PortSwigger
Web Security Academy Labs
Exploiting an API endpoint using documentation · API Testing · apprentice
Exploiting a mass assignment vulnerability · API Testing · practitioner
Exploiting server-side parameter pollution in a REST URL · API Testing · practitioner
Exploiting server-side parameter pollution in a query string · API Testing · practitioner
Finding and exploiting an unused API endpoint · API Testing · practitioner
Insecure direct object references · Access Control · apprentice
Unprotected admin functionality · Access Control · apprentice
Unprotected admin functionality with unpredictable URL · Access Control · apprentice
User ID controlled by request parameter · Access Control · apprentice
User ID controlled by request parameter with data leak · Access Control · apprentice
User ID controlled by request parameter with password disclosure · Access Control · apprentice
User role can be modified in user profile · Access Control · apprentice
User role controlled by request parameter · Access Control · apprentice
DOM-based open redirection · Access Control · practitioner
Method-based access control can be circumvented · Access Control · practitioner
Multi-step process with no access control on one step · Access Control · practitioner
Referer-based access control · Access Control · practitioner
URL-based access control can be circumvented · Access Control · practitioner
2FA simple bypass · Authentication · apprentice
Password reset broken logic · Authentication · apprentice
Username enumeration via different responses · Authentication · apprentice
2FA bypass using a brute-force attack · Authentication · expert
Broken brute-force protection, multiple credentials · Authentication · expert
Password reset poisoning via dangling markup · Authentication · expert
2FA broken logic · Authentication · practitioner
Broken brute-force protection, IP block · Authentication · practitioner
Brute-forcing a stay-logged-in cookie · Authentication · practitioner
Offline password cracking · Authentication · practitioner
Password brute-force via password change · Authentication · practitioner
Password reset poisoning via middleware · Authentication · practitioner
Username enumeration via account lock · Authentication · practitioner
Username enumeration via subtly different responses · Authentication · practitioner
Excessive trust in client-side controls · Business Logic · apprentice
Flawed enforcement of business rules · Business Logic · apprentice
High-level logic vulnerability · Business Logic · apprentice
Inconsistent security controls · Business Logic · apprentice
Authentication bypass via encryption oracle · Business Logic · practitioner
Authentication bypass via flawed state machine · Business Logic · practitioner
Inconsistent handling of exceptional input · Business Logic · practitioner
Infinite money logic flaw · Business Logic · practitioner
Insufficient workflow validation · Business Logic · practitioner
Low-level logic flaw · Business Logic · practitioner
Weak isolation on dual-use endpoint · Business Logic · practitioner
CORS vulnerability with basic origin reflection · CORS · apprentice
CORS vulnerability with internal network pivot attack · CORS · expert
CORS vulnerability with trusted insecure protocols · CORS · practitioner
CORS vulnerability with trusted null origin · CORS · practitioner
CSRF vulnerability with no defenses · CSRF · apprentice
CSRF where Referer validation depends on header being present · CSRF · practitioner
CSRF where token is duplicated in cookie · CSRF · practitioner
CSRF where token is not tied to user session · CSRF · practitioner
CSRF where token is tied to a non-session cookie · CSRF · practitioner
CSRF where token validation depends on request method · CSRF · practitioner
CSRF where token validation depends on token being present · CSRF · practitioner
CSRF with broken Referer validation · CSRF · practitioner
SameSite Lax bypass via cookie refresh · CSRF · practitioner
SameSite Lax bypass via method override · CSRF · practitioner
SameSite Strict bypass via client-side redirect · CSRF · practitioner
SameSite Strict bypass via sibling domain · CSRF · practitioner
Basic clickjacking with CSRF token protection · Clickjacking · apprentice
Clickjacking with form input data prefilled from URL parameter · Clickjacking · apprentice
Clickjacking with a frame buster script · Clickjacking · practitioner
Exploiting clickjacking vulnerability to trigger DOM-based XSS · Clickjacking · practitioner
Multistep clickjacking · Clickjacking · practitioner
OS command injection, simple case · Command Injection · apprentice
Blind OS command injection with out-of-band data exfiltration · Command Injection · practitioner
Blind OS command injection with out-of-band interaction · Command Injection · practitioner
Blind OS command injection with output redirection · Command Injection · practitioner
Blind OS command injection with time delays · Command Injection · practitioner
Modifying serialized objects · Deserialization · apprentice
Developing a custom gadget chain for Java deserialization · Deserialization · expert
Developing a custom gadget chain for PHP deserialization · Deserialization · expert
Using PHAR deserialization to deploy a custom gadget chain · Deserialization · expert
Arbitrary object injection in PHP · Deserialization · practitioner
Exploiting Java deserialization with Apache Commons · Deserialization · practitioner
Exploiting PHP deserialization with pre-built gadget chain · Deserialization · practitioner
