Exercises
| Exercise | Avg. Time | Difficulty | Solved by | Tier | |
|---|---|---|---|---|---|
|
|
H2 INIT Parameter RCE II | < 1 Hr. | 5 | PRO | |
|
|
CVE-2026-XX792
This challenge covers the review of a CVE in a typescript codebase and its patch
|
-- | 18 | PRO | |
|
|
CVE-2026-XX957
This challenge covers the review of a CVE in a typescript codebase and its patch
|
< 1 Hr. | 18 | PRO | |
|
|
CVE-2026-XX464
This challenge covers the review of a CVE in a typescript codebase and its patch
|
-- | 18 | PRO | |
|
|
H2 INIT Parameter RCE | < 1 Hr. | 9 | PRO | |
|
|
SAML: Transform RCE
This exercise covers the exploitation of an RCE in SAML by leveraging a vulnerable version of xmlsec
|
< 1 Hr. | 9 | PRO | |
|
|
Web Fundamentals: Browser Storage | -- | 59 | PRO | |
|
|
Web Fundamentals: Proxy | -- | 56 | PRO | |
|
|
Web Fundamentals: WebDAV Introduction | -- | 57 | PRO | |
|
|
Web Fundamentals: GraphQL | -- | 68 | PRO | |
|
|
Web Fundamentals: CORS Introduction | -- | 65 | PRO | |
|
|
Web Fundamentals: Same-Origin Policy Introduction | -- | 62 | PRO | |
|
|
Web Fundamentals: WebSockets | -- | 70 | PRO | |
|
|
Web Fundamentals: API | -- | 74 | PRO | |
|
|
Web Fundamentals: Client-Side Code | -- | 86 | PRO | |
|
|
Web Fundamentals: Server-Side Code | -- | 86 | PRO | |
|
|
Web Fundamentals: Databases | -- | 78 | PRO | |
|
|
Web Fundamentals: Sessions | -- | 76 | PRO | |
|
|
JS Sandbox: static-eval Function Property Blocked
This exercise covers bypassing post-2.0 static-eval that blocks member access on functions, using anonymous function bodies.
|
< 1 Hr. | 16 | PRO | |
|
|
JS Sandbox: static-eval Destructuring Parameter Bypass
This exercise covers bypassing static-eval parameter validation using destructured parameters (ObjectPattern).
|
< 1 Hr. | 10 | PRO | |
|
|
JS Sandbox: vm.runInNewContext Null Prototype
This exercise covers escaping vm.runInNewContext when the context is created with Object.create(null) so this.constructor is undefined.
|
< 1 Hr. | 17 | PRO | |
|
|
JS Sandbox: vm.runInNewContext Restricted Globals
This exercise covers escaping vm.runInNewContext when specific safe objects are provided but frozen, using Error objects or Promise callbacks.
|
< 1 Hr. | 15 | PRO | |
|
|
JS Sandbox: static-eval Direct Constructor Access
This exercise covers exploiting the original unpatched static-eval with unrestricted property access on functions.
|
< 1 Hr. | 18 | PRO | |
|
|
CVE-2026-XX242
This challenge covers the review of a CVE in a python codebase and its patch
|
< 1 Hr. | 41 | PRO | |
|
|
CVE-2026-XX738
This challenge covers the review of a CVE in a python codebase and its patch
|
< 1 Hr. | 38 | PRO | |
|
|
Web Fundamentals: Introduction | < 1 Hr. | 145 | PRO | |
|
|
JS Sandbox: Type Confusion Bypass
This exercise covers bypassing string sanitization by sending an object when the sanitizer expects a string.
|
-- | 20 | PRO | |
|
|
JS Sandbox: AST-Based Filtering
This exercise covers bypassing AST-based sandbox filtering using computed property access or Reflect.get().
|
-- | 20 | PRO | |
|
|
JS Sandbox: Regex Filter Bypass
This exercise covers bypassing regex filters with hex escapes, unicode escapes, or base64 decoding.
|
< 1 Hr. | 24 | PRO | |
|
|
JS Sandbox: vm.runInNewContext Empty Context
This exercise covers escaping Node.js vm.runInNewContext with an empty sandbox object via the constructor chain.
|
-- | 19 | PRO |
Showing 1–30 of 752 exercises
Free Labs of the Month