PortSwigger - All Labs - Web Security Academy

This document contains a list of labs covering different web security topics like SQL injection, cross-site scripting, cross-site request forgery, and clickjacking. The labs are organized by skill level from apprentice to expert and cover attacking and defending against various vulnerabilities within each topic area. There are over 100 individual labs aimed at helping the user learn and practice common security issues.

Uploaded by

Paulo Rebelo

4/26/23, 2:54 PM All labs | Web Security Academy

All labs
Mystery lab challenge
Try solving a random lab with the title and description hidden. As you'll have no prior knowledge of the type of vulnerability that you need to find and exploit, this is great for practicing recon and analysis.

SQL injection

APPRENTICE
LAB
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data 

APPRENTICE
LAB
SQL injection vulnerability allowing login bypass 

PRACTITIONER
LAB
SQL injection UNION attack, determining the number of columns returned by the query 

PRACTITIONER
LAB
SQL injection UNION attack, finding a column containing text 

PRACTITIONER
LAB
SQL injection UNION attack, retrieving data from other tables 

PRACTITIONER
LAB
SQL injection UNION attack, retrieving multiple values in a single column 

PRACTITIONER
LAB
SQL injection attack, querying the database type and version on Oracle 

PRACTITIONER
LAB
SQL injection attack, querying the database type and version on MySQL and Microsoft 

PRACTITIONER
LAB
SQL injection attack, listing the database contents on non-Oracle databases 

PRACTITIONER
LAB
SQL injection attack, listing the database contents on Oracle 

https://portswigger.net/web-security/all-labs 1/17
PRACTITIONER
LAB
Blind SQL injection with conditional responses 

PRACTITIONER
LAB
Blind SQL injection with conditional errors 

PRACTITIONER
LAB
Blind SQL injection with time delays 

PRACTITIONER
LAB
Blind SQL injection with time delays and information retrieval 

PRACTITIONER
LAB
Blind SQL injection with out-of-band interaction 

PRACTITIONER
LAB
Blind SQL injection with out-of-band data exfiltration 

PRACTITIONER
LAB
SQL injection with filter bypass via XML encoding 

Cross-site scripting

APPRENTICE
LAB
Reflected XSS into HTML context with nothing encoded 

APPRENTICE
LAB
Stored XSS into HTML context with nothing encoded 

APPRENTICE
LAB
DOM XSS in document.write sink using source location.search 

APPRENTICE
LAB
DOM XSS in innerHTML sink using source location.search 

APPRENTICE
LAB
DOM XSS in jQuery anchor href attribute sink using location.search source 

APPRENTICE
LAB
DOM XSS in jQuery selector sink using a hashchange event 

APPRENTICE
LAB
Reflected XSS into attribute with angle brackets HTML-encoded 

APPRENTICE
LAB
Stored XSS into anchor href attribute with double quotes HTML-encoded 

APPRENTICE
LAB
Reflected XSS into a JavaScript string with angle brackets HTML encoded

PRACTITIONER
LAB
DOM XSS in document.write sink using source location.search inside a select element

PRACTITIONER
LAB
DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded 

PRACTITIONER
LAB
Reflected DOM XSS 

PRACTITIONER
LAB
Stored DOM XSS 

PRACTITIONER
LAB
Exploiting cross-site scripting to steal cookies 

PRACTITIONER
LAB
Exploiting cross-site scripting to capture passwords 

PRACTITIONER
LAB
Exploiting XSS to perform CSRF 

PRACTITIONER
LAB
Reflected XSS into HTML context with most tags and attributes blocked 

PRACTITIONER
LAB
Reflected XSS into HTML context with all tags blocked except custom ones 

PRACTITIONER
LAB
Reflected XSS with some SVG markup allowed 

PRACTITIONER
LAB
Reflected XSS in canonical link tag 

PRACTITIONER
LAB
Reflected XSS into a JavaScript string with single quote and backslash escaped 

PRACTITIONER
LAB
Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

PRACTITIONER
LAB
Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

PRACTITIONER
LAB
Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

EXPERT
LAB
Reflected XSS with event handlers and href attributes blocked 

EXPERT
LAB
Reflected XSS in a JavaScript URL with some characters blocked 

EXPERT
LAB
Reflected XSS with AngularJS sandbox escape without strings 

EXPERT
LAB
Reflected XSS with AngularJS sandbox escape and CSP 

EXPERT
LAB
Reflected XSS protected by very strict CSP, with dangling markup attack 

EXPERT
LAB
Reflected XSS protected by CSP, with CSP bypass 

Cross-site request forgery (CSRF)

