Web Security Training Platform

Master cybersecurity vulnerabilities through hands-on labs designed to challenge and enhance your penetration testing skills.

217+
Labs Available
22
Vulnerability Types
3
Difficulty Levels
100%
Hands-On

Vulnerability Categories

Cross-Site Scripting (XSS)

LAB 1
Easy
Reflected XSS - Basic Input
ACCESS THE LAB
LAB 2
Easy
Reflected XSS - Script Tag Filter Evasion
ACCESS THE LAB
LAB 3
Medium
Reflected XSS - Script & Img Tag Filter
ACCESS THE LAB
LAB 4
Medium
Reflected XSS - Case-Insensitive Filter Bypass
ACCESS THE LAB
LAB 5
Hard
Reflected XSS - Less-Than Sign Filter
ACCESS THE LAB
LAB 6
Hard
Reflected XSS in HTML Title Tag
ACCESS THE LAB
LAB 7
Easy
Reflected XSS in Page Heading
ACCESS THE LAB
LAB 8
Easy
Reflected XSS - Function Name Filter
ACCESS THE LAB
LAB 9
Medium
Reflected XSS - Extended Function Filter
ACCESS THE LAB
LAB 10
Medium
Reflected XSS - Event Handler Filter
ACCESS THE LAB
LAB 11
Hard
Reflected XSS - Multi-Parameter Filter Evasion
ACCESS THE LAB
LAB 12
Hard
Reflected XSS - Encoding Bypass Attempts
ACCESS THE LAB
LAB 13
Hard
Reflected XSS - Mixed Security Parameters
ACCESS THE LAB
LAB 14
Hard
Reflected XSS - String Concatenation Bypass
ACCESS THE LAB
LAB 16
Hard
Reflected XSS in Search Function
ACCESS THE LAB
LAB 17
Hard
Reflected XSS in Category Filter
ACCESS THE LAB
LAB 18
Hard
Stored XSS - User Comments System
ACCESS THE LAB
LAB 19
Hard
Stored XSS - User Profile Management
ACCESS THE LAB
LAB 20
Hard
Stored XSS - Blog Post System
ACCESS THE LAB
LAB 21
Hard
Stored XSS - Support Ticket System
ACCESS THE LAB
LAB 22
Hard
Stored XSS - Admin Panel Settings
ACCESS THE LAB
LAB 50
Hard
Self XSS via POST Parameter
ACCESS THE LAB
LAB 51
Hard
POST-Based Reflected XSS
ACCESS THE LAB
LAB 52
Hard
POST XSS in Input Tag Value
ACCESS THE LAB
LAB 53
Hard
POST XSS in Document Title
ACCESS THE LAB
LAB 54
Hard
DOM-based XSS with jQuery
ACCESS THE LAB
LAB 55
Hard Real World
Reflected XSS in JS Analytics Context (Equifax — HackerOne #1818163)
ACCESS THE LAB
LAB 56
Low Real World
Reflected XSS in HTML Attribute Context (PUBG — HackerOne #751870)
ACCESS THE LAB
LAB 57
Low Real World
XSS via javascript: URI in Redirect Parameter (Shopify — HackerOne #1940245)
ACCESS THE LAB
LAB 58
Medium Real World
Reflected XSS in URL Path Segment (Imgur Mobile — HackerOne #149855)
ACCESS THE LAB
LAB 59
Hard Real World
Reflected XSS via Unquoted Attribute Injection (Reddit — HackerOne #1549206)
ACCESS THE LAB
LAB 60
Hard Real World
Stored XSS in Report Name Field (MoPub / Twitter — HackerOne #485748)
ACCESS THE LAB
LAB 61
Medium Real World
Stored XSS via Rich Text Editor HTML Tab in Article Body — Quill CMS (Shopify — HackerOne #1147433)
ACCESS THE LAB
LAB 62
Medium Real World
Stored XSS in Profile Signature Field — DevAsk Forum (Acronis — HackerOne #1084183)
ACCESS THE LAB
LAB 63
Medium Real World
Blind Stored XSS in Company Name (Informatica — HackerOne #1011888)
ACCESS THE LAB
LAB 64
Hard Real World
Blind XSS via Support Ticket Form — ZAP-Hosting (Name, Subject & Message fields)
ACCESS THE LAB
LAB 65
Medium Real World HackerOne #474656
DOM XSS via URL Tracking Parameter — HackerOne Careers
?lever- tracking param → jQuery.append() unsanitized sink
ACCESS THE LAB
LAB 66
Medium Real World HackerOne #324303
DOM XSS via URL Hash Fragment — MyCrypto Wallet
#send-transaction hash → innerHTML unsanitized sink
ACCESS THE LAB
LAB 67
Hard Real World HackerOne #396493
Reflected DOM XSS via URL + prettyPhoto Hash Chain — Starbucks UK
?slug= → canonical link attr injection + prettyPhoto jQuery trigger
ACCESS THE LAB
LAB 68
Medium Real World HackerOne #704266
DOM XSS via Hash in jQuery Fancybox Selector — ForeScout Technologies
window.location.hash → .html() unsanitized sink
ACCESS THE LAB
LAB 69
Medium Real World HackerOne #1004833
DOM XSS via javascript: URI in location.replace — Informatica IQ Card
document.location.search → location.replace() navigation sink
ACCESS THE LAB

