1. Web Security Academy
  2. All labs

All labs

Mystery lab challenge

Try solving a random lab with the title and description hidden. As you'll have no prior knowledge of the type of vulnerability that you need to find and exploit, this is great for practicing recon and analysis before taking your Burp Suite Certified Practitioner exam.

In some of the labs, you have access to your own account with the credentials wiener:peter. If you can enumerate usernames, you may also be able to brute-force the login using the following username and password lists.



SQL injection

Cross-site scripting

Cross-site request forgery (CSRF)


DOM-based vulnerabilities

Cross-origin resource sharing (CORS)

XML external entity (XXE) injection

Server-side request forgery (SSRF)

HTTP request smuggling

OS command injection

Server-side template injection

Directory traversal

Access control vulnerabilities



Web cache poisoning

Insecure deserialization

Information disclosure

Business logic vulnerabilities

HTTP Host header attacks

OAuth authentication

File upload vulnerabilities