Web Security Training Platform

Master cybersecurity vulnerabilities through hands-on labs designed to challenge and enhance your penetration testing skills.

217+
Labs Available
22
Vulnerability Types
3
Difficulty Levels
100%
Hands-On

Vulnerability Categories

Cross-Site Scripting (XSS)

LAB 1
Easy Training
Reflected XSS - Basic Input
ACCESS THE LAB
LAB 2
Easy Training
Reflected XSS - Script Tag Filter Evasion
ACCESS THE LAB
LAB 3
Medium Training
Reflected XSS - Script & Img Tag Filter
ACCESS THE LAB
LAB 4
Medium Training
Reflected XSS - Case-Insensitive Filter Bypass
ACCESS THE LAB
LAB 5
Hard Training
Reflected XSS - Less-Than Sign Filter
ACCESS THE LAB
LAB 6
Hard Training
Reflected XSS in HTML Title Tag
ACCESS THE LAB
LAB 7
Easy Training
Reflected XSS in Page Heading
ACCESS THE LAB
LAB 8
Easy Training
Reflected XSS - Function Name Filter
ACCESS THE LAB
LAB 9
Medium Training
Reflected XSS - Extended Function Filter
ACCESS THE LAB
LAB 10
Medium Training
Reflected XSS - Event Handler Filter
ACCESS THE LAB
LAB 11
Hard Training
Reflected XSS - Multi-Parameter Filter Evasion
ACCESS THE LAB
LAB 12
Hard Training
Reflected XSS - Encoding Bypass Attempts
ACCESS THE LAB
LAB 13
Hard Training
Reflected XSS - Mixed Security Parameters
ACCESS THE LAB
LAB 14
Hard Training
Reflected XSS - String Concatenation Bypass
ACCESS THE LAB
LAB 16
Hard Training
Reflected XSS in Search Function
ACCESS THE LAB
LAB 17
Hard Training
Reflected XSS in Category Filter
ACCESS THE LAB
LAB 18
Hard Training
Stored XSS - User Comments System
ACCESS THE LAB
LAB 19
Hard Training
Stored XSS - User Profile Management
ACCESS THE LAB
LAB 20
Hard Training
Stored XSS - Blog Post System
ACCESS THE LAB
LAB 21
Hard Training
Stored XSS - Support Ticket System
ACCESS THE LAB
LAB 22
Hard Training
Stored XSS - Admin Panel Settings
ACCESS THE LAB
LAB 50
Hard Training
Self XSS via POST Parameter
ACCESS THE LAB
LAB 51
Hard Training
POST-Based Reflected XSS
ACCESS THE LAB
LAB 52
Hard Training
POST XSS in Input Tag Value
ACCESS THE LAB
LAB 53
Hard Training
POST XSS in Document Title
ACCESS THE LAB
LAB 54
Hard Training
DOM-based XSS with jQuery
ACCESS THE LAB
LAB 55
Hard Real World
Reflected XSS in JS Analytics Context (Equifax — HackerOne #1818163)
ACCESS THE LAB
LAB 56
Low Real World
Reflected XSS in HTML Attribute Context (PUBG — HackerOne #751870)
ACCESS THE LAB
LAB 57
Low Real World
XSS via javascript: URI in Redirect Parameter (Shopify — HackerOne #1940245)
ACCESS THE LAB
LAB 58
Medium Real World
Reflected XSS in URL Path Segment (Imgur Mobile — HackerOne #149855)
ACCESS THE LAB
LAB 59
Hard Real World
Reflected XSS via Unquoted Attribute Injection (Reddit — HackerOne #1549206)
ACCESS THE LAB
LAB 60
Hard Real World
Stored XSS in Report Name Field (MoPub / Twitter — HackerOne #485748)
ACCESS THE LAB
LAB 61
Medium Real World
Stored XSS via Rich Text Editor HTML Tab in Article Body — Quill CMS (Shopify — HackerOne #1147433)
ACCESS THE LAB
LAB 62
Medium Real World
