All labs

Mystery lab challenge

Try solving a random lab with the title and description hidden. As you'll have no prior knowledge of the type of vulnerability that you need to find and exploit, this is great for practicing recon and analysis.

Take me to the mystery lab challenge

SQL injection

LAB

APPRENTICE SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

LAB

APPRENTICE SQL injection vulnerability allowing login bypass

LAB

PRACTITIONER SQL injection attack, querying the database type and version on Oracle

LAB

PRACTITIONER SQL injection attack, querying the database type and version on MySQL and Microsoft

LAB

PRACTITIONER SQL injection attack, listing the database contents on non-Oracle databases

LAB

PRACTITIONER SQL injection attack, listing the database contents on Oracle

LAB

PRACTITIONER SQL injection UNION attack, determining the number of columns returned by the query

LAB

PRACTITIONER SQL injection UNION attack, finding a column containing text

LAB

PRACTITIONER SQL injection UNION attack, retrieving data from other tables

LAB

PRACTITIONER SQL injection UNION attack, retrieving multiple values in a single column

LAB

PRACTITIONER Blind SQL injection with conditional responses

LAB

PRACTITIONER Blind SQL injection with conditional errors

LAB

PRACTITIONER Visible error-based SQL injection

LAB

PRACTITIONER Blind SQL injection with time delays

LAB

PRACTITIONER Blind SQL injection with time delays and information retrieval

LAB

PRACTITIONER Blind SQL injection with out-of-band interaction

LAB

PRACTITIONER Blind SQL injection with out-of-band data exfiltration

LAB

PRACTITIONER SQL injection with filter bypass via XML encoding

Cross-site scripting

LAB

APPRENTICE Reflected XSS into HTML context with nothing encoded

LAB

APPRENTICE Stored XSS into HTML context with nothing encoded

LAB

APPRENTICE DOM XSS in document.write sink using source location.search

LAB

APPRENTICE DOM XSS in innerHTML sink using source location.search

LAB

APPRENTICE DOM XSS in jQuery anchor href attribute sink using location.search source

LAB

APPRENTICE DOM XSS in jQuery selector sink using a hashchange event

LAB

APPRENTICE Reflected XSS into attribute with angle brackets HTML-encoded

LAB

APPRENTICE Stored XSS into anchor href attribute with double quotes HTML-encoded

LAB

APPRENTICE Reflected XSS into a JavaScript string with angle brackets HTML encoded

LAB

PRACTITIONER DOM XSS in document.write sink using source location.search inside a select element

LAB

PRACTITIONER DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

LAB

PRACTITIONER Reflected DOM XSS

LAB

PRACTITIONER Stored DOM XSS

LAB

PRACTITIONER Reflected XSS into HTML context with most tags and attributes blocked

LAB

PRACTITIONER Reflected XSS into HTML context with all tags blocked except custom ones

LAB

PRACTITIONER Reflected XSS with some SVG markup allowed

LAB

PRACTITIONER Reflected XSS in canonical link tag

LAB

PRACTITIONER Reflected XSS into a JavaScript string with single quote and backslash escaped

LAB

PRACTITIONER Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

LAB

PRACTITIONER Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

LAB

PRACTITIONER Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

LAB

PRACTITIONER Exploiting cross-site scripting to steal cookies

LAB

PRACTITIONER Exploiting cross-site scripting to capture passwords

LAB

PRACTITIONER Exploiting XSS to perform CSRF

LAB

EXPERT Reflected XSS with AngularJS sandbox escape without strings

LAB

EXPERT Reflected XSS with AngularJS sandbox escape and CSP

LAB

EXPERT Reflected XSS with event handlers and href attributes blocked

LAB

EXPERT Reflected XSS in a JavaScript URL with some characters blocked

LAB

EXPERT Reflected XSS protected by very strict CSP, with dangling markup attack

LAB

EXPERT Reflected XSS protected by CSP, with CSP bypass

Cross-site request forgery (CSRF)

