A comprehensive roadmap to mastering web application security through hands-on labs β curated from PortSwigger Web Security Academy
This guide helps both beginners and advanced learners systematically explore web vulnerabilities, practice real-world labs, and track progress like a true hacker π₯·π₯.
Each section includes:
- π§ Short description
β οΈ Potential impact- π» List of labs with difficulty level and emoji reflecting the nature of the exploit
- πΉοΈ Status tracker:
- β Pwned β Youβve exploited it!
- β¬ Not Pwned β Still waiting to be hacked
- Follow the order β Topics are arranged by complexity and learning flow.
- Track your progress β Mark labs as
β Pwnedonce completed. - Practice regularly β Solve labs directly on PortSwigger Web Security Academy.
- Donβt get stuck β Skip tough labs and revisit them later after gaining more experience.
π‘ Tip: Build foundational knowledge before diving into advanced topics.
What? Injecting malicious SQL queries to manipulate databases. Impact: Can lead to full database compromise, data leaks, or even remote code execution.
What? Injecting malicious scripts into trusted websites. Impact: Session hijacking, phishing, defacement, or redirecting users.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | 𧱠Reflected XSS into HTML context with nothing encoded | ⬠Not Pwned | |
| Apprentice | 𧱠Stored XSS into HTML context with nothing encoded | ⬠Not Pwned | |
| Apprentice | 𧩠DOM XSS in document.write sink using source location.search | ⬠Not Pwned | |
| Apprentice | 𧩠DOM XSS in innerHTML sink using source location.search | ⬠Not Pwned | |
| Apprentice | 𧩠DOM XSS in jQuery anchor href attribute sink using location.search source | ⬠Not Pwned | |
| Apprentice | 𧩠DOM XSS in jQuery selector sink using a hashchange event | ⬠Not Pwned | |
| Apprentice | 𧱠Reflected XSS into attribute with angle brackets HTML-encoded | ⬠Not Pwned | |
| Apprentice | 𧱠Stored XSS into anchor href attribute with double quotes HTML-encoded | ⬠Not Pwned | |
| Apprentice | 𧱠Reflected XSS into a JavaScript string with angle brackets HTML encoded | ⬠Not Pwned | |
| Practitioner | 𧩠DOM XSS in document.write sink using source location.search inside a select element | ⬠Not Pwned | |
| Practitioner | 𧩠DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded | ⬠Not Pwned | |
| Practitioner | 𧱠Reflected DOM XSS | ⬠Not Pwned | |
| Practitioner | 𧱠Stored DOM XSS | ⬠Not Pwned | |
| Practitioner | π Reflected XSS into HTML context with most tags and attributes blocked | β¬ Not Pwned | |
| Practitioner | π Reflected XSS into HTML context with all tags blocked except custom ones | β¬ Not Pwned | |
| Practitioner | πΌοΈ Reflected XSS with some SVG markup allowed | β¬ Not Pwned | |
| Practitioner | π Reflected XSS in canonical link tag | β¬ Not Pwned | |
| Practitioner | 𧱠Reflected XSS into a JavaScript string with single quote and backslash escaped | ⬠Not Pwned | |
| Practitioner | 𧱠Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped | ⬠Not Pwned | |
| Practitioner | 𧱠Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped | ⬠Not Pwned | |
| Practitioner | 𧱠Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped | ⬠Not Pwned | |
| Practitioner | πͺ Exploiting cross-site scripting to steal cookies | β¬ Not Pwned | |
| Practitioner | π Exploiting cross-site scripting to capture passwords | β¬ Not Pwned | |
| Practitioner | π‘οΈ Exploiting XSS to bypass CSRF defenses | β¬ Not Pwned | |
| Expert | π§° Reflected XSS with AngularJS sandbox escape without strings | β¬ Not Pwned | |
| Expert | π§° Reflected XSS with AngularJS sandbox escape and CSP | β¬ Not Pwned | |
| Expert | π Reflected XSS with event handlers and href attributes blocked | β¬ Not Pwned | |
| Expert | π Reflected XSS in a JavaScript URL with some characters blocked | β¬ Not Pwned | |
| Expert | π Reflected XSS protected by very strict CSP, with dangling markup attack | β¬ Not Pwned | |
| Expert | 𧨠Reflected XSS protected by CSP, with CSP bypass | ⬠Not Pwned |
What? Forcing a user to perform unwanted actions on a web application where they're authenticated. Impact: Unauthorized fund transfers, account modifications, or privilege escalation.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | 𧱠CSRF vulnerability with no defenses | ⬠Not Pwned | |
| Practitioner | π CSRF where token validation depends on request method | β¬ Not Pwned | |
| Practitioner | π CSRF where token validation depends on token being present | β¬ Not Pwned | |
| Practitioner | π CSRF where token is not tied to user session | β¬ Not Pwned | |
| Practitioner | π CSRF where token is tied to non-session cookie | β¬ Not Pwned | |
| Practitioner | π CSRF where token is duplicated in cookie | β¬ Not Pwned | |
| Practitioner | π SameSite Lax bypass via method override | β¬ Not Pwned | |
| Practitioner | π SameSite Strict bypass via client-side redirect | β¬ Not Pwned | |
| Practitioner | π SameSite Strict bypass via sibling domain | β¬ Not Pwned | |
| Practitioner | π SameSite Lax bypass via cookie refresh | β¬ Not Pwned | |
| Practitioner | π‘ CSRF where Referer validation depends on header being present | β¬ Not Pwned | |
| Practitioner | π‘ CSRF with broken Referer validation | β¬ Not Pwned |
What? Tricking a user into clicking something different than intended. Impact: Can be used to steal credentials, enable XSS, or perform actions unknowingly.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | ποΈ Basic clickjacking with CSRF token protection | β¬ Not Pwned | |
| Apprentice | πΌοΈ Clickjacking with form input data prefilled from a URL parameter | β¬ Not Pwned | |
| Apprentice | π‘οΈ Clickjacking with a frame buster script | β¬ Not Pwned | |
| Practitioner | π₯ Exploiting clickjacking vulnerability to trigger DOM-based XSS | β¬ Not Pwned | |
| Practitioner | π Multistep clickjacking | β¬ Not Pwned |
What? Client-side bugs that can be exploited without server-side changes. Impact: XSS, redirections, cookie manipulation, and more.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