Research Academy
My account Customers About Blog Careers Legal Contact Resellers
  1. Web Security Academy
  2. All labs

All labs

Mystery lab challenge

Try solving a random lab with the title and description hidden. As you'll have no prior knowledge of the type of vulnerability that you need to find and exploit, this is great for practicing recon and analysis.

Take me to the mystery lab challenge

SQL injection

LAB
APPRENTICE SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
LAB
APPRENTICE SQL injection vulnerability allowing login bypass
LAB
PRACTITIONER SQL injection UNION attack, determining the number of columns returned by the query
LAB
PRACTITIONER SQL injection UNION attack, finding a column containing text
LAB
PRACTITIONER SQL injection UNION attack, retrieving data from other tables
LAB
PRACTITIONER SQL injection UNION attack, retrieving multiple values in a single column
LAB
PRACTITIONER SQL injection attack, querying the database type and version on Oracle
LAB
PRACTITIONER SQL injection attack, querying the database type and version on MySQL and Microsoft
LAB
PRACTITIONER SQL injection attack, listing the database contents on non-Oracle databases
LAB
PRACTITIONER SQL injection attack, listing the database contents on Oracle
LAB
PRACTITIONER Blind SQL injection with conditional responses
LAB
PRACTITIONER Blind SQL injection with conditional errors
LAB
PRACTITIONER Visible error-based SQL injection
LAB
PRACTITIONER Blind SQL injection with time delays
LAB
PRACTITIONER Blind SQL injection with time delays and information retrieval
LAB
PRACTITIONER Blind SQL injection with out-of-band interaction
LAB
PRACTITIONER Blind SQL injection with out-of-band data exfiltration
LAB
PRACTITIONER SQL injection with filter bypass via XML encoding

Cross-site scripting

LAB
APPRENTICE Reflected XSS into HTML context with nothing encoded
LAB
APPRENTICE Stored XSS into HTML context with nothing encoded
LAB
APPRENTICE DOM XSS in document.write sink using source location.search
LAB
APPRENTICE DOM XSS in innerHTML sink using source location.search
LAB
APPRENTICE DOM XSS in jQuery anchor href attribute sink using location.search source
LAB
APPRENTICE DOM XSS in jQuery selector sink using a hashchange event
LAB
APPRENTICE Reflected XSS into attribute with angle brackets HTML-encoded
LAB
APPRENTICE Stored XSS into anchor href attribute with double quotes HTML-encoded
LAB
APPRENTICE Reflected XSS into a JavaScript string with angle brackets HTML encoded
LAB
PRACTITIONER DOM XSS in document.write sink using source location.search inside a select element
LAB
PRACTITIONER DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
LAB
PRACTITIONER Reflected DOM XSS
LAB
PRACTITIONER Stored DOM XSS
LAB
PRACTITIONER Exploiting cross-site scripting to steal cookies
LAB
PRACTITIONER Exploiting cross-site scripting to capture passwords
LAB
PRACTITIONER Exploiting XSS to perform CSRF
LAB
PRACTITIONER Reflected XSS into HTML context with most tags and attributes blocked
LAB
PRACTITIONER Reflected XSS into HTML context with all tags blocked except custom ones
LAB
PRACTITIONER Reflected XSS with some SVG markup allowed
LAB
PRACTITIONER Reflected XSS in canonical link tag
LAB
PRACTITIONER Reflected XSS into a JavaScript string with single quote and backslash escaped
LAB
PRACTITIONER Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
LAB
PRACTITIONER Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
LAB
PRACTITIONER Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
LAB
EXPERT Reflected XSS with event handlers and href attributes blocked
LAB
EXPERT Reflected XSS in a JavaScript URL with some characters blocked
LAB
EXPERT Reflected XSS with AngularJS sandbox escape without strings
LAB
EXPERT Reflected XSS with AngularJS sandbox escape and CSP
LAB
EXPERT Reflected XSS protected by very strict CSP, with dangling markup attack
LAB
EXPERT Reflected XSS protected by CSP, with CSP bypass

Cross-site request forgery (CSRF)