LAB

APPRENTICE CSRF vulnerability with no defenses

LAB

PRACTITIONER CSRF where token validation depends on request method

LAB

PRACTITIONER CSRF where token validation depends on token being present

LAB

PRACTITIONER CSRF where token is not tied to user session

LAB

PRACTITIONER CSRF where token is tied to non-session cookie

LAB

PRACTITIONER CSRF where token is duplicated in cookie

LAB

PRACTITIONER SameSite Lax bypass via method override

LAB

PRACTITIONER SameSite Strict bypass via client-side redirect

LAB

PRACTITIONER SameSite Strict bypass via sibling domain

LAB

PRACTITIONER SameSite Lax bypass via cookie refresh

LAB

PRACTITIONER CSRF where Referer validation depends on header being present

LAB

PRACTITIONER CSRF with broken Referer validation

Clickjacking

LAB

APPRENTICE Basic clickjacking with CSRF token protection

LAB

APPRENTICE Clickjacking with form input data prefilled from a URL parameter

LAB

APPRENTICE Clickjacking with a frame buster script

LAB

PRACTITIONER Exploiting clickjacking vulnerability to trigger DOM-based XSS

LAB

PRACTITIONER Multistep clickjacking

DOM-based vulnerabilities

LAB

PRACTITIONER DOM XSS using web messages

LAB

PRACTITIONER DOM XSS using web messages and a JavaScript URL

LAB

PRACTITIONER DOM XSS using web messages and JSON.parse

LAB

PRACTITIONER DOM-based open redirection

LAB

PRACTITIONER DOM-based cookie manipulation

LAB

EXPERT Exploiting DOM clobbering to enable XSS

LAB

EXPERT Clobbering DOM attributes to bypass HTML filters

LAB

APPRENTICE CORS vulnerability with basic origin reflection

LAB

APPRENTICE CORS vulnerability with trusted null origin

LAB

PRACTITIONER CORS vulnerability with trusted insecure protocols

LAB

EXPERT CORS vulnerability with internal network pivot attack

XML external entity (XXE) injection

LAB

APPRENTICE Exploiting XXE using external entities to retrieve files

LAB

APPRENTICE Exploiting XXE to perform SSRF attacks

LAB

PRACTITIONER Blind XXE with out-of-band interaction

LAB

PRACTITIONER Blind XXE with out-of-band interaction via XML parameter entities

LAB

PRACTITIONER Exploiting blind XXE to exfiltrate data using a malicious external DTD

LAB

PRACTITIONER Exploiting blind XXE to retrieve data via error messages

LAB

PRACTITIONER Exploiting XInclude to retrieve files

LAB

PRACTITIONER Exploiting XXE via image file upload

LAB

EXPERT Exploiting XXE to retrieve data by repurposing a local DTD

Server-side request forgery (SSRF)

LAB

APPRENTICE Basic SSRF against the local server

LAB

APPRENTICE Basic SSRF against another back-end system

LAB

PRACTITIONER Blind SSRF with out-of-band detection

LAB

PRACTITIONER SSRF with blacklist-based input filter

LAB

PRACTITIONER SSRF with filter bypass via open redirection vulnerability

LAB

EXPERT Blind SSRF with Shellshock exploitation

LAB

EXPERT SSRF with whitelist-based input filter

HTTP request smuggling

LAB

PRACTITIONER HTTP request smuggling, confirming a CL.TE vulnerability via differential responses

LAB

PRACTITIONER HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

LAB

PRACTITIONER Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability

LAB

PRACTITIONER Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

LAB

PRACTITIONER Exploiting HTTP request smuggling to reveal front-end request rewriting

LAB

PRACTITIONER Exploiting HTTP request smuggling to capture other users' requests

LAB

PRACTITIONER Exploiting HTTP request smuggling to deliver reflected XSS

LAB

PRACTITIONER Response queue poisoning via H2.TE request smuggling

LAB

PRACTITIONER H2.CL request smuggling

LAB

PRACTITIONER HTTP/2 request smuggling via CRLF injection

LAB

PRACTITIONER HTTP/2 request splitting via CRLF injection

LAB

PRACTITIONER CL.0 request smuggling

LAB

PRACTITIONER HTTP request smuggling, basic CL.TE vulnerability

LAB

PRACTITIONER HTTP request smuggling, basic TE.CL vulnerability

LAB

PRACTITIONER HTTP request smuggling, obfuscating the TE header

LAB

EXPERT Exploiting HTTP request smuggling to perform web cache poisoning

LAB

EXPERT Exploiting HTTP request smuggling to perform web cache deception

LAB

EXPERT Bypassing access controls via HTTP/2 request tunnelling

LAB

EXPERT Web cache poisoning via HTTP/2 request tunnelling

LAB

EXPERT Client-side desync

LAB

EXPERT Server-side pause-based request smuggling

OS command injection

LAB

APPRENTICE OS command injection, simple case

LAB

PRACTITIONER Blind OS command injection with time delays

LAB

PRACTITIONER Blind OS command injection with output redirection

LAB

PRACTITIONER Blind OS command injection with out-of-band interaction

LAB

PRACTITIONER Blind OS command injection with out-of-band data exfiltration

Server-side template injection

LAB

PRACTITIONER Basic server-side template injection

LAB

PRACTITIONER Basic server-side template injection (code context)

LAB

PRACTITIONER Server-side template injection using documentation

LAB

PRACTITIONER Server-side template injection in an unknown language with a documented exploit