APPRENTICE
LAB
CSRF vulnerability with no defenses 

PRACTITIONER
LAB
CSRF where token validation depends on request method 

PRACTITIONER
LAB
CSRF where token validation depends on token being present 

PRACTITIONER
LAB
CSRF where token is not tied to user session 

PRACTITIONER
LAB
CSRF where token is tied to non-session cookie 

PRACTITIONER
LAB
CSRF where token is duplicated in cookie 

PRACTITIONER
LAB
SameSite Lax bypass via method override 

PRACTITIONER
LAB
SameSite Strict bypass via client-side redirect 

PRACTITIONER
LAB
SameSite Strict bypass via sibling domain 

PRACTITIONER
LAB
SameSite Lax bypass via cookie refresh 

PRACTITIONER
LAB
CSRF where Referer validation depends on header being present 

PRACTITIONER
LAB
CSRF with broken Referer validation 

Clickjacking

APPRENTICE
LAB
Basic clickjacking with CSRF token protection 

APPRENTICE
LAB
Clickjacking with form input data prefilled from a URL parameter 

APPRENTICE
LAB
Clickjacking with a frame buster script 

PRACTITIONER
LAB
Exploiting clickjacking vulnerability to trigger DOM-based XSS 

PRACTITIONER
LAB
Multistep clickjacking 

DOM-based vulnerabilities

PRACTITIONER
LAB
DOM XSS using web messages 

PRACTITIONER
LAB
DOM XSS using web messages and a JavaScript URL 

PRACTITIONER
LAB
DOM XSS using web messages and JSON.parse 

PRACTITIONER
LAB
DOM-based open redirection 

PRACTITIONER
LAB
DOM-based cookie manipulation 

EXPERT
LAB
Exploiting DOM clobbering to enable XSS

EXPERT
LAB
Clobbering DOM attributes to bypass HTML filters 

Cross-origin resource sharing (CORS)

APPRENTICE
LAB
CORS vulnerability with basic origin reflection 

APPRENTICE
LAB
CORS vulnerability with trusted null origin 

PRACTITIONER
LAB
CORS vulnerability with trusted insecure protocols 

EXPERT
LAB
CORS vulnerability with internal network pivot attack 

XML external entity (XXE) injection

APPRENTICE
LAB
Exploiting XXE using external entities to retrieve files 

APPRENTICE
LAB
Exploiting XXE to perform SSRF attacks 

PRACTITIONER
LAB
Blind XXE with out-of-band interaction 

PRACTITIONER
LAB
Blind XXE with out-of-band interaction via XML parameter entities 

PRACTITIONER
LAB
Exploiting blind XXE to exfiltrate data using a malicious external DTD 

PRACTITIONER
LAB
Exploiting blind XXE to retrieve data via error messages 

PRACTITIONER
LAB
Exploiting XInclude to retrieve files 

PRACTITIONER
LAB
Exploiting XXE via image file upload 

EXPERT
LAB
Exploiting XXE to retrieve data by repurposing a local DTD 

Server-side request forgery (SSRF)

APPRENTICE
LAB
Basic SSRF against the local server 

APPRENTICE
LAB
Basic SSRF against another back-end system 

PRACTITIONER
LAB
SSRF with blacklist-based input filter 

PRACTITIONER
LAB
SSRF with filter bypass via open redirection vulnerability 

PRACTITIONER
LAB
Blind SSRF with out-of-band detection 

EXPERT
LAB
SSRF with whitelist-based input filter 

EXPERT
LAB
Blind SSRF with Shellshock exploitation 

HTTP request smuggling

PRACTITIONER
LAB
HTTP request smuggling, basic CL.TE vulnerability 

PRACTITIONER
LAB
HTTP request smuggling, basic TE.CL vulnerability 

PRACTITIONER
LAB
HTTP request smuggling, obfuscating the TE header 

PRACTITIONER
LAB
HTTP request smuggling, confirming a CL.TE vulnerability via differential responses 

PRACTITIONER
LAB
HTTP request smuggling, confirming a TE.CL vulnerability via differential responses 

PRACTITIONER
LAB
Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability

PRACTITIONER
LAB
Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

PRACTITIONER
LAB
Exploiting HTTP request smuggling to reveal front-end request rewriting 

PRACTITIONER
LAB
Exploiting HTTP request smuggling to capture other users' requests 

