Exercises
| Exercise | Avg. Time | Difficulty | Solved by | Tier | |
|---|---|---|---|---|---|
|
JS Sandbox: static-eval Function Property Blocked
This exercise covers bypassing post-2.0 static-eval that blocks member access on functions, using anonymous function bodies.
|
-- |  |
4 | PRO |
|
|
JS Sandbox: vm.runInNewContext Restricted Globals
This exercise covers escaping vm.runInNewContext when specific safe objects are provided but frozen, using Error objects or Promise callbacks.
|
-- | |
4 | PRO |
|
|
JS Sandbox: vm.runInNewContext Null Prototype
This exercise covers escaping vm.runInNewContext when the context is created with Object.create(null) so this.constructor is undefined.
|
-- | |
4 | PRO |
|
|
JS Sandbox: static-eval Destructuring Parameter Bypass
This exercise covers bypassing static-eval parameter validation using destructured parameters (ObjectPattern).
|
1-2 Hr. | |
2 | PRO |
|
|
JS Sandbox: static-eval Direct Constructor Access
This exercise covers exploiting the original unpatched static-eval with unrestricted property access on functions.
|
-- | |
4 | PRO |
|
CVE-2026-XX242
This challenge covers the review of a CVE in a python codebase and its patch
|
-- |  |
14 | PRO |
|
|
CVE-2026-XX738
This challenge covers the review of a CVE in a python codebase and its patch
|
-- | |
14 | PRO |
|
|
Web Fundamentals: Introduction | -- | |
40 | PRO |
|
|
JS Sandbox: AST-Based Filtering
This exercise covers bypassing AST-based sandbox filtering using computed property access or Reflect.get().
|
-- | |
9 | PRO |
|
|
JS Sandbox: Type Confusion Bypass
This exercise covers bypassing string sanitization by sending an object when the sanitizer expects a string.
|
-- | |
9 | PRO |
|
|
JS Sandbox: Regex Filter Bypass
This exercise covers bypassing regex filters with hex escapes, unicode escapes, or base64 decoding.
|
< 1 Hr. | |
10 | PRO |
|
|
JS Sandbox: vm.runInNewContext Empty Context
This exercise covers escaping Node.js vm.runInNewContext with an empty sandbox object via the constructor chain.
|
-- | |
8 | PRO |
|
|
CVE-2024-X7X95
This challenge covers the review of a CVE in a JavaScript codebase and its patch
|
< 1 Hr. | |
21 | PRO |
|
|
CVE-2025-XXXXX
This challenge covers the review of a CVE in a JavaScript codebase and its patch
|
< 1 Hr. | |
24 | PRO |
|
|
CVE-2026-XX292
This challenge covers the review of a CVE in a typescript codebase and its patch
|
-- | |
31 | PRO |
|
|
CVE-2026-XX822
This challenge covers the review of a CVE in a typescript codebase and its patch
|
< 1 Hr. | |
33 | PRO |
|
|
CVE-2026-XX27
This challenge covers the review of a CVE in a javascript codebase and its patch
|
-- | |
29 | PRO |
|
|
Web Fundamentals: Content Delivery Network | < 1 Hr. | |
53 | PRO |
|
|
Web Fundamentals: URL Parsing | < 1 Hr. | |
75 | PRO |
|
|
Web Fundamentals: Virtual Hosts | < 1 Hr. | |
57 | PRO |
|
Web Fundamentals: HTTP | < 1 Hr. | |
70 | PRO |
|
|
Web Fundamentals: URL Encoding | < 1 Hr. | |
76 | PRO |
|
|
Web Fundamentals: HTML | < 1 Hr. | |
69 | PRO |
|
|
Web Fundamentals: HTML Forms | < 1 Hr. | |
61 | PRO |
|
|
Web Fundamentals: Cookies | < 1 Hr. | |
63 | PRO |
|
|
Web Fundamentals: JSON | < 1 Hr. | |
58 | PRO |
|
|
JS Sandbox: The Function Constructor
This exercise covers using Function(...)() as an eval alternative to execute arbitrary code in an app that blocks eval.
|
< 1 Hr. |  |
19 | PRO |
|
|
JS Sandbox: Keyword Blocklist Bypass
This exercise covers bypassing indexOf/includes blocklists with bracket notation and string concatenation.
|
< 1 Hr. | |
18 | PRO |
|
|
JS Sandbox: From Sandbox Escape to RCE
This exercise covers the standard Node.js RCE chain: process -> mainModule -> require('child_process') -> execSync.
|
< 1 Hr. | |
19 | PRO |
|
|
JS Sandbox: Prototype Chain Navigation
This exercise covers navigating __proto__, .constructor, and .prototype from a string literal to reach the Function constructor.
|
< 1 Hr. | |
24 | PRO |
Showing 1–30 of 734 exercises
Free Labs of the Month
