Exercises
| Exercise | Avg. Time | Difficulty | Solved by | Tier | |
|---|---|---|---|---|---|
|
JS Sandbox: static-eval Direct Constructor Access
This exercise covers exploiting the original unpatched static-eval with unrestricted property access on functions.
|
< 1 Hr. |  |
7 | PRO |
|
|
JS Sandbox: static-eval Destructuring Parameter Bypass
This exercise covers bypassing static-eval parameter validation using destructured parameters (ObjectPattern).
|
< 1 Hr. | |
4 | PRO |
|
|
JS Sandbox: vm.runInNewContext Null Prototype
This exercise covers escaping vm.runInNewContext when the context is created with Object.create(null) so this.constructor is undefined.
|
< 1 Hr. | |
7 | PRO |
|
|
JS Sandbox: static-eval Function Property Blocked
This exercise covers bypassing post-2.0 static-eval that blocks member access on functions, using anonymous function bodies.
|
< 1 Hr. | |
8 | PRO |
|
|
JS Sandbox: vm.runInNewContext Restricted Globals
This exercise covers escaping vm.runInNewContext when specific safe objects are provided but frozen, using Error objects or Promise callbacks.
|
< 1 Hr. | |
7 | PRO |
|
|
JS Sandbox: AST-Based Filtering
This exercise covers bypassing AST-based sandbox filtering using computed property access or Reflect.get().
|
-- | |
11 | PRO |
|
|
JS Sandbox: vm.runInNewContext Empty Context
This exercise covers escaping Node.js vm.runInNewContext with an empty sandbox object via the constructor chain.
|
-- | |
9 | PRO |
|
|
JS Sandbox: Regex Filter Bypass
This exercise covers bypassing regex filters with hex escapes, unicode escapes, or base64 decoding.
|
< 1 Hr. | |
14 | PRO |
|
|
JS Sandbox: Type Confusion Bypass
This exercise covers bypassing string sanitization by sending an object when the sanitizer expects a string.
|
-- | |
11 | PRO |
|
|
JS Sandbox: Keyword Blocklist Bypass
This exercise covers bypassing indexOf/includes blocklists with bracket notation and string concatenation.
|
< 1 Hr. | |
21 | PRO |
|
|
Latex: --shell-escape
This exercise covers how one can leverage latex when pdflatex is used with the --shell-escape option to gain command execution.
|
< 1 Hr. | |
53 | PRO |
|
CVE-2022-24720
This exercise covers how one can leverage image processing in ActiveStorage to gain command execution.
|
1-2 Hr. | |
36 | PRO |
|
|
CVE-2024-47081 | < 1 Hr. | |
26 | PRO |
|
|
UUIDv1 IDOR | 1-2 Hr. | |
223 | PRO |
|
API Mass-Assignment 03 | < 1 Hr. | |
432 | PRO |
|
|
API Mass-Assignment 01 | < 1 Hr. | |
491 | PRO |
|
|
API Mass-Assignment 02 | < 1 Hr. | |
463 | PRO |
|
|
Mongo IDOR III | < 1 Hr. | |
242 | PRO |
|
|
API 19
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
543 | PRO |
|
|
API 20
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
525 | PRO |
|
|
API 18
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
556 | PRO |
|
|
API 17
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
468 | PRO |
|
|
API 16
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
559 | PRO |
|
|
ORM LEAK: SQLite
This exercise covers how to exploit an ORM leak vulnerability
|
1-2 Hr. | |
162 | PRO |
|
|
ORM LEAK 02
This exercise covers how to exploit an ORM leak vulnerability
|
< 1 Hr. | |
235 | PRO |
|
|
ORM LEAK 01
This exercise covers how to exploit a simple ORM leak.
|
1-2 Hr. | |
279 | PRO |
|
|
API 14
This exercise covers how to exploit a leaked encrypted password with an API.
|
< 1 Hr. | |
721 | PRO |
|
|
API 12
This exercise covers a common filter bypass in API.
|
< 1 Hr. | |
769 | PRO |
|
|
API 10
This exercise covers a common filter bypass in API.
|
< 1 Hr. | |
880 | PRO |
|
|
API 11
This exercise covers a common filter bypass in API.
|
< 1 Hr. | |
810 | PRO |
Showing 1–30 of 260 exercises
Free Labs of the Month