PRACTITIONER
LAB
Exploiting HTTP request smuggling to deliver reflected XSS 

PRACTITIONER
LAB
Response queue poisoning via H2.TE request smuggling 

PRACTITIONER
LAB
H2.CL request smuggling 

PRACTITIONER
LAB
HTTP/2 request smuggling via CRLF injection 

PRACTITIONER
LAB
HTTP/2 request splitting via CRLF injection 

PRACTITIONER
LAB
CL.0 request smuggling 

EXPERT
LAB
Exploiting HTTP request smuggling to perform web cache poisoning 

EXPERT
LAB
Exploiting HTTP request smuggling to perform web cache deception 

EXPERT
LAB
Bypassing access controls via HTTP/2 request tunnelling 

EXPERT
LAB
Web cache poisoning via HTTP/2 request tunnelling 

EXPERT
LAB
Client-side desync 

EXPERT
LAB
Browser cache poisoning via client-side desync 

EXPERT
LAB
Server-side pause-based request smuggling 

OS command injection

APPRENTICE
LAB
OS command injection, simple case 

PRACTITIONER
LAB
Blind OS command injection with time delays 

PRACTITIONER
LAB
Blind OS command injection with output redirection 

PRACTITIONER
LAB
Blind OS command injection with out-of-band interaction 

PRACTITIONER
LAB
Blind OS command injection with out-of-band data exfiltration 

Server-side template injection

PRACTITIONER
LAB
Basic server-side template injection 

PRACTITIONER
LAB
Basic server-side template injection (code context) 

PRACTITIONER
LAB
Server-side template injection using documentation 

PRACTITIONER
LAB
Server-side template injection in an unknown language with a documented exploit 

PRACTITIONER
LAB
Server-side template injection with information disclosure via user-supplied objects 

EXPERT
LAB
Server-side template injection in a sandboxed environment 

EXPERT
LAB
Server-side template injection with a custom exploit 

Directory traversal

APPRENTICE
LAB
File path traversal, simple case 

PRACTITIONER
LAB
File path traversal, traversal sequences blocked with absolute path bypass 

PRACTITIONER
LAB
File path traversal, traversal sequences stripped non-recursively 

PRACTITIONER
LAB
File path traversal, traversal sequences stripped with superfluous URL-decode 

PRACTITIONER
LAB
File path traversal, validation of start of path 

PRACTITIONER
LAB
File path traversal, validation of file extension with null byte bypass 

Access control vulnerabilities

APPRENTICE
LAB
Unprotected admin functionality 

APPRENTICE
LAB
Unprotected admin functionality with unpredictable URL 

APPRENTICE
LAB
User role controlled by request parameter 

APPRENTICE
LAB
User role can be modified in user profile 

APPRENTICE
LAB
User ID controlled by request parameter 

APPRENTICE
LAB
User ID controlled by request parameter, with unpredictable user IDs 

APPRENTICE
LAB
User ID controlled by request parameter with data leakage in redirect 

APPRENTICE
LAB
User ID controlled by request parameter with password disclosure 

APPRENTICE
LAB
Insecure direct object references 

PRACTITIONER
LAB
URL-based access control can be circumvented 

PRACTITIONER
LAB
Method-based access control can be circumvented 

PRACTITIONER
LAB
Multi-step process with no access control on one step 

PRACTITIONER
LAB
Referer-based access control 

Authentication

APPRENTICE
LAB
Username enumeration via different responses 

APPRENTICE
LAB
2FA simple bypass 

APPRENTICE
LAB
Password reset broken logic 

PRACTITIONER
LAB
Username enumeration via subtly different responses 

PRACTITIONER
LAB
Username enumeration via response timing 

PRACTITIONER
LAB
Broken brute-force protection, IP block 

PRACTITIONER
LAB
Username enumeration via account lock 

PRACTITIONER
LAB
2FA broken logic 

PRACTITIONER
LAB
Brute-forcing a stay-logged-in cookie 

PRACTITIONER
LAB
Offline password cracking 

PRACTITIONER
LAB
Password reset poisoning via middleware 

PRACTITIONER
LAB
Password brute-force via password change 

EXPERT
LAB
Broken brute-force protection, multiple credentials per request 

EXPERT
LAB
2FA bypass using a brute-force attack 

WebSockets

APPRENTICE
LAB
Manipulating WebSocket messages to exploit vulnerabilities 

PRACTITIONER
LAB
Manipulating the WebSocket handshake to exploit vulnerabilities 

PRACTITIONER
LAB
Cross-site WebSocket hijacking 

Web cache poisoning

PRACTITIONER
LAB
Web cache poisoning with an unkeyed header 

PRACTITIONER
LAB
Web cache poisoning with an unkeyed cookie 

PRACTITIONER
LAB
Web cache poisoning with multiple headers 

PRACTITIONER
LAB
Targeted web cache poisoning using an unknown header 

PRACTITIONER
LAB
Web cache poisoning via an unkeyed query string 

PRACTITIONER
LAB
Web cache poisoning via an unkeyed query parameter 

PRACTITIONER
LAB
Parameter cloaking 

PRACTITIONER
LAB
Web cache poisoning via a fat GET request 

PRACTITIONER
LAB
URL normalization 

EXPERT
LAB
Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria

EXPERT
LAB
Combining web cache poisoning vulnerabilities 

EXPERT
LAB
Cache key injection

EXPERT
LAB
Internal cache poisoning 

Insecure deserialization

APPRENTICE
LAB
Modifying serialized objects 

PRACTITIONER
LAB
Modifying serialized data types 

PRACTITIONER
LAB
Using application functionality to exploit insecure deserialization 

