Exercises
| Exercise | Description | Avg. Time | Difficulty | Solved by | Tier |
|---|---|---|---|---|---|
| CVE-2026-24895: FrankenPHP Path Confusion RCE using Unicode | | 1-2 Hr. | | 3 | PRO |
| CVE-2021-X5X8 | This challenge covers the review of a CVE in a Golang codebase and its patch | -- | | 36 | PRO |
| GCM Tag Truncation | This challenge covers the exploitation of tag truncation on GCM | > 4 Hr. | | 14 | PRO |
| SAML: CVE-2025-25291 | This exercise covers the exploitation of CVE-2025-25291 (impacting ruby-saml) | 2-4 Hr. | | 11 | PRO |
| SAML: CVE-2025-29775 Signed Metadata | This exercise covers the exploitation of CVE-2025-29775 (impacting xml-crypto) without XMLResponse | 2-4 Hr. | | 8 | PRO |
| SAML: CVE-2025-29775 | This exercise covers the exploitation of CVE-2025-29775 (impacting xml-crypto) | 1-2 Hr. | | 16 | PRO |
| Mongo IDOR IV | | 2-4 Hr. | | 88 | PRO |
| Puzzle 01 | Find the XSS by leveraging backreferences in a regular expression | < 1 Hr. | | 62 | PRO |
| Puzzle 02 (CSP, XSS) | Leverage a PHP trick to bypass CSP | < 1 Hr. | | 43 | PRO |
| API 15 | This exercise covers how to exploit a leaked encrypted password with an API. | < 1 Hr. | | 572 | PRO |
| API 13 | This exercise covers a complex filter bypass in an API. | < 1 Hr. | | 572 | PRO |
| JSON Web Token XV: CVE-2022-39227 (JWT) | This exercise covers the exploitation of a polyglot token against python_jwt (CVE-2022-39227) | < 1 Hr. | | 35 | PRO |
| Java Serialize 06 | This exercise is one of our challenges to help you learn Java Serialisation exploitation | 2-4 Hr. | | 49 | PRO |
| JWT Algorithm Confusion with ECDSA Public Key Recovery (JWT) | This exercise covers the exploitation of algorithm confusion when no public key is available with an ECDSA key | 1-2 Hr. | | 38 | PRO |
| DOMPDF RCE IV | This exercise covers the automation of the exploitation of a vulnerability in the DOMPDF library | > 4 Hr. | | 27 | PRO |
| XSL PHP V | This exercise covers the exploitation of a PHP application using XSL | < 1 Hr. | | 117 | PRO |
| API Payments 05 | This exercise covers how to abuse a shopping cart allowing users to apply a voucher. | < 1 Hr. | | 888 | PRO |
| CVE-2005-2x8x | This challenge covers the review of a CVE and its patch | < 1 Hr. | | 623 | PRO |
| PHP Snippet #08 | This challenge covers the review of a snippet of code written in PHP | < 1 Hr. | | 1535 | PRO |
| Ox Remote Code Execution II | This exercise covers how you can gain code execution when an application is using Ox to deserialize data and is running on Ruby 2.7 | 2-4 Hr. | | 37 | PRO |
| HTTP 30 | This challenge covers how to send specific HTTP requests | < 1 Hr. | | 3094 | PRO |
| Ox Remote Code Execution | This exercise covers how you can gain code execution when an application is using Ox to deserialize data and is running on Ruby 2.3 | 2-4 Hr. | | 87 | PRO |
| CVE-2021-22204: Exiftool RCE | This exercise covers how you can gain code execution when an application uses exiftool on user-controlled files | 1-2 Hr. | | 175 | PRO |
| SSRF via FFMPEG II | This exercise covers how you can read arbitrary files when an application uses ffmpeg to render videos from a video you provide | < 1 Hr. | | 131 | PRO |
| OAuth2: Authorization Server XSS II | This exercise covers the exploitation of an XSS in an OAuth2 Authorization Server | < 1 Hr. | | 281 | PRO |
| JWT Algorithm Confusion with RSA Public Key Recovery (JWT) | This exercise covers the exploitation of algorithm confusion when no public key is available | < 1 Hr. | | 211 | PRO |
| SAML: Signature Wrapping II | This exercise covers how to use Signature Wrapping to become an arbitrary user | < 1 Hr. | | 460 | PRO |
| RCE via argument injection | This exercise covers a remote command execution vulnerability via argument injection | 2-4 Hr. | | 57 | PRO |
| SAML: Signature Wrapping | This exercise covers how to use Signature Wrapping to become an arbitrary user | < 1 Hr. | | 558 | PRO |
| Code Review 13 | This exercise is one of our challenges to help you learn how to review real source code | 1-2 Hr. | | 343 | PRO |
Showing 1–30 of 71 exercises