Exercises

Exercise Avg. Time Difficulty Solved by Tier
GraphQL: SQL Injection
This exercise covers how to use introspection and a SQL injection to get access to additional information in GraphQL.
1-2 Hr. medium 1501 PRO
OAuth2: Authorization Server OpenRedirect
This exercise covers the exploitation of an OpenRedirect in an OAuth2 Authorization Server
< 1 Hr. medium 961 PRO
SAML: Signature Stripping
This exercise covers the exploitation of a signature stripping vulnerability in SAML
< 1 Hr. medium 2137 PRO
Android 05
This exercise will guide you through the process of reversing a simple obfuscated Android code to recover the encrypted data
1-2 Hr. medium 2046 PRO
Ruby 2.x Universal RCE Deserialization Gadget Chain
This exercise covers how to get code execution by using a Ruby Universal Gadget when an attacker controls the data passed to Marshal.load()
< 1 Hr. medium 1434 PRO
CVE-2018-10933: LibSSH auth bypass
This exercise covers how to bypass authentication on an SSH server based on libssh to gain a shell on the affected system
-- medium 0 FREE
Android 04
This exercise will guide you through the process of reversing a simple Android code
< 1 Hr. medium 2601 PRO
Android 03
This exercise will guide you through the process of extracting simple information from an APK
< 1 Hr. medium 3442 PRO
Introduction to CSP
This exercise details the exploitation of an XSS in a simple web application that uses Content Security Policy
< 1 Hr. medium 2544 PRO
Git Information Leak II
This exercise details how to retrieve information from an exposed .git directory on a web server, provided directory listing is disabled
< 1 Hr. medium 2651 PRO
CVE-2016-5386: HTTPoxy/Golang HTTProxy namespace conflict
This exercise covers the exploitation of HTTPoxy against an old version of Golang
< 1 Hr. medium 948 PRO
Unix 31
This exercise is one of our challenges to help you learn more about Unix/Linux
< 1 Hr. medium 14284 PRO
Unix 30
This exercise is one of our challenges to help you learn more about Unix/Linux
< 1 Hr. medium 14312 PRO
CBC-MAC II Crypto
This exercise covers the exploitation of an application using CBC-MAC when an attacker has control over the IV
1-2 Hr. medium 1775 PRO
JWT VI JWT
This exercise covers the exploitation of an injection in the kid element of a JWT. This injection can be used to bypass the signature mechanism
< 1 Hr. medium 2606 PRO
CVE-2018-6574: go get RCE
This exercise covers a remote command execution in Golang's go get command.
< 1 Hr. medium 914 PRO
Unix 15
This exercise is one of our challenges to help you learn more about Unix/Linux
< 1 Hr. medium 16577 PRO
Unix 20
This exercise is one of our challenges to help you learn more about Unix/Linux
< 1 Hr. medium 15241 PRO
JWT V JWT
This exercise covers the exploitation of a trivial secret used to sign JWT tokens.
< 1 Hr. medium 3169 PRO
JWT IV JWT
This exercise covers the exploitation of a vulnerability similar to the recent CVE-2017-17405 impacting Ruby Net::FTP
< 1 Hr. medium 2757 PRO
JWT kid Injection JWT
This exercise covers the exploitation of an issue in the usage of JWT token
1-2 Hr. medium 2983 PRO
Code Execution 09
This exercise is one of our challenges on Code Execution
< 1 Hr. medium 11044 PRO
Server Side Template Injection 02
This exercise is one of our challenges on Server-Side Template Injection
< 1 Hr. medium 8730 PRO
Authorization 06
This exercise is one of our challenges on Authorisation issues
< 1 Hr. medium 15167 PRO
Code Execution 08
This exercise is one of our challenges on Code Execution
< 1 Hr. medium 11139 PRO
Authorization 04
This exercise is one of our challenges on Authorisation issues
< 1 Hr. medium 16497 PRO
Authorization 05
This exercise is one of our challenges on Authorisation issues
< 1 Hr. medium 15792 PRO
Server Side Template Injection 01
This exercise is one of our challenges on Server-Side Template Injection
< 1 Hr. medium 8725 PRO
Code Execution 05
This exercise is one of our challenges on Code Execution
< 1 Hr. medium 12703 PRO
Code Execution 07
This exercise is one of our challenges on Code Execution
< 1 Hr. medium 12156 PRO
Showing 181–210 of 260 exercises