LAB
APPRENTICE CSRF vulnerability with no defenses
LAB
PRACTITIONER CSRF where token validation depends on request method
LAB
PRACTITIONER CSRF where token validation depends on token being present
LAB
PRACTITIONER CSRF where token is not tied to user session
LAB
PRACTITIONER CSRF where token is tied to non-session cookie
LAB
PRACTITIONER CSRF where token is duplicated in cookie
LAB
PRACTITIONER SameSite Lax bypass via method override
LAB
PRACTITIONER SameSite Strict bypass via client-side redirect
LAB
PRACTITIONER SameSite Strict bypass via sibling domain
LAB
PRACTITIONER SameSite Lax bypass via cookie refresh
LAB
PRACTITIONER CSRF where Referer validation depends on header being present
LAB
PRACTITIONER CSRF with broken Referer validation

Clickjacking

LAB
APPRENTICE Basic clickjacking with CSRF token protection
LAB
APPRENTICE Clickjacking with form input data prefilled from a URL parameter
LAB
APPRENTICE Clickjacking with a frame buster script
LAB
PRACTITIONER Exploiting clickjacking vulnerability to trigger DOM-based XSS
LAB
PRACTITIONER Multistep clickjacking

DOM-based vulnerabilities

LAB
PRACTITIONER DOM XSS using web messages
LAB
PRACTITIONER DOM XSS using web messages and a JavaScript URL
LAB
PRACTITIONER DOM XSS using web messages and JSON.parse
LAB
PRACTITIONER DOM-based open redirection
LAB
PRACTITIONER DOM-based cookie manipulation
LAB
EXPERT Exploiting DOM clobbering to enable XSS
LAB
EXPERT Clobbering DOM attributes to bypass HTML filters

Cross-origin resource sharing (CORS)

LAB
APPRENTICE CORS vulnerability with basic origin reflection
LAB
APPRENTICE CORS vulnerability with trusted null origin
LAB
PRACTITIONER CORS vulnerability with trusted insecure protocols
LAB
EXPERT CORS vulnerability with internal network pivot attack

XML external entity (XXE) injection

LAB
APPRENTICE Exploiting XXE using external entities to retrieve files
LAB
APPRENTICE Exploiting XXE to perform SSRF attacks
LAB
PRACTITIONER Blind XXE with out-of-band interaction
LAB
PRACTITIONER Blind XXE with out-of-band interaction via XML parameter entities
LAB
PRACTITIONER Exploiting blind XXE to exfiltrate data using a malicious external DTD
LAB
PRACTITIONER Exploiting blind XXE to retrieve data via error messages
LAB
PRACTITIONER Exploiting XInclude to retrieve files
LAB
PRACTITIONER Exploiting XXE via image file upload
LAB
EXPERT Exploiting XXE to retrieve data by repurposing a local DTD

Server-side request forgery (SSRF)

LAB
APPRENTICE Basic SSRF against the local server
LAB
APPRENTICE Basic SSRF against another back-end system
LAB
PRACTITIONER SSRF with blacklist-based input filter
LAB
PRACTITIONER SSRF with filter bypass via open redirection vulnerability
LAB
PRACTITIONER Blind SSRF with out-of-band detection
LAB
EXPERT SSRF with whitelist-based input filter
LAB
EXPERT Blind SSRF with Shellshock exploitation

HTTP request smuggling

LAB
PRACTITIONER HTTP request smuggling, basic CL.TE vulnerability
LAB
PRACTITIONER HTTP request smuggling, basic TE.CL vulnerability
LAB
PRACTITIONER HTTP request smuggling, obfuscating the TE header
LAB
PRACTITIONER HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
LAB
PRACTITIONER HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
LAB
PRACTITIONER Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
LAB
PRACTITIONER Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
LAB
PRACTITIONER Exploiting HTTP request smuggling to reveal front-end request rewriting
LAB
PRACTITIONER Exploiting HTTP request smuggling to capture other users' requests
LAB
PRACTITIONER Exploiting HTTP request smuggling to deliver reflected XSS
LAB
PRACTITIONER Response queue poisoning via H2.TE request smuggling
LAB
PRACTITIONER H2.CL request smuggling
LAB
PRACTITIONER HTTP/2 request smuggling via CRLF injection
LAB
PRACTITIONER HTTP/2 request splitting via CRLF injection
LAB
PRACTITIONER CL.0 request smuggling
LAB
EXPERT Exploiting HTTP request smuggling to perform web cache poisoning
LAB
EXPERT Exploiting HTTP request smuggling to perform web cache deception
LAB
EXPERT Bypassing access controls via HTTP/2 request tunnelling
LAB
EXPERT Web cache poisoning via HTTP/2 request tunnelling
LAB
EXPERT Client-side desync
LAB
EXPERT Browser cache poisoning via client-side desync
LAB
EXPERT Server-side pause-based request smuggling

