Research Academy Daily Swig
My account Customers About Blog Careers Legal Contact Resellers
  1. Web Security Academy
  2. All labs

All labs

SQL injection

LAB SQL injection UNION attack, determining the number of columns returned by the query
LAB SQL injection UNION attack, finding a column containing text
LAB SQL injection UNION attack, retrieving data from other tables
LAB SQL injection UNION attack, retrieving multiple values in a single column
LAB SQL injection attack, querying the database type and version on Oracle
LAB SQL injection attack, querying the database type and version on MySQL and Microsoft
LAB SQL injection attack, listing the database contents on non-Oracle databases
LAB SQL injection attack, listing the database contents on Oracle
LAB Blind SQL injection with conditional responses
LAB Blind SQL injection with conditional errors
LAB Blind SQL injection with time delays
LAB Blind SQL injection with time delays and information retrieval
LAB Blind SQL injection with out-of-band interaction
LAB Blind SQL injection with out-of-band data exfiltration
LAB SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
LAB SQL injection vulnerability allowing login bypass

Cross-site scripting

LAB Reflected XSS into HTML context with nothing encoded
LAB Stored XSS into HTML context with nothing encoded
LAB DOM XSS in document.write sink using source location.search
LAB DOM XSS in document.write sink using source location.search inside a select element
LAB DOM XSS in innerHTML sink using source location.search
LAB DOM XSS in jQuery anchor href attribute sink using location.search source
LAB DOM XSS in jQuery selector sink using a hashchange event
LAB DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
LAB Reflected DOM XSS
LAB Stored DOM XSS
LAB Exploiting cross-site scripting to steal cookies
LAB Exploiting cross-site scripting to capture passwords
LAB Exploiting XSS to perform CSRF
LAB Reflected XSS into HTML context with most tags and attributes blocked
LAB Reflected XSS into HTML context with all tags blocked except custom ones
LAB Reflected XSS with event handlers and href attributes blocked
LAB Reflected XSS with some SVG markup allowed
LAB Reflected XSS into attribute with angle brackets HTML-encoded
LAB Stored XSS into anchor href attribute with double quotes HTML-encoded
LAB Reflected XSS in canonical link tag
LAB Reflected XSS into a JavaScript string with single quote and backslash escaped
LAB Reflected XSS into a JavaScript string with angle brackets HTML encoded
LAB Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
LAB Reflected XSS in a JavaScript URL with some characters blocked
LAB Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
LAB Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
LAB Reflected XSS with AngularJS sandbox escape without strings
LAB Reflected XSS with AngularJS sandbox escape and CSP
LAB Reflected XSS protected by CSP, with dangling markup attack
LAB Reflected XSS protected by very strict CSP, with dangling markup attack
LAB Reflected XSS protected by CSP, with CSP bypass

Cross-site request forgery (CSRF)

LAB CSRF vulnerability with no defenses
LAB CSRF where token validation depends on request method
LAB CSRF where token validation depends on token being present
LAB CSRF where token is not tied to user session
LAB CSRF where token is tied to non-session cookie
LAB CSRF where token is duplicated in cookie
LAB CSRF where Referer validation depends on header being present
LAB CSRF with broken Referer validation

Clickjacking

LAB Basic clickjacking with CSRF token protection
LAB Clickjacking with form input data prefilled from a URL parameter
LAB Clickjacking with a frame buster script
LAB Exploiting clickjacking vulnerability to trigger DOM-based XSS
LAB Multistep clickjacking

DOM-based vulnerabilities

LAB DOM XSS using web messages
LAB DOM XSS using web messages and a JavaScript URL
LAB DOM XSS using web messages and JSON.parse
LAB DOM-based open redirection
LAB DOM-based cookie manipulation
LAB Exploiting DOM clobbering to enable XSS
LAB Clobbering DOM attributes to bypass HTML filters

Cross-origin resource sharing (CORS)

LAB CORS vulnerability with basic origin reflection
LAB CORS vulnerability with trusted null origin
LAB CORS vulnerability with trusted insecure protocols
LAB CORS vulnerability with internal network pivot attack

XML external entity (XXE) injection

LAB Exploiting XXE using external entities to retrieve files
LAB Exploiting XXE to perform SSRF attacks
LAB Blind XXE with out-of-band interaction
LAB Blind XXE with out-of-band interaction via XML parameter entities
LAB Exploiting blind XXE to exfiltrate data using a malicious external DTD
LAB Exploiting blind XXE to retrieve data via error messages
LAB Exploiting XXE to retrieve data by repurposing a local DTD
LAB Exploiting XInclude to retrieve files
LAB Exploiting XXE via image file upload

Server-side request forgery (SSRF)

LAB Basic SSRF against the local server
LAB Basic SSRF against another back-end system
LAB SSRF with blacklist-based input filter
LAB SSRF with whitelist-based input filter
LAB SSRF with filter bypass via open redirection vulnerability
LAB Blind SSRF with out-of-band detection
LAB Blind SSRF with Shellshock exploitation

