Penetration Testing, Security Code Review and Web App Security Exercises

Free PRO CVE Easy Medium Hard XSS Code Review API SSRF HTTP RECON CSRF SQLi

Exercise	Avg. Time	Solved by	Tier
GraphQL: SQL Injection This exercise covers how to use introspection and a SQL injection to get access to additional information in GraphQL.	1-2 Hr.	1503	PRO
OAuth2: Authorization Server OpenRedirect This exercise covers the exploitation of an OpenRedirect in an OAuth2 Authorization Server	< 1 Hr.	965	PRO
SAML: Signature Stripping This exercise covers the exploitation of a signature stripping vulnerability in SAML	< 1 Hr.	2147	PRO
Android 05 This exercise will guide you through the process of reversing a simple obfuscated Android code to recover the encrypted data	1-2 Hr.	2050	PRO
Ruby 2.x Universal RCE Deserialization Gadget Chain This exercise covers how to get code execution by using a Ruby Universal Gadget when an attacker controls the data passed to Marshal.load()	< 1 Hr.	1438	PRO
CVE-2018-10933: LibSSH auth bypass This exercise covers how to bypass authentication on an SSH server based on libssh to gain a shell on the affected system	--	0	FREE
Android 04 This exercise will guide you through the process of reversing a simple Android code	< 1 Hr.	2605	PRO
Android 03 This exercise will guide you through the process of extracting simple information from an APK	< 1 Hr.	3446	PRO
Introduction to CSP This exercise details the exploitation of a XSS in a simple web application that uses Content Security Policy	< 1 Hr.	2544	PRO
Git Information Leak II This exercise details how to retrieve information from an exposed .git directory on a web server, provided directory listing is disabled	< 1 Hr.	2654	PRO
CVE-2016-5386: HTTPoxy/Golang HTTProxy namespace conflict This exercise covers the exploitation of HTTPoxy against an old version of Golang	< 1 Hr.	949	PRO
Unix 31 This exercise is one of our challenges to help you learn more about Unix/Linux	< 1 Hr.	14289	PRO
Unix 30 This exercise is one of our challenges to help you learn more about Unix/Linux	< 1 Hr.	14317	PRO
CBC-MAC II Crypto This exercise covers the exploitation of an application using CBC-MAC when an attacker has control over the IV	1-2 Hr.	1775	PRO
JWT VI JWT This exercise covers the exploitation of an injection in the kid element of a JWT. This injection can be used to bypass the signature mechanism	< 1 Hr.	2608	PRO
CVE-2018-6574: go get RCE This exercise covers a remote command execution in Golang's go get command.	< 1 Hr.	914	PRO
Unix 15 This exercise is one of our challenges to help you learn more about Unix/Linux	< 1 Hr.	16587	PRO
Unix 20 This exercise is one of our challenges to help you learn more about Unix/Linux	< 1 Hr.	15248	PRO
JWT V JWT This exercise covers the exploitation of a trivial secret used to sign JWT tokens.	< 1 Hr.	3175	PRO
JWT IV JWT This exercise covers the exploitation of a vulnerability similar to the recent CVE-2017-17405 impacting Ruby Net::FTP	< 1 Hr.	2761	PRO
JWT kid Injection JWT This exercise covers the exploitation of an issue in the usage of JWT token	1-2 Hr.	2987	PRO
Code Execution 09 This exercise is one of our challenges on Code Execution	< 1 Hr.	11055	PRO
Server Side Template Injection 02 This exercise is one of our challenges on Server-Side Template Injection	< 1 Hr.	8739	PRO
Authorization 06 This exercise is one of our challenges on Authorisation issues	< 1 Hr.	15183	PRO
Code Execution 08 This exercise is one of our challenges on Code Execution	< 1 Hr.	11152	PRO
Authorization 04 This exercise is one of our challenges on Authorisation issues	< 1 Hr.	16517	PRO
Authorization 05 This exercise is one of our challenges on Authorisation issues	< 1 Hr.	15812	PRO
Server Side Template Injection 01 This exercise is one of our challenges on Server-Side Template Injection	< 1 Hr.	8732	PRO
Code Execution 05 This exercise is one of our challenges on Code Execution	< 1 Hr.	12719	PRO
Code Execution 07 This exercise is one of our challenges on Code Execution	< 1 Hr.	12169	PRO

‹ 1 … 4 5 6 7 8 9 ›

Showing 181–210 of 260 exercises