules
  [PRACTITIONER] Low-level logic flaw
  [PRACTITIONER] Inconsistent handling of exceptional input
  [PRACTITIONER] Weak isolation on dual-use endpoint
  [PRACTITIONER] Insufficient workflow validation
  [PRACTITIONER] Authentication bypass via flawed state machine
  [PRACTITIONER] Infinite money logic flaw
  [PRACTITIONER] Authentication bypass via encryption oracle

HTTP Host header attacks
  [APPRENTICE] Basic password reset poisoning
  [APPRENTICE] Host header authentication bypass
  [PRACTITIONER] Web cache poisoning via ambiguous requests
  [PRACTITIONER] Routing-based SSRF
  [PRACTITIONER] SSRF via flawed request parsing
  [PRACTITIONER] Host validation bypass via connection state attack

OAuth authentication
  [PRACTITIONER] SSRF via OpenID dynamic client registration
  [PRACTITIONER] Forced OAuth profile linking
  [PRACTITIONER] OAuth account hijacking via redirect_uri
  [PRACTITIONER] Stealing OAuth access tokens via an open redirect

File upload vulnerabilities
  [APPRENTICE] Remote code execution via web shell upload
  [PRACTITIONER] Web shell upload via path traversal
  [PRACTITIONER] Web shell upload via extension blacklist bypass
  [PRACTITIONER] Web shell upload via obfuscated file extension
  [PRACTITIONER] Remote code execution via polyglot web shell upload

JWT
  [PRACTITIONER] JWT authentication bypass via weak signing key
  [PRACTITIONER] JWT authentication bypass via jwk header injection
  [PRACTITIONER] JWT authentication bypass via jku header injection

Essential skills
  [PRACTITIONER] Scanning non-standard data structures

Prototype pollution
  [PRACTITIONER] Client-side prototype pollution via browser APIs
  [PRACTITIONER] DOM XSS via client-side prototype pollution

GraphQL API vulnerabilities
  [APPRENTICE] Accessing private GraphQL posts
  [PRACTITIONER] Accidental exposure of private GraphQL fields
  [PRACTITIONER] Finding a hidden GraphQL endpoint
  [PRACTITIONER] Bypassing GraphQL brute force protections
  [PRACTITIONER] Performing CSRF exploits over GraphQL

Race conditions
  [APPRENTICE] Limit overrun race conditions
  [PRACTITIONER] Bypassing rate limits via race conditions
  [PRACTITIONER] Multi-endpoint race conditions
  [PRACTITIONER] Single-endpoint race conditions
  [PRACTITIONER] Exploiting time-sensitive vulnerabilities

NoSQL injection
  [APPRENTICE] Detecting NoSQL injection
  [PRACTITIONER] Exploiting NoSQL injection to extract data

API testing
  [PRACTITIONER] Finding and exploiting an unused API endpoint
  [PRACTITIONER] Exploiting a mass assignment vulnerability

Web LLM attacks
  [APPRENTICE] Exploiting LLM APIs with excessive agency
  [PRACTITIONER] Exploiting vulnerabilities in LLM APIs
  [PRACTITIONER] Indirect prompt injection