Exercises
| Exercise | Avg. Time | Difficulty | Solved by | Tier | |
|---|---|---|---|---|---|
|
Latex: --shell-escape
This exercise covers how one can leverage latex when pdflatex is used with the --shell-escape option to gain command execution.
|
< 1 Hr. |  |
21 | PRO |
|
CVE-2022-24720
This exercise covers how one can leverage image processing in ActiveStorage to gain command execution.
|
1-2 Hr. | |
15 | PRO |
|
|
CVE-2024-47081 | < 1 Hr. | |
21 | PRO |
|
|
Cache Poisoning 01
This exercise details how to exploit an application vulnerable to cache poisoning
|
< 1 Hr. | |
127 | PRO |
|
|
Cache Deception 02
This exercise details how to exploit an application vulnerable to cache deception
|
< 1 Hr. | |
125 | PRO |
|
|
Cache Deception 01
This exercise details how to exploit an application vulnerable to cache deception
|
< 1 Hr. | |
151 | PRO |
|
SAML: PySAML2 SSRF
This exercise covers the exploitation of a SSRF in PySAML2
|
< 1 Hr. | |
251 | PRO |
|
|
SAML: CVE-2021-21239
This exercise covers the exploitation of CVE-2021-21239 (PySAML2)
|
1-2 Hr. | |
117 | PRO |
|
|
SAML: Malicious IDP
This exercise covers the creation of a malicious IDP to forge an assertion
|
2-4 Hr. | |
59 | PRO |
|
|
SAML: Signature Wrapping III
This exercise covers the exploitation of a Signature Wrapping Issue in passport-saml (CVE-2022-39299)
|
1-2 Hr. | |
173 | PRO |
|
|
CVE-2022-21449
JWT
This exercise covers the exploitation of CVE-2022-21449 against a Java Application relying on JWT
|
< 1 Hr. | |
169 | PRO |
|
OAuth2: Authorization Server XSS
This exercise covers the exploitation of an XSS in an OAuth2 Authorization Server
|
< 1 Hr. | |
386 | PRO |
|
|
SAML: Comment Injection II
This exercise covers the exploitation of a comment injection vulnerability in SAML
|
< 1 Hr. | |
617 | PRO |
|
|
SAML: SAMLResponse forwarding
This exercise covers how to pass the SAMLResponse from one Service Provider to another
|
< 1 Hr. | |
523 | PRO |
|
|
OAuth2: State Fixation
This exercise covers the exploitation of a state fixation in an OAuth2 Client
|
1-2 Hr. | |
413 | PRO |
|
|
SAML: Trusted Embedded Key
This exercise covers the exploitation of a Service Provider (SP) that doesn't check the certificate provided in the SAMLResponse
|
< 1 Hr. | |
509 | PRO |
|
|
SAML: Known Key
This exercise covers the exploitation of a known key in SAML
|
1-2 Hr. | |
530 | PRO |
|
|
SAML: Comment Injection
This exercise covers the exploitation of a comment injection vulnerability in SAML
|
< 1 Hr. | |
1703 | PRO |
|
From SQL injection to Shell III: PostgreSQL Edition
SQL Injection
This exercise covers how to gain access to an administration interface using a SQL injection, and how to get command execution using Ghostscript
|
2-4 Hr. | |
251 | PRO |
|
OAuth2: Client CSRF II
This exercise covers the exploitation of a CSRF in an OAuth2 Client
|
2-4 Hr. | |
494 | PRO |
|
|
OAuth2: Client CSRF
This exercise covers the exploitation of a CSRF in an OAuth2 Client
|
< 1 Hr. | |
966 | PRO |
|
|
SVG XSS
This exercise covers how to use an SVG to trigger a Cross-Site-Scripting
|
< 1 Hr. | |
1827 | PRO |
|
|
postMessage() IV
This exercise covers how insecure calls to the JavaScript function postMessage() can be used to leak sensitive information when a listener does not filter the Origin and X-Frame-Options is used
|
< 1 Hr. | |
981 | PRO |
|
|
postMessage() III
This exercise covers how insecure calls to the JavaScript function postMessage() can be used to trigger a Cross-Site Scripting
|
< 1 Hr. | |
996 | PRO |
|
|
postMessage() II
This exercise covers how insecure calls to the JavaScript function postMessage() can be used to leak sensitive information when a listener does not filter the Origin
|
< 1 Hr. | |
1104 | PRO |
|
|
postMessage()
This exercise covers how insecure calls to the JavaScript function postMessage() can be used to leak sensitive information
|
< 1 Hr. | |
1260 | PRO |
|
|
Cross-Site WebSocket Hijacking
This exercise covers Cross-Site WebSocket Hijacking and how it can be used to gain access to sensitive information
|
< 1 Hr. | |
1108 | PRO |
|
|
Cross-Origin Resource Sharing II
This exercise covers Cross-Origin Resource Sharing and how it can be used to get access to sensitive data.
|
< 1 Hr. | |
1048 | PRO |
|
|
OAuth2: Client OpenRedirect
This exercise covers the exploitation of an OpenRedirect in an OAuth2 Client
|
< 1 Hr. | |
839 | PRO |
|
|
GraphQL: SQL Injection
This exercise covers how to use introspection and a SQL injection to get access to additional information in GraphQL.
|
1-2 Hr. | |
1479 | PRO |
Showing 1–30 of 54 exercises
Free Labs of the Month