HTML Injection (HTMLI)

LAB 1
Easy Real World
HTML Injection in Support Chat (LinkedIn — HackerOne #3079966)
ACCESS THE LAB
LAB 2
Easy Real World
Reflected HTML Injection via Search Parameter (E-commerce — Common Real-World Pattern)
ACCESS THE LAB
LAB 3
Easy Real World
Stored HTML Injection via Nickname in Wallet-Share Email (Romit - HackerOne #57914)
ACCESS THE LAB
LAB 4
Easy Real World
Stored HTML Tag Injection via Profile Name in Snippets Page (GitLab — HackerOne #358001)
ACCESS THE LAB
LAB 5
Medium Real World
HTML Injection via First/Last Name in Confirmation Email (HackerOne — #1374017)
ACCESS THE LAB

Open Redirect

LAB 1
Easy
Basic URL Parameter Redirect
ACCESS THE LAB
LAB 2
Easy Real World
Open Redirect via URL Path Manipulation (Omise — HackerOne #504751)
ACCESS THE LAB
LAB 3
Easy Real World
Open Redirect via URL Parameter (?url=) — Semrush · HackerOne #311330
ACCESS THE LAB
LAB 4
Medium Real World
Open Redirect via \@ Validator Bypass (Tumblr — HackerOne #2812583)
ACCESS THE LAB

Authentication Bypass

LAB 1
Medium Real World
Admin Auth Bypass via Response Manipulation (UPS — HackerOne #1490470)
ACCESS THE LAB
LAB 2
Medium
OTP Verification Bypass via Response Manipulation
ACCESS THE LAB
LAB 3
Medium
Phone OTP Bypass via Response Manipulation
ACCESS THE LAB

SQL Injection (SQLI)