Stored XSS in Profile Signature Field — DevAsk Forum (Acronis — HackerOne #1084183)
ACCESS THE LAB
LAB 63
Medium Real World
Blind Stored XSS in Company Name (Informatica — HackerOne #1011888)
ACCESS THE LAB
LAB 64
Hard Real World
Blind XSS via Support Ticket Form — ZAP-Hosting (Name, Subject & Message fields)
ACCESS THE LAB
LAB 65
Medium Real World HackerOne #474656
DOM XSS via URL Tracking Parameter — HackerOne Careers
?lever- tracking param → jQuery.append() unsanitized sink
ACCESS THE LAB
LAB 66
Medium Real World HackerOne #324303
DOM XSS via URL Hash Fragment — MyCrypto Wallet
#send-transaction hash → innerHTML unsanitized sink
ACCESS THE LAB
LAB 67
Hard Real World HackerOne #396493
Reflected DOM XSS via URL + prettyPhoto Hash Chain — Starbucks UK
?slug= → canonical link attr injection + prettyPhoto jQuery trigger
ACCESS THE LAB
LAB 68
Medium Real World HackerOne #704266
DOM XSS via Hash in jQuery Fancybox Selector — ForeScout Technologies
window.location.hash → .html() unsanitized sink
ACCESS THE LAB
LAB 69
Medium Real World HackerOne #1004833
DOM XSS via javascript: URI in location.replace — Informatica IQ Card
document.location.search → location.replace() navigation sink
ACCESS THE LAB
LAB 1
Easy Training
PUNISHMENT LAB 1
ACCESS THE LAB
LAB 2
Easy Training
PUNISHMENT LAB 2
ACCESS THE LAB
LAB 3
Medium Training
PUNISHMENT LAB 3
ACCESS THE LAB
LAB 4
Medium Training
PUNISHMENT LAB 4
ACCESS THE LAB
LAB 5
Hard Training
PUNISHMENT LAB 5
ACCESS THE LAB
LAB 6
Hard Training
PUNISHMENT LAB 6
ACCESS THE LAB
LAB 7
Easy Training
PUNISHMENT LAB 7
ACCESS THE LAB
LAB 8
Easy Training
PUNISHMENT LAB 8
ACCESS THE LAB
LAB 9
Medium Training
PUNISHMENT LAB 9
ACCESS THE LAB
LAB 10
Medium Training
PUNISHMENT LAB 10
ACCESS THE LAB
LAB 11
Hard Training
PUNISHMENT LAB 11
ACCESS THE LAB
LAB 12
Hard Training
PUNISHMENT LAB 12
ACCESS THE LAB
LAB 13
Hard Training
PUNISHMENT LAB 13
ACCESS THE LAB
LAB 14
Hard Training
PUNISHMENT LAB 14
ACCESS THE LAB
LAB 15
Hard Training
PUNISHMENT LAB 15
ACCESS THE LAB
LAB 16
Hard Training
PUNISHMENT LAB 16
ACCESS THE LAB
LAB 17
Hard Training
PUNISHMENT LAB 17
ACCESS THE LAB
LAB 18
Hard Training
PUNISHMENT LAB 18
ACCESS THE LAB
LAB 19
Hard Training
PUNISHMENT LAB 19
ACCESS THE LAB
LAB 20
Hard Training
PUNISHMENT LAB 20
ACCESS THE LAB
LAB 21
Hard Training
PUNISHMENT LAB 21
ACCESS THE LAB
LAB 22
Hard Training
PUNISHMENT LAB 22
ACCESS THE LAB
LAB 23
Hard Training
PUNISHMENT LAB 23
ACCESS THE LAB
LAB 24
Hard Training
PUNISHMENT LAB 24
ACCESS THE LAB
LAB 25
Hard Training
PUNISHMENT LAB 25
ACCESS THE LAB
LAB 26
Hard Training
PUNISHMENT LAB 26
ACCESS THE LAB
LAB 27
Hard Training
PUNISHMENT LAB 27
ACCESS THE LAB
LAB 28
Hard Training
PUNISHMENT LAB 28
ACCESS THE LAB
LAB 29
Hard Training
PUNISHMENT LAB 29
ACCESS THE LAB
LAB 30
Hard Training
PUNISHMENT LAB 30
ACCESS THE LAB
LAB 31
Hard Training
PUNISHMENT LAB 31
ACCESS THE LAB
LAB 32
Hard Training
PUNISHMENT LAB 32
ACCESS THE LAB
LAB 33
Hard Training
PUNISHMENT LAB 33
ACCESS THE LAB
LAB 34
Hard Training
PUNISHMENT LAB 34
ACCESS THE LAB