PRACTITIONER
LAB
Arbitrary object injection in PHP 

PRACTITIONER
LAB
Exploiting Java deserialization with Apache Commons 

PRACTITIONER
LAB
Exploiting PHP deserialization with a pre-built gadget chain 

PRACTITIONER
LAB
Exploiting Ruby deserialization using a documented gadget chain 

EXPERT
LAB
Developing a custom gadget chain for Java deserialization 

EXPERT
LAB
Developing a custom gadget chain for PHP deserialization 

EXPERT
LAB
Using PHAR deserialization to deploy a custom gadget chain 

Information disclosure

APPRENTICE
LAB
Information disclosure in error messages 

APPRENTICE
LAB
Information disclosure on debug page 

APPRENTICE
LAB
Source code disclosure via backup files 

APPRENTICE
LAB
Authentication bypass via information disclosure 

PRACTITIONER
LAB
Information disclosure in version control history 

Business logic vulnerabilities

APPRENTICE
LAB
Excessive trust in client-side controls 

APPRENTICE
LAB
High-level logic vulnerability 

APPRENTICE
LAB
Inconsistent security controls 

APPRENTICE
LAB
Flawed enforcement of business rules 

PRACTITIONER
LAB
Low-level logic flaw 

PRACTITIONER
LAB
Inconsistent handling of exceptional input 

PRACTITIONER
LAB
Weak isolation on dual-use endpoint 

PRACTITIONER
LAB
Insufficient workflow validation 

PRACTITIONER
LAB
Authentication bypass via flawed state machine 

PRACTITIONER
LAB
Infinite money logic flaw 

PRACTITIONER
LAB
Authentication bypass via encryption oracle 

HTTP Host header attacks

APPRENTICE
LAB
Basic password reset poisoning 

APPRENTICE
LAB
Host header authentication bypass

PRACTITIONER
LAB
Web cache poisoning via ambiguous requests 

PRACTITIONER
LAB
Routing-based SSRF 

PRACTITIONER
LAB
SSRF via flawed request parsing 

PRACTITIONER
LAB
Host validation bypass via connection state attack 

EXPERT
LAB
Password reset poisoning via dangling markup 

OAuth authentication

APPRENTICE
LAB
Authentication bypass via OAuth implicit flow 

PRACTITIONER
LAB
Forced OAuth profile linking 

PRACTITIONER
LAB
OAuth account hijacking via redirect_uri 

PRACTITIONER
LAB
Stealing OAuth access tokens via an open redirect 

PRACTITIONER
LAB
SSRF via OpenID dynamic client registration 

EXPERT
LAB
Stealing OAuth access tokens via a proxy page 

File upload vulnerabilities

APPRENTICE
LAB
Remote code execution via web shell upload 

APPRENTICE
LAB
Web shell upload via Content-Type restriction bypass 

PRACTITIONER
LAB
Web shell upload via path traversal 

PRACTITIONER
LAB
Web shell upload via extension blacklist bypass 

PRACTITIONER
LAB
Web shell upload via obfuscated file extension 

PRACTITIONER
LAB
Remote code execution via polyglot web shell upload 

EXPERT
LAB
Web shell upload via race condition 

JWT

APPRENTICE
LAB
JWT authentication bypass via unverified signature 

APPRENTICE
LAB
JWT authentication bypass via flawed signature verification 

PRACTITIONER
LAB
JWT authentication bypass via weak signing key 

PRACTITIONER
LAB
JWT authentication bypass via jwk header injection 

PRACTITIONER
LAB
JWT authentication bypass via jku header injection 

PRACTITIONER
LAB
JWT authentication bypass via kid header path traversal 

EXPERT
LAB
JWT authentication bypass via algorithm confusion 

EXPERT
LAB
JWT authentication bypass via algorithm confusion with no exposed key 

Essential skills

PRACTITIONER
LAB
Discovering vulnerabilities quickly with targeted scanning 

Prototype pollution

PRACTITIONER
LAB
DOM XSS via client-side prototype pollution 

PRACTITIONER
LAB
DOM XSS via an alternative prototype pollution vector 

PRACTITIONER
LAB
Client-side prototype pollution via flawed sanitization 

PRACTITIONER
LAB
Client-side prototype pollution in third-party libraries 

PRACTITIONER
LAB
Client-side prototype pollution via browser APIs 

PRACTITIONER
LAB
Privilege escalation via server-side prototype pollution 

PRACTITIONER
LAB
Detecting server-side prototype pollution without polluted property reflection 

PRACTITIONER
LAB
Bypassing flawed input filters for server-side prototype pollution 

PRACTITIONER
LAB
Remote code execution via server-side prototype pollution 

EXPERT
LAB
Exfiltrating sensitive data via server-side prototype pollution 
