Exercises
| Exercise | Avg. Time | Difficulty | Solved by | Tier | |
|---|---|---|---|---|---|
|
JS Sandbox: static-eval Direct Constructor Access
This exercise covers exploiting the original unpatched static-eval with unrestricted property access on functions.
|
-- |  |
4 | PRO |
|
|
JS Sandbox: static-eval Destructuring Parameter Bypass
This exercise covers bypassing static-eval parameter validation using destructured parameters (ObjectPattern).
|
1-2 Hr. | |
2 | PRO |
|
|
JS Sandbox: vm.runInNewContext Null Prototype
This exercise covers escaping vm.runInNewContext when the context is created with Object.create(null) so this.constructor is undefined.
|
-- | |
4 | PRO |
|
|
JS Sandbox: static-eval Function Property Blocked
This exercise covers bypassing post-2.0 static-eval that blocks member access on functions, using anonymous function bodies.
|
-- | |
4 | PRO |
|
|
JS Sandbox: vm.runInNewContext Restricted Globals
This exercise covers escaping vm.runInNewContext when specific safe objects are provided but frozen, using Error objects or Promise callbacks.
|
-- | |
4 | PRO |
|
|
JS Sandbox: AST-Based Filtering
This exercise covers bypassing AST-based sandbox filtering using computed property access or Reflect.get().
|
-- | |
9 | PRO |
|
|
JS Sandbox: vm.runInNewContext Empty Context
This exercise covers escaping Node.js vm.runInNewContext with an empty sandbox object via the constructor chain.
|
-- | |
8 | PRO |
|
|
JS Sandbox: Regex Filter Bypass
This exercise covers bypassing regex filters with hex escapes, unicode escapes, or base64 decoding.
|
< 1 Hr. | |
10 | PRO |
|
|
JS Sandbox: Type Confusion Bypass
This exercise covers bypassing string sanitization by sending an object when the sanitizer expects a string.
|
-- | |
9 | PRO |
|
|
JS Sandbox: Keyword Blocklist Bypass
This exercise covers bypassing indexOf/includes blocklists with bracket notation and string concatenation.
|
< 1 Hr. | |
18 | PRO |
|
|
Latex: --shell-escape
This exercise covers how one can leverage latex when pdflatex is used with the --shell-escape option to gain command execution.
|
< 1 Hr. | |
50 | PRO |
|
CVE-2022-24720
This exercise covers how one can leverage image processing in ActiveStorage to gain command execution.
|
1-2 Hr. | |
33 | PRO |
|
|
CVE-2024-47081 | < 1 Hr. | |
26 | PRO |
|
|
UUIDv1 IDOR | 1-2 Hr. | |
219 | PRO |
|
API Mass-Assignment 03 | < 1 Hr. | |
424 | PRO |
|
|
API Mass-Assignment 01 | < 1 Hr. | |
484 | PRO |
|
|
API Mass-Assignment 02 | < 1 Hr. | |
457 | PRO |
|
|
Mongo IDOR III | < 1 Hr. | |
239 | PRO |
|
|
API 19
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
537 | PRO |
|
|
API 20
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
518 | PRO |
|
|
API 18
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
550 | PRO |
|
|
API 17
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
461 | PRO |
|
|
API 16
This exercise covers how to exploit an authorization issue in an API.
|
< 1 Hr. | |
552 | PRO |
|
|
ORM LEAK: SQLite
This exercise covers how to exploit an ORM leak vulnerability
|
1-2 Hr. | |
158 | PRO |
|
|
ORM LEAK 02
This exercise covers how to exploit an ORM leak vulnerability
|
< 1 Hr. | |
231 | PRO |
|
|
ORM LEAK 01
This exercise covers how to exploit a simple ORM leak.
|
1-2 Hr. | |
275 | PRO |
|
|
API 14
This exercise covers how to exploit a leaked encrypted password with an API.
|
< 1 Hr. | |
713 | PRO |
|
|
API 12
This exercise covers a common filter bypass in API.
|
< 1 Hr. | |
762 | PRO |
|
|
API 10
This exercise covers a common filter bypass in API.
|
< 1 Hr. | |
872 | PRO |
|
|
API 11
This exercise covers a common filter bypass in API.
|
< 1 Hr. | |
802 | PRO |
Showing 1–30 of 260 exercises
Free Labs of the Month