Exploiting Ruby deserialization using a documented gadget · Deserialization · practitioner
Modifying serialized data types · Deserialization · practitioner
Using application functionality to exploit deserialization · Deserialization · practitioner
Discovering vulnerabilities quickly with targeted scanning · Essential Skills · apprentice
Scanning non-standard data structures · Essential Skills · practitioner
Using Burp Scanner during manual testing · Essential Skills · practitioner
Web security testing with Burp Scanner · Essential Skills · practitioner
Remote code execution via web shell upload · File Upload · apprentice
Web shell upload via Content-Type restriction bypass · File Upload · apprentice
Web shell upload via race condition · File Upload · expert
Remote code execution via polyglot web shell upload · File Upload · practitioner
Web shell upload via extension blacklist bypass · File Upload · practitioner
Web shell upload via obfuscated file extension · File Upload · practitioner
Web shell upload via path traversal · File Upload · practitioner
Accessing private GraphQL posts · GraphQL · apprentice
Accidental exposure of private GraphQL fields · GraphQL · practitioner
Bypassing GraphQL brute force protections · GraphQL · practitioner
Finding a hidden GraphQL endpoint · GraphQL · practitioner
Performing CSRF exploits over GraphQL · GraphQL · practitioner
Browser cache poisoning via client-side desync · HTTP Request Smuggling · expert
Bypassing access controls via HTTP/2 smuggling · HTTP Request Smuggling · expert
CL.0 request smuggling via browser · HTTP Request Smuggling · expert
Client-side desync (web timing) · HTTP Request Smuggling · expert
Exploiting HTTP request smuggling to perform cache deception · HTTP Request Smuggling · expert
HTTP request smuggling via client-side desync · HTTP Request Smuggling · expert
HTTP request smuggling, basic TE.TE · HTTP Request Smuggling · expert
Server-side pause-based request smuggling · HTTP Request Smuggling · expert
CL.0 request smuggling · HTTP Request Smuggling · practitioner
Exploiting HTTP request smuggling to bypass access · HTTP Request Smuggling · practitioner
Exploiting HTTP request smuggling to capture request · HTTP Request Smuggling · practitioner
Exploiting HTTP request smuggling to deliver XSS · HTTP Request Smuggling · practitioner
Exploiting HTTP request smuggling to reveal headers · HTTP Request Smuggling · practitioner
H2.CL request smuggling · HTTP Request Smuggling · practitioner
HTTP request smuggling, basic CL.TE · HTTP Request Smuggling · practitioner
HTTP request smuggling, basic TE.CL · HTTP Request Smuggling · practitioner
HTTP request smuggling, confirming CL.TE via response · HTTP Request Smuggling · practitioner
HTTP request smuggling, confirming TE.CL via response · HTTP Request Smuggling · practitioner
HTTP request smuggling, obfuscating TE header · HTTP Request Smuggling · practitioner
HTTP/2 request smuggling via CRLF injection · HTTP Request Smuggling · practitioner
HTTP/2 request splitting via CRLF injection · HTTP Request Smuggling · practitioner
Response queue poisoning via H2.TE request smuggling · HTTP Request Smuggling · practitioner
Authentication bypass via information disclosure · Information Disclosure · apprentice
Information disclosure in error messages · Information Disclosure · apprentice
Information disclosure on debug page · Information Disclosure · apprentice
Source code disclosure via backup files · Information Disclosure · apprentice
Information disclosure in version control history · Information Disclosure · practitioner
JWT authentication bypass via flawed signature verification · JWT · apprentice
JWT authentication bypass via unverified signature · JWT · apprentice
JWT authentication bypass via algorithm confusion · JWT · expert
JWT authentication bypass via algorithm confusion with no key · JWT · expert
JWT authentication bypass via jku header injection · JWT · practitioner
JWT authentication bypass via jwk header injection · JWT · practitioner
JWT authentication bypass via kid header path traversal · JWT · practitioner
JWT authentication bypass via weak signing key · JWT · practitioner
Authentication bypass via OAuth implicit flow · OAuth · apprentice
Stealing OAuth access tokens via a proxy page · OAuth · expert
Forced OAuth profile linking · OAuth · practitioner
OAuth account hijacking via redirect_uri · OAuth · practitioner
SSRF via OpenID dynamic client registration · OAuth · practitioner
Stealing OAuth access tokens via an open redirect · OAuth · practitioner
File path traversal, simple case · Path Traversal · apprentice
File path traversal, traversal sequences blocked with absolute path bypass · Path Traversal · practitioner
File path traversal, traversal sequences stripped non-recursively · Path Traversal · practitioner
File path traversal, traversal sequences stripped with superfluous URL-decode · Path Traversal · practitioner
File path traversal, validation of file extension with null byte bypass · Path Traversal · practitioner
File path traversal, validation of start of path · Path Traversal · practitioner
Exfiltrating sensitive data via server-side prototype pollution · Prototype Pollution · expert
Bypassing flawed input filters for server-side prototype pollution · Prototype Pollution · practitioner
Client-side prototype pollution in third-party libraries · Prototype Pollution · practitioner
Client-side prototype pollution via browser APIs · Prototype Pollution · practitioner