HTML Injection (HTMLI)

LAB 1
Easy Real World
HTML Injection in Support Chat (LinkedIn — HackerOne #3079966)
ACCESS THE LAB
LAB 2
Easy Training
Reflected HTML Injection via Search Parameter (E-commerce — Common Real-World Pattern)
ACCESS THE LAB
LAB 3
Easy Real World
Stored HTML Injection via Nickname in Wallet-Share Email (Romit - HackerOne #57914)
ACCESS THE LAB
LAB 4
Easy Real World
Stored HTML Tag Injection via Profile Name in Snippets Page (GitLab — HackerOne #358001)
ACCESS THE LAB
LAB 5
Medium Real World
HTML Injection via First/Last Name in Confirmation Email (HackerOne — #1374017)
ACCESS THE LAB

Open Redirect

LAB 1
Easy Training
Basic URL Parameter Redirect
ACCESS THE LAB
LAB 2
Easy Real World
Open Redirect via URL Path Manipulation (Omise — HackerOne #504751)
ACCESS THE LAB
LAB 3
Easy Real World
Open Redirect via URL Parameter (?url=) — Semrush · HackerOne #311330
ACCESS THE LAB
LAB 4
Medium Real World
Open Redirect via \@ Validator Bypass (Tumblr — HackerOne #2812583)
ACCESS THE LAB

Authentication Bypass

LAB 1
Medium Real World
Admin Auth Bypass via Response Manipulation (UPS — HackerOne #1490470)
ACCESS THE LAB
LAB 2
Medium Training
OTP Verification Bypass via Response Manipulation
ACCESS THE LAB
LAB 3
Medium Training
Phone OTP Bypass via Response Manipulation
ACCESS THE LAB

SQL Injection (SQLI)

LAB 1
Easy Training
SQL Injection - Login Bypass
ACCESS THE LAB
LAB 2
Easy Training
INSERT SQL Injection - Comment System
ACCESS THE LAB
LAB 3
Medium Training
CRUD SQL Injection - Book Management
ACCESS THE LAB
LAB 4
Medium Training
Time-based Blind SQL Injection
ACCESS THE LAB
LAB 5
Medium Training
Integer-based SQL Injection
ACCESS THE LAB
LAB 6
Hard Training
User-Agent Header Blind SQL Injection
ACCESS THE LAB
LAB 7
Hard Training
Referer Header Blind SQL Injection
ACCESS THE LAB
LAB 8
Hard Training
X-Forwarded-For Header Blind SQL Injection
ACCESS THE LAB
LAB 9
Hard Real World
Time-based Blind SQLi via item_id + WAF Bypass (Zomato — #403616)
ACCESS THE LAB
LAB 10
Hard Real World
Time-based Blind SQLi via User-Agent + XOR Arithmetic (labs.data.gov — #297478)
ACCESS THE LAB
LAB 11
Hard Real World
UNION-based SQLi via URL siteId — Results Reflected in Page (IntenseDebate — #1046084)
ACCESS THE LAB
LAB 12
Hard Real World
Blind SQLi via phone_number Login Field + XOR Payload (MTN FutExpert — #1069531)
ACCESS THE LAB
LAB 13
Hard Real World
ORDER BY SQLi via WordPress Shortcode Parameter (drivegrab.com / Grab — #273946)
ACCESS THE LAB
LAB 14
Hard Real World
Boolean-blind SQLi via REST API Path Segment (inDrive — #2051931)
ACCESS THE LAB
LAB 15
Hard Real World
Time-Based Blind SQLi via JSONP Analytics Tracker (Rocket.Chat / AgileCRM — #433792)
ACCESS THE LAB
LAB 16
Hard Real World
Boolean-Blind SQLi in PUT API Path Segment (Hyperpure / Zomato — #1044716)
ACCESS THE LAB
LAB 17
Hard Real World
UNION-Based SQLi in Bearer-Auth Admin Search API (Acronis — #923020)
ACCESS THE LAB
LAB 18
Hard Real World
UNION SQLi in WooCommerce Coupon Usage Report (Automattic — #3198980)
ACCESS THE LAB
LAB 19
Hard Real World
Time-Based Blind SQLi + XOR WAF Bypass in WordPress Login (Acronis — #1224660)
ACCESS THE LAB
LAB 20
Hard Real World
UNION SQLi via Integer entryid in DoD Form Confirmation AJAX Endpoint (U.S. DoD — #3127198)
ACCESS THE LAB
LAB 21
Hard Real World
Blind SQLi via CASE/**/ WHEN + Comment-Space WAF Bypass in Zomato Banner API (Zomato — #838855)
ACCESS THE LAB
LAB 22
Medium Real World
Time-Based Blind SQLi via GET Parameter in IntenseDebate Comment Settings (Automattic — #1042746)
ACCESS THE LAB
LAB 23
Hard Real World
String SQLi via Nested Subquery WAF Bypass in DoD Publications (U.S. DoD — #491191)
ACCESS THE LAB
LAB 24
Medium Real World
Time-Based Blind SQLi via XOR in DoD Publications Search (U.S. DoD — #2312334)
ACCESS THE LAB

Cross-Site Request Forgery (CSRF)