LAB

PRACTITIONER Server-side template injection with information disclosure via user-supplied objects

LAB

EXPERT Server-side template injection in a sandboxed environment

LAB

EXPERT Server-side template injection with a custom exploit

Path traversal

LAB

APPRENTICE File path traversal, simple case

LAB

PRACTITIONER File path traversal, traversal sequences blocked with absolute path bypass

LAB

PRACTITIONER File path traversal, traversal sequences stripped non-recursively

LAB

PRACTITIONER File path traversal, traversal sequences stripped with superfluous URL-decode

LAB

PRACTITIONER File path traversal, validation of start of path

LAB

PRACTITIONER File path traversal, validation of file extension with null byte bypass

Access control vulnerabilities

LAB

APPRENTICE Unprotected admin functionality

LAB

APPRENTICE Unprotected admin functionality with unpredictable URL

LAB

APPRENTICE User role controlled by request parameter

LAB

APPRENTICE User role can be modified in user profile

LAB

APPRENTICE User ID controlled by request parameter

LAB

APPRENTICE User ID controlled by request parameter, with unpredictable user IDs

LAB

APPRENTICE User ID controlled by request parameter with data leakage in redirect

LAB

APPRENTICE User ID controlled by request parameter with password disclosure

LAB

APPRENTICE Insecure direct object references

LAB

PRACTITIONER URL-based access control can be circumvented

LAB

PRACTITIONER Method-based access control can be circumvented

LAB

PRACTITIONER Multi-step process with no access control on one step

LAB

PRACTITIONER Referer-based access control

Authentication

LAB

APPRENTICE Username enumeration via different responses

LAB

APPRENTICE 2FA simple bypass

LAB

APPRENTICE Password reset broken logic

LAB

PRACTITIONER Username enumeration via subtly different responses

LAB

PRACTITIONER Username enumeration via response timing

LAB

PRACTITIONER Broken brute-force protection, IP block

LAB

PRACTITIONER Username enumeration via account lock

LAB

PRACTITIONER 2FA broken logic

LAB

PRACTITIONER Brute-forcing a stay-logged-in cookie

LAB

PRACTITIONER Offline password cracking

LAB

PRACTITIONER Password reset poisoning via middleware

LAB

PRACTITIONER Password brute-force via password change

LAB

EXPERT Broken brute-force protection, multiple credentials per request

LAB

EXPERT 2FA bypass using a brute-force attack

WebSockets

LAB

APPRENTICE Manipulating WebSocket messages to exploit vulnerabilities

LAB

PRACTITIONER Cross-site WebSocket hijacking

LAB

PRACTITIONER Manipulating the WebSocket handshake to exploit vulnerabilities

Web cache poisoning

LAB

PRACTITIONER Web cache poisoning with an unkeyed header

LAB

PRACTITIONER Web cache poisoning with an unkeyed cookie

LAB

PRACTITIONER Web cache poisoning with multiple headers

LAB

PRACTITIONER Targeted web cache poisoning using an unknown header

LAB

PRACTITIONER Web cache poisoning via an unkeyed query string

LAB

PRACTITIONER Web cache poisoning via an unkeyed query parameter

LAB

PRACTITIONER Parameter cloaking

LAB

PRACTITIONER Web cache poisoning via a fat GET request

LAB

PRACTITIONER URL normalization

LAB

EXPERT Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria

LAB

EXPERT Combining web cache poisoning vulnerabilities

LAB

EXPERT Cache key injection

LAB

EXPERT Internal cache poisoning

Insecure deserialization

LAB

APPRENTICE Modifying serialized objects

LAB

PRACTITIONER Modifying serialized data types

LAB

PRACTITIONER Using application functionality to exploit insecure deserialization

LAB

PRACTITIONER Arbitrary object injection in PHP

LAB

PRACTITIONER Exploiting Java deserialization with Apache Commons

LAB

PRACTITIONER Exploiting PHP deserialization with a pre-built gadget chain

LAB

PRACTITIONER Exploiting Ruby deserialization using a documented gadget chain

LAB

EXPERT Developing a custom gadget chain for Java deserialization

LAB

EXPERT Developing a custom gadget chain for PHP deserialization

LAB

EXPERT Using PHAR deserialization to deploy a custom gadget chain

Information disclosure

LAB

APPRENTICE Information disclosure in error messages

LAB

APPRENTICE Information disclosure on debug page

LAB

APPRENTICE Source code disclosure via backup files

LAB

APPRENTICE Authentication bypass via information disclosure

LAB