OS command injection

LAB
APPRENTICE OS command injection, simple case
LAB
PRACTITIONER Blind OS command injection with time delays
LAB
PRACTITIONER Blind OS command injection with output redirection
LAB
PRACTITIONER Blind OS command injection with out-of-band interaction
LAB
PRACTITIONER Blind OS command injection with out-of-band data exfiltration

Server-side template injection

LAB
PRACTITIONER Basic server-side template injection
LAB
PRACTITIONER Basic server-side template injection (code context)
LAB
PRACTITIONER Server-side template injection using documentation
LAB
PRACTITIONER Server-side template injection in an unknown language with a documented exploit
LAB
PRACTITIONER Server-side template injection with information disclosure via user-supplied objects
LAB
EXPERT Server-side template injection in a sandboxed environment
LAB
EXPERT Server-side template injection with a custom exploit

Directory traversal

LAB
APPRENTICE File path traversal, simple case
LAB
PRACTITIONER File path traversal, traversal sequences blocked with absolute path bypass
LAB
PRACTITIONER File path traversal, traversal sequences stripped non-recursively
LAB
PRACTITIONER File path traversal, traversal sequences stripped with superfluous URL-decode
LAB
PRACTITIONER File path traversal, validation of start of path
LAB
PRACTITIONER File path traversal, validation of file extension with null byte bypass

Access control vulnerabilities

LAB
APPRENTICE Unprotected admin functionality
LAB
APPRENTICE Unprotected admin functionality with unpredictable URL
LAB
APPRENTICE User role controlled by request parameter
LAB
APPRENTICE User role can be modified in user profile
LAB
APPRENTICE User ID controlled by request parameter
LAB
APPRENTICE User ID controlled by request parameter, with unpredictable user IDs
LAB
APPRENTICE User ID controlled by request parameter with data leakage in redirect
LAB
APPRENTICE User ID controlled by request parameter with password disclosure
LAB
APPRENTICE Insecure direct object references
LAB
PRACTITIONER URL-based access control can be circumvented
LAB
PRACTITIONER Method-based access control can be circumvented
LAB
PRACTITIONER Multi-step process with no access control on one step
LAB
PRACTITIONER Referer-based access control

Authentication

LAB
APPRENTICE Username enumeration via different responses
LAB
APPRENTICE 2FA simple bypass
LAB
APPRENTICE Password reset broken logic
LAB
PRACTITIONER Username enumeration via subtly different responses
LAB
PRACTITIONER Username enumeration via response timing
LAB
PRACTITIONER Broken brute-force protection, IP block
LAB
PRACTITIONER Username enumeration via account lock
LAB
PRACTITIONER 2FA broken logic
LAB
PRACTITIONER Brute-forcing a stay-logged-in cookie
LAB
PRACTITIONER Offline password cracking
LAB
PRACTITIONER Password reset poisoning via middleware
LAB
PRACTITIONER Password brute-force via password change
LAB
EXPERT Broken brute-force protection, multiple credentials per request
LAB
EXPERT 2FA bypass using a brute-force attack

WebSockets

LAB
APPRENTICE Manipulating WebSocket messages to exploit vulnerabilities
LAB
PRACTITIONER Manipulating the WebSocket handshake to exploit vulnerabilities
LAB
PRACTITIONER Cross-site WebSocket hijacking

Web cache poisoning

LAB
PRACTITIONER Web cache poisoning with an unkeyed header
LAB
PRACTITIONER Web cache poisoning with an unkeyed cookie
LAB
PRACTITIONER Web cache poisoning with multiple headers
LAB
PRACTITIONER Targeted web cache poisoning using an unknown header
LAB
PRACTITIONER Web cache poisoning via an unkeyed query string
LAB
PRACTITIONER Web cache poisoning via an unkeyed query parameter
LAB
PRACTITIONER Parameter cloaking
LAB
PRACTITIONER Web cache poisoning via a fat GET request
LAB
PRACTITIONER URL normalization
LAB
EXPERT Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
LAB
EXPERT Combining web cache poisoning vulnerabilities
LAB
EXPERT Cache key injection
LAB
EXPERT Internal cache poisoning