LAB 1
Easy Real World
Login CSRF — Token Never Validated (HackerOne — HackerOne #834366)
ACCESS THE LAB
LAB 2
Medium Real World
Login CSRF — No Token on API Login Endpoint — Unikrn (#339352)
ACCESS THE LAB
LAB 3
Hard Real World
CSRF via GraphQL GET Mutation — Token Bypass on /api/graphql — GitLab (#1122408)
ACCESS THE LAB
LAB 4
Medium Real World
CSRF → Reflected XSS via Unsanitized Wishlist Comment — Teavana/Starbucks (#177508)
ACCESS THE LAB
LAB 5
Hard Real World
CSRF Account Takeover via Profile Edit — U.S. Dept of Defense / NPS (#2712857)
ACCESS THE LAB
LAB 6
Medium Real World
CSRF → Attribute-Context XSS via Training Answer Field — DoD/JKO (#1118521)
ACCESS THE LAB
LAB 7
Easy Training
CSRF Password Change — Unprotected Account Settings
ACCESS THE LAB
LAB 8
Easy Training
CSRF Email Hijack — Silent Account Takeover
ACCESS THE LAB
LAB 9
Easy Training
CSRF Account Wipe — Irreversible Data Deletion
ACCESS THE LAB
LAB 11
Easy Training
CSRF 2FA Bypass — Silent Security Downgrade
ACCESS THE LAB

Server-Side Request Forgery (SSRF)

LAB 1
Easy Training
Source Code Viewer - Basic cURL SSRF
ACCESS THE LAB
LAB 2
Easy Training
Screenshot Tool - URL to Image
ACCESS THE LAB
LAB 3
Medium Training
Port-based Timing Attack
ACCESS THE LAB
LAB 4
Medium Training
Domain Restriction Bypass with Redirects
ACCESS THE LAB
LAB 5
Medium Training
Website Checker with IP Blacklist
ACCESS THE LAB
LAB 6
Medium Training
AWS Metadata Filter Bypass
ACCESS THE LAB
LAB 7
Easy Training
PDF Generator - URL to PDF
ACCESS THE LAB

Insecure Direct Object Reference (IDOR)

LAB 1
Easy Training
SwiftCart — Insecure Order Invoice Disclosure
ACCESS THE LAB
LAB 2
Medium Real World HackerOne #150095
Uber Driver Portal — Trip & Earnings Disclosure
ACCESS THE LAB

Server-Side Template Injection (SSTI)

LAB 1
Easy Training
Template Engine Code Injection
ACCESS THE LAB
LAB 2
Medium Real World
SSTI via First Name in Registration Welcome Email (Glovo — #1104349)
ACCESS THE LAB
LAB 3
Medium Real World
SSTI via Profile Name in Account Update Email (Uber — #125980)
ACCESS THE LAB
LAB 4
Hard Real World
SSTI via Profile Fields in Invitation Email — Smarty RCE (Unikrn — #164224)
ACCESS THE LAB

Local File Inclusion (LFI)

LAB 1
Easy Training
Path Traversal - Basic
ACCESS THE LAB
LAB 2
Medium Training
CMS Local File Inclusion
ACCESS THE LAB
LAB 3
Hard Training
File Upload with LFI Vulnerability
ACCESS THE LAB
LAB 4
Easy Training
Image Gallery File Inclusion
ACCESS THE LAB
LAB 5
Hard Real World
Unauthenticated LFI via ! Path Separator in Jolokia JMX Bridge (U.S. DoD — #2778380)
ACCESS THE LAB
LAB 6
Medium Real World
Grafana LFI via Path Traversal in Plugin Static Files (MariaDB — #1419213)
ACCESS THE LAB
LAB 7
Medium Real World
LFI via Prefix-Bypass Path Traversal in download.php (U.S. DoD — #1639364)
ACCESS THE LAB
LAB 8
Hard Real World
LFI via Double URL Encoding in GWT CSS Servlet (U.S. DoD — #497771)
ACCESS THE LAB

Remote File Inclusion (RFI)

LAB 1
Easy Training
Remote File Inclusion via URL
ACCESS THE LAB
LAB 2
Medium Real World
RFI + XSS + SSRF via Unvalidated URL Proxy in GIS Portal (U.S. DoD — #192940)
ACCESS THE LAB

Remote Code Execution (RCE)

LAB 1
Easy Training
OS Command Injection
ACCESS THE LAB
LAB 2
Hard Real World
RCE via Prototype Pollution in Kibana SIEM ML Signal Processing — Elastic (#861744)
ACCESS THE LAB
LAB 3
Hard Real World
RCE via ImageMagick + Ghostscript CVE-2017-8291 (Profile Image Upload) — Basecamp (#365271)
ACCESS THE LAB
LAB 4
Hard Real World
RCE via Arbitrary File Write in RServer Report Export (ASPX Webshell) — U.S. Dept of Defense (#1072832)
ACCESS THE LAB