PRACTITIONER Information disclosure in version control history

Business logic vulnerabilities

LAB

APPRENTICE Excessive trust in client-side controls

LAB

APPRENTICE High-level logic vulnerability

LAB

APPRENTICE Inconsistent security controls

LAB

APPRENTICE Flawed enforcement of business rules

LAB

PRACTITIONER Low-level logic flaw

LAB

PRACTITIONER Inconsistent handling of exceptional input

LAB

PRACTITIONER Weak isolation on dual-use endpoint

LAB

PRACTITIONER Insufficient workflow validation

LAB

PRACTITIONER Authentication bypass via flawed state machine

LAB

PRACTITIONER Infinite money logic flaw

LAB

PRACTITIONER Authentication bypass via encryption oracle

HTTP Host header attacks

LAB

APPRENTICE Basic password reset poisoning

LAB

APPRENTICE Host header authentication bypass

LAB

PRACTITIONER Web cache poisoning via ambiguous requests

LAB

PRACTITIONER Routing-based SSRF

LAB

PRACTITIONER SSRF via flawed request parsing

LAB

PRACTITIONER Host validation bypass via connection state attack

LAB

EXPERT Password reset poisoning via dangling markup

OAuth authentication

LAB

APPRENTICE Authentication bypass via OAuth implicit flow

LAB

PRACTITIONER SSRF via OpenID dynamic client registration

LAB

PRACTITIONER Forced OAuth profile linking

LAB

PRACTITIONER OAuth account hijacking via redirect_uri

LAB

PRACTITIONER Stealing OAuth access tokens via an open redirect

LAB

EXPERT Stealing OAuth access tokens via a proxy page

File upload vulnerabilities

LAB

APPRENTICE Remote code execution via web shell upload

LAB

APPRENTICE Web shell upload via Content-Type restriction bypass

LAB

PRACTITIONER Web shell upload via path traversal

LAB

PRACTITIONER Web shell upload via extension blacklist bypass

LAB

PRACTITIONER Web shell upload via obfuscated file extension

LAB

PRACTITIONER Remote code execution via polyglot web shell upload

LAB

EXPERT Web shell upload via race condition

JWT

LAB

APPRENTICE JWT authentication bypass via unverified signature

LAB

APPRENTICE JWT authentication bypass via flawed signature verification

LAB

PRACTITIONER JWT authentication bypass via weak signing key

LAB

PRACTITIONER JWT authentication bypass via jwk header injection

LAB

PRACTITIONER JWT authentication bypass via jku header injection

LAB

PRACTITIONER JWT authentication bypass via kid header path traversal

LAB

EXPERT JWT authentication bypass via algorithm confusion

LAB

EXPERT JWT authentication bypass via algorithm confusion with no exposed key

Essential skills

LAB

PRACTITIONER Discovering vulnerabilities quickly with targeted scanning

Prototype pollution

LAB

PRACTITIONER Client-side prototype pollution via browser APIs

LAB

PRACTITIONER DOM XSS via client-side prototype pollution

LAB

PRACTITIONER DOM XSS via an alternative prototype pollution vector

LAB

PRACTITIONER Client-side prototype pollution via flawed sanitization

LAB

PRACTITIONER Client-side prototype pollution in third-party libraries

LAB

PRACTITIONER Privilege escalation via server-side prototype pollution

LAB

PRACTITIONER Detecting server-side prototype pollution without polluted property reflection

LAB

PRACTITIONER Bypassing flawed input filters for server-side prototype pollution

LAB

PRACTITIONER Remote code execution via server-side prototype pollution

LAB

EXPERT Exfiltrating sensitive data via server-side prototype pollution

GraphQL API vulnerabilities

LAB

APPRENTICE Accessing private GraphQL posts

LAB

PRACTITIONER Accidental exposure of private GraphQL fields

LAB

PRACTITIONER Finding a hidden GraphQL endpoint

LAB

PRACTITIONER Bypassing GraphQL brute force protections

LAB

PRACTITIONER Performing CSRF exploits over GraphQL

Race conditions

LAB

APPRENTICE Limit overrun race conditions

LAB

PRACTITIONER Bypassing rate limits via race conditions

LAB

PRACTITIONER Multi-endpoint race conditions

LAB

PRACTITIONER Single-endpoint race conditions

LAB

PRACTITIONER Exploiting time-sensitive vulnerabilities

LAB

EXPERT Partial construction race conditions

NoSQL injection

LAB

APPRENTICE Detecting NoSQL injection

LAB

APPRENTICE Exploiting NoSQL operator injection to bypass authentication

LAB

PRACTITIONER Exploiting NoSQL injection to extract data

LAB

PRACTITIONER Exploiting NoSQL operator injection to extract unknown fields

Want to track your progress and have a more personalized learning experience? (It's free!)