LAB 1
Easy
SQL Injection - Login Bypass
ACCESS THE LAB
LAB 2
Easy
INSERT SQL Injection - Comment System
ACCESS THE LAB
LAB 3
Medium
CRUD SQL Injection - Book Management
ACCESS THE LAB
LAB 4
Medium
Time-based Blind SQL Injection
ACCESS THE LAB
LAB 5
Medium
Integer-based SQL Injection
ACCESS THE LAB
LAB 6
Hard
User-Agent Header Blind SQL Injection
ACCESS THE LAB
LAB 7
Hard
Referer Header Blind SQL Injection
ACCESS THE LAB
LAB 8
Hard
X-Forwarded-For Header Blind SQL Injection
ACCESS THE LAB
LAB 9
Hard Real World
Time-based Blind SQLi via item_id + WAF Bypass (Zomato — #403616)
ACCESS THE LAB
LAB 10
Hard Real World
Time-based Blind SQLi via User-Agent + XOR Arithmetic (labs.data.gov — #297478)
ACCESS THE LAB
LAB 11
Hard Real World
UNION-based SQLi via URL siteId — Results Reflected in Page (IntenseDebate — #1046084)
ACCESS THE LAB
LAB 12
Hard Real World
Blind SQLi via phone_number Login Field + XOR Payload (MTN FutExpert — #1069531)
ACCESS THE LAB
LAB 13
Hard Real World
ORDER BY SQLi via WordPress Shortcode Parameter (drivegrab.com / Grab — #273946)
ACCESS THE LAB
LAB 14
Hard Real World
Boolean-blind SQLi via REST API Path Segment (inDrive — #2051931)
ACCESS THE LAB
LAB 15
Hard Real World
Time-Based Blind SQLi via JSONP Analytics Tracker (Rocket.Chat / AgileCRM — #433792)
ACCESS THE LAB
LAB 16
Hard Real World
Boolean-Blind SQLi in PUT API Path Segment (Hyperpure / Zomato — #1044716)
ACCESS THE LAB
LAB 17
Hard Real World
UNION-Based SQLi in Bearer-Auth Admin Search API (Acronis — #923020)
ACCESS THE LAB
LAB 18
Hard Real World
UNION SQLi in WooCommerce Coupon Usage Report (Automattic — #3198980)
ACCESS THE LAB
LAB 19
Hard Real World
Time-Based Blind SQLi + XOR WAF Bypass in WordPress Login (Acronis — #1224660)
ACCESS THE LAB
LAB 20
Hard Real World
UNION SQLi via Integer entryid in DoD Form Confirmation AJAX Endpoint (U.S. DoD — #3127198)
ACCESS THE LAB
LAB 21
Hard Real World
Blind SQLi via CASE/**/ WHEN + Comment-Space WAF Bypass in Zomato Banner API (Zomato — #838855)
ACCESS THE LAB
LAB 22
Medium Real World
Time-Based Blind SQLi via GET Parameter in IntenseDebate Comment Settings (Automattic — #1042746)
ACCESS THE LAB
LAB 23
Hard Real World
String SQLi via Nested Subquery WAF Bypass in DoD Publications (U.S. DoD — #491191)
ACCESS THE LAB
LAB 24
Medium Real World
Time-Based Blind SQLi via XOR in DoD Publications Search (U.S. DoD — #2312334)
ACCESS THE LAB

Cross-Site Request Forgery (CSRF)

LAB 1
Easy Real World
Login CSRF — Token Never Validated (HackerOne — HackerOne #834366)
ACCESS THE LAB

Server-Side Request Forgery (SSRF)

LAB 1
Easy
Source Code Viewer - Basic cURL SSRF
ACCESS THE LAB
LAB 2
Easy
Screenshot Tool - URL to Image
ACCESS THE LAB
LAB 3
Medium
Port-based Timing Attack
ACCESS THE LAB
LAB 4
Medium
Domain Restriction Bypass with Redirects
ACCESS THE LAB
LAB 5
Medium
Website Checker with IP Blacklist
ACCESS THE LAB
LAB 6
Medium
AWS Metadata Filter Bypass
ACCESS THE LAB
LAB 7
Easy
PDF Generator - URL to PDF
ACCESS THE LAB

Insecure Direct Object Reference (IDOR)

LAB 1
Easy
User Account Information Disclosure
ACCESS THE LAB

Server-Side Template Injection (SSTI)

LAB 1
Easy
Template Engine Code Injection
ACCESS THE LAB

Local File Inclusion (LFI)

LAB 1
Easy
Path Traversal - Basic
ACCESS THE LAB
LAB 2
Medium
CMS Local File Inclusion
ACCESS THE LAB
LAB 3
Hard
File Upload with LFI Vulnerability
ACCESS THE LAB
LAB 4
Easy
Image Gallery File Inclusion
ACCESS THE LAB

Remote File Inclusion (RFI)

LAB 1
Easy
Remote File Inclusion via URL
ACCESS THE LAB

Remote Code Execution (RCE)

LAB 1
Easy
OS Command Injection
ACCESS THE LAB