Exercises
| Exercise | Description | Avg. Time | Difficulty | Solved by | Tier |
|---|---|---|---|---|---|
| CVE-2026-24895: FrankenPHP Path Confusion RCE using Unicode | | < 1 Hr. | | 21 | PRO |
| CVE-2021-X5X8 | This challenge covers the review of a CVE in a Golang codebase and its patch | -- | | 67 | PRO |
| GCM Tag Truncation | This challenge covers the exploitation of tag truncation on GCM | 2-4 Hr. | | 18 | PRO |
| SAML: CVE-2025-25291 | This exercise covers the exploitation of CVE-2025-25291 (impacting ruby-saml) | 2-4 Hr. | | 18 | PRO |
| SAML: CVE-2025-29775 Signed Metadata | This exercise covers the exploitation of CVE-2025-29775 (impacting xml-crypto) without XMLResponse | 2-4 Hr. | | 14 | PRO |
| SAML: CVE-2025-29775 | This exercise covers the exploitation of CVE-2025-29775 (impacting xml-crypto) | 1-2 Hr. | | 21 | PRO |
| Mongo IDOR IV | | 2-4 Hr. | | 145 | PRO |
| Puzzle 01 | Find the XSS by leveraging backreferences in a regular expression | < 1 Hr. | | 79 | PRO |
| Puzzle 02 | Leverage a PHP trick to bypass CSP (tags: CSP, XSS) | < 1 Hr. | | 48 | PRO |
| API 15 | This exercise covers how to exploit a leaked encrypted password with an API. | < 1 Hr. | | 637 | PRO |
| API 13 | This exercise covers a complex filter bypass in an API. | < 1 Hr. | | 697 | PRO |
| JSON Web Token XV: CVE-2022-39227 | This exercise covers the exploitation of a polyglot token against python_jwt (CVE-2022-39227) (tag: JWT) | < 1 Hr. | | 42 | PRO |
| Java Serialize 06 | This exercise is one of our challenges to help you learn Java Serialisation exploitation | 2-4 Hr. | | 60 | PRO |
| JWT Algorithm Confusion with ECDSA Public Key Recovery | This exercise covers the exploitation of algorithm confusion when no public key is available with an ECDSA key (tag: JWT) | 1-2 Hr. | | 45 | PRO |
| DOMPDF RCE IV | This exercise covers the automation of the exploitation of a vulnerability in the DOMPDF library | > 4 Hr. | | 30 | PRO |
| XSL PHP V | This exercise covers the exploitation of a PHP application using XSL | < 1 Hr. | | 121 | PRO |
| API Payments 05 | This exercise covers how to abuse a shopping cart allowing users to apply a voucher. | < 1 Hr. | | 933 | PRO |
| CVE-2005-2x8x | This challenge covers the review of a CVE and its patch | < 1 Hr. | | 651 | PRO |
| PHP Snippet #08 | This challenge covers the review of a snippet of code written in PHP | < 1 Hr. | | 1665 | PRO |
| Ox Remote Code Execution II | This exercise covers how you can gain code execution when an application is using Ox to deserialize data and is running on Ruby 2.7 | 2-4 Hr. | | 41 | PRO |
| HTTP 30 | This challenge covers how to send specific HTTP requests | < 1 Hr. | | 3144 | PRO |
| Ox Remote Code Execution | This exercise covers how you can gain code execution when an application is using Ox to deserialize data and is running on Ruby 2.3 | 2-4 Hr. | | 92 | PRO |
| CVE-2021-22204: Exiftool RCE | This exercise covers how you can gain code execution when an application uses exiftool on user-controlled files | 1-2 Hr. | | 181 | PRO |
| SSRF via FFMPEG II | This exercise covers how you can read arbitrary files when an application uses ffmpeg to render videos from a video you provide | < 1 Hr. | | 135 | PRO |
| OAuth2: Authorization Server XSS II | This exercise covers the exploitation of an XSS in an OAuth2 Authorization Server | < 1 Hr. | | 287 | PRO |
| JWT Algorithm Confusion with RSA Public Key Recovery | This exercise covers the exploitation of algorithm confusion when no public key is available (tag: JWT) | < 1 Hr. | | 222 | PRO |
| SAML: Signature Wrapping II | This exercise covers how to use Signature Wrapping to become an arbitrary user | < 1 Hr. | | 497 | PRO |
| RCE via argument injection | This exercise covers a remote command execution vulnerability via argument injection | 2-4 Hr. | | 61 | PRO |
| SAML: Signature Wrapping | This exercise covers how to use Signature Wrapping to become an arbitrary user | < 1 Hr. | | 601 | PRO |
| Code Review 13 | This exercise is one of our challenges to help you learn how to review real source code | 1-2 Hr. | | 442 | PRO |

Showing 1–30 of 71 exercises