HTTP request smuggling

LAB HTTP request smuggling, basic CL.TE vulnerability
LAB HTTP request smuggling, basic TE.CL vulnerability
LAB HTTP request smuggling, obfuscating the TE header
LAB HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
LAB HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
LAB Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
LAB Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
LAB Exploiting HTTP request smuggling to reveal front-end request rewriting
LAB Exploiting HTTP request smuggling to capture other users' requests
LAB Exploiting HTTP request smuggling to deliver reflected XSS
LAB Exploiting HTTP request smuggling to perform web cache poisoning
LAB Exploiting HTTP request smuggling to perform web cache deception
LAB Response queue poisoning via H2.TE request smuggling
LAB Bypassing access controls via HTTP/2 request tunnelling
LAB Web cache poisoning via HTTP/2 request tunnelling
LAB H2.CL request smuggling
LAB HTTP/2 request smuggling via CRLF injection
LAB HTTP/2 request splitting via CRLF injection

OS command injection

LAB OS command injection, simple case
LAB Blind OS command injection with time delays
LAB Blind OS command injection with output redirection
LAB Blind OS command injection with out-of-band interaction
LAB Blind OS command injection with out-of-band data exfiltration

Server-side template injection

LAB Basic server-side template injection
LAB Basic server-side template injection (code context)
LAB Server-side template injection using documentation
LAB Server-side template injection in an unknown language with a documented exploit
LAB Server-side template injection with information disclosure via user-supplied objects
LAB Server-side template injection in a sandboxed environment
LAB Server-side template injection with a custom exploit

Directory traversal

LAB File path traversal, simple case
LAB File path traversal, traversal sequences blocked with absolute path bypass
LAB File path traversal, traversal sequences stripped non-recursively
LAB File path traversal, traversal sequences stripped with superfluous URL-decode
LAB File path traversal, validation of start of path
LAB File path traversal, validation of file extension with null byte bypass

Access control vulnerabilities

LAB Unprotected admin functionality
LAB Unprotected admin functionality with unpredictable URL
LAB User role controlled by request parameter
LAB User role can be modified in user profile
LAB URL-based access control can be circumvented
LAB Method-based access control can be circumvented
LAB User ID controlled by request parameter
LAB User ID controlled by request parameter, with unpredictable user IDs
LAB User ID controlled by request parameter with data leakage in redirect
LAB User ID controlled by request parameter with password disclosure
LAB Insecure direct object references
LAB Multi-step process with no access control on one step
LAB Referer-based access control

Authentication

LAB Username enumeration via different responses
LAB Username enumeration via subtly different responses
LAB Username enumeration via response timing
LAB Broken brute-force protection, IP block
LAB Username enumeration via account lock
LAB Broken brute-force protection, multiple credentials per request
LAB 2FA simple bypass
LAB 2FA broken logic
LAB 2FA bypass using a brute-force attack
LAB Brute-forcing a stay-logged-in cookie
LAB Offline password cracking
LAB Password reset broken logic
LAB Password reset poisoning via middleware
LAB Password brute-force via password change

WebSockets

LAB Manipulating WebSocket messages to exploit vulnerabilities
LAB Manipulating the WebSocket handshake to exploit vulnerabilities
LAB Cross-site WebSocket hijacking

Web cache poisoning

LAB Web cache poisoning with an unkeyed header
LAB Web cache poisoning with an unkeyed cookie
LAB Web cache poisoning with multiple headers
LAB Targeted web cache poisoning using an unknown header
LAB Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
LAB Combining web cache poisoning vulnerabilities
LAB Web cache poisoning via an unkeyed query string
LAB Web cache poisoning via an unkeyed query parameter
LAB Parameter cloaking
LAB Web cache poisoning via a fat GET request
LAB URL normalization
LAB Cache key injection
LAB Internal cache poisoning

Insecure deserialization

LAB Modifying serialized objects
LAB Modifying serialized data types
LAB Using application functionality to exploit insecure deserialization
LAB Arbitrary object injection in PHP
LAB Exploiting Java deserialization with Apache Commons
LAB Exploiting PHP deserialization with a pre-built gadget chain
LAB Exploiting Ruby deserialization using a documented gadget chain
LAB Developing a custom gadget chain for Java deserialization
LAB Developing a custom gadget chain for PHP deserialization
LAB Using PHAR deserialization to deploy a custom gadget chain

Information disclosure

LAB Information disclosure in error messages
LAB Information disclosure on debug page
LAB Source code disclosure via backup files
LAB Authentication bypass via information disclosure
LAB Information disclosure in version control history

Business logic vulnerabilities

LAB Excessive trust in client-side controls
LAB High-level logic vulnerability
LAB Low-level logic flaw
LAB Inconsistent handling of exceptional input
LAB Inconsistent security controls
LAB Weak isolation on dual-use endpoint
LAB Insufficient workflow validation
LAB Authentication bypass via flawed state machine
LAB Flawed enforcement of business rules
LAB Infinite money logic flaw
LAB Authentication bypass via encryption oracle

HTTP Host header attacks

LAB Basic password reset poisoning
LAB Password reset poisoning via dangling markup
LAB Web cache poisoning via ambiguous requests
LAB Host header authentication bypass
LAB Routing-based SSRF
LAB SSRF via flawed request parsing

OAuth authentication

LAB Authentication bypass via OAuth implicit flow
LAB Forced OAuth profile linking
LAB OAuth account hijacking via redirect_uri
LAB Stealing OAuth access tokens via an open redirect
LAB Stealing OAuth access tokens via a proxy page
LAB SSRF via OpenID dynamic client registration

File upload vulnerabilities

LAB Remote code execution via web shell upload
LAB Web shell upload via Content-Type restriction bypass
LAB Web shell upload via path traversal
LAB Web shell upload via extension blacklist bypass
LAB Web shell upload via obfuscated file extension
LAB Remote code execution via polyglot web shell upload
LAB Web shell upload via race condition