Client-side prototype pollution via flawed sanitization · Prototype Pollution · practitioner
DOM XSS via an alternative prototype pollution vector · Prototype Pollution · practitioner
DOM XSS via client-side prototype pollution · Prototype Pollution · practitioner
Detecting server-side prototype pollution without polluted property reflection · Prototype Pollution · practitioner
Privilege escalation via server-side prototype pollution · Prototype Pollution · practitioner
Remote code execution via server-side prototype pollution · Prototype Pollution · practitioner
SQL injection vulnerability allowing login bypass · SQL Injection · apprentice
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data · SQL Injection · apprentice
Blind SQL injection with conditional errors · SQL Injection · practitioner
Blind SQL injection with conditional responses · SQL Injection · practitioner
Blind SQL injection with out-of-band data exfiltration · SQL Injection · practitioner
Blind SQL injection with out-of-band interaction · SQL Injection · practitioner
Blind SQL injection with time delays · SQL Injection · practitioner
Blind SQL injection with time delays and information retrieval · SQL Injection · practitioner
SQL injection UNION attack, determining the number of columns · SQL Injection · practitioner
SQL injection UNION attack, finding a column containing text · SQL Injection · practitioner
SQL injection UNION attack, retrieving data from other tables · SQL Injection · practitioner
SQL injection UNION attack, retrieving multiple values · SQL Injection · practitioner
SQL injection attack, listing database contents on Oracle · SQL Injection · practitioner
SQL injection attack, listing database contents on non-Oracle · SQL Injection · practitioner
SQL injection attack, querying the database type and version on MySQL · SQL Injection · practitioner
SQL injection attack, querying the database type and version on Oracle · SQL Injection · practitioner
SQL injection with filter bypass via XML encoding · SQL Injection · practitioner
Visible error-based SQL injection · SQL Injection · practitioner
Basic SSRF against another back-end system · SSRF · apprentice
Basic SSRF against the local server · SSRF · apprentice
SSRF with Shellshock exploitation · SSRF · expert
SSRF with whitelist-based input filter · SSRF · expert
Blind SSRF with out-of-band detection · SSRF · practitioner
SSRF with blacklist-based input filter · SSRF · practitioner
SSRF with filter bypass via open redirection · SSRF · practitioner
Manipulating WebSocket messages to exploit vulnerabilities · WebSockets · apprentice
Cross-site WebSocket hijacking · WebSockets · practitioner
Manipulating the WebSocket handshake to exploit vulnerabilities · WebSockets · practitioner
DOM XSS in document.write sink using source location.search · XSS · apprentice
DOM XSS in innerHTML sink using source location.search · XSS · apprentice
DOM XSS in jQuery anchor href attribute sink · XSS · apprentice
DOM XSS in jQuery selector sink using hashchange event · XSS · apprentice
Reflected XSS into HTML context with nothing encoded · XSS · apprentice
Reflected XSS into JavaScript string with angle brackets · XSS · apprentice
Reflected XSS into attribute with angle brackets HTML-encoded · XSS · apprentice
Stored XSS into HTML context with nothing encoded · XSS · apprentice
Stored XSS into anchor href attribute with double quotes · XSS · apprentice
Exploiting cross-site scripting to capture passwords · XSS · expert
Reflected XSS in a JavaScript URL with some blocked · XSS · expert
Reflected XSS protected by CSP with nonce · XSS · expert
Reflected XSS protected by very strict CSP with dangling · XSS · expert
Reflected XSS with AngularJS sandbox escape and CSP · XSS · expert
Reflected XSS with AngularJS sandbox escape without strings · XSS · expert
Reflected XSS with event handlers and href blocked · XSS · expert
DOM XSS in AngularJS expression with angle brackets · XSS · practitioner
DOM XSS in document.write sink inside select element · XSS · practitioner
Exploiting XSS to perform CSRF · XSS · practitioner
Reflected DOM XSS · XSS · practitioner
Reflected XSS in canonical link tag · XSS · practitioner
Reflected XSS into HTML context with all tags blocked · XSS · practitioner
Reflected XSS into HTML context with most tags blocked · XSS · practitioner
Reflected XSS into JavaScript string with escape sequence · XSS · practitioner
Reflected XSS into JavaScript string with single quote · XSS · practitioner
Reflected XSS into JavaScript with angle brackets encoded · XSS · practitioner
Reflected XSS into template literal with angle brackets · XSS · practitioner
Reflected XSS with some SVG markup allowed · XSS · practitioner
Stored DOM XSS · XSS · practitioner
Stored XSS into onclick event with angle brackets encoded · XSS · practitioner
Exploiting XXE to perform SSRF attacks · XXE · apprentice
Exploiting XXE using external entities to retrieve files · XXE · apprentice
Exploiting XXE to retrieve data by repurposing a local DTD · XXE · expert
Blind XXE with out-of-band interaction · XXE · practitioner
Blind XXE with out-of-band interaction via XML parameter · XXE · practitioner
Exploiting XInclude to retrieve files · XXE · practitioner
Exploiting XXE via image file upload · XXE · practitioner
Exploiting blind XXE to exfiltrate data using malicious DTD · XXE · practitioner
Exploiting blind XXE to retrieve data via error messages · XXE · practitioner