Insecure deserialization

LAB
APPRENTICE Modifying serialized objects
LAB
PRACTITIONER Modifying serialized data types
LAB
PRACTITIONER Using application functionality to exploit insecure deserialization
LAB
PRACTITIONER Arbitrary object injection in PHP
LAB
PRACTITIONER Exploiting Java deserialization with Apache Commons
LAB
PRACTITIONER Exploiting PHP deserialization with a pre-built gadget chain
LAB
PRACTITIONER Exploiting Ruby deserialization using a documented gadget chain
LAB
EXPERT Developing a custom gadget chain for Java deserialization
LAB
EXPERT Developing a custom gadget chain for PHP deserialization
LAB
EXPERT Using PHAR deserialization to deploy a custom gadget chain

Information disclosure

LAB
APPRENTICE Information disclosure in error messages
LAB
APPRENTICE Information disclosure on debug page
LAB
APPRENTICE Source code disclosure via backup files
LAB
APPRENTICE Authentication bypass via information disclosure
LAB
PRACTITIONER Information disclosure in version control history

Business logic vulnerabilities

LAB
APPRENTICE Excessive trust in client-side controls
LAB
APPRENTICE High-level logic vulnerability
LAB
APPRENTICE Inconsistent security controls
LAB
APPRENTICE Flawed enforcement of business rules
LAB
PRACTITIONER Low-level logic flaw
LAB
PRACTITIONER Inconsistent handling of exceptional input
LAB
PRACTITIONER Weak isolation on dual-use endpoint
LAB
PRACTITIONER Insufficient workflow validation
LAB
PRACTITIONER Authentication bypass via flawed state machine
LAB
PRACTITIONER Infinite money logic flaw
LAB
PRACTITIONER Authentication bypass via encryption oracle

HTTP Host header attacks

LAB
APPRENTICE Basic password reset poisoning
LAB
APPRENTICE Host header authentication bypass
LAB
PRACTITIONER Web cache poisoning via ambiguous requests
LAB
PRACTITIONER Routing-based SSRF
LAB
PRACTITIONER SSRF via flawed request parsing
LAB
PRACTITIONER Host validation bypass via connection state attack
LAB
EXPERT Password reset poisoning via dangling markup

OAuth authentication

LAB
APPRENTICE Authentication bypass via OAuth implicit flow
LAB
PRACTITIONER Forced OAuth profile linking
LAB
PRACTITIONER OAuth account hijacking via redirect_uri
LAB
PRACTITIONER Stealing OAuth access tokens via an open redirect
LAB
PRACTITIONER SSRF via OpenID dynamic client registration
LAB
EXPERT Stealing OAuth access tokens via a proxy page

File upload vulnerabilities

LAB
APPRENTICE Remote code execution via web shell upload
LAB
APPRENTICE Web shell upload via Content-Type restriction bypass
LAB
PRACTITIONER Web shell upload via path traversal
LAB
PRACTITIONER Web shell upload via extension blacklist bypass
LAB
PRACTITIONER Web shell upload via obfuscated file extension
LAB
PRACTITIONER Remote code execution via polyglot web shell upload
LAB
EXPERT Web shell upload via race condition

JWT

LAB
APPRENTICE JWT authentication bypass via unverified signature
LAB
APPRENTICE JWT authentication bypass via flawed signature verification
LAB
PRACTITIONER JWT authentication bypass via weak signing key
LAB
PRACTITIONER JWT authentication bypass via jwk header injection
LAB
PRACTITIONER JWT authentication bypass via jku header injection
LAB
PRACTITIONER JWT authentication bypass via kid header path traversal
LAB
EXPERT JWT authentication bypass via algorithm confusion
LAB
EXPERT JWT authentication bypass via algorithm confusion with no exposed key

Essential skills

LAB
PRACTITIONER Discovering vulnerabilities quickly with targeted scanning

Prototype pollution

LAB
PRACTITIONER DOM XSS via client-side prototype pollution
LAB
PRACTITIONER DOM XSS via an alternative prototype pollution vector
LAB
PRACTITIONER Client-side prototype pollution via flawed sanitization
LAB
PRACTITIONER Client-side prototype pollution in third-party libraries
LAB
PRACTITIONER Client-side prototype pollution via browser APIs
LAB
PRACTITIONER Privilege escalation via server-side prototype pollution
LAB
PRACTITIONER Detecting server-side prototype pollution without polluted property reflection
LAB
PRACTITIONER Bypassing flawed input filters for server-side prototype pollution
LAB
PRACTITIONER Remote code execution via server-side prototype pollution
LAB
EXPERT Exfiltrating sensitive data via server-side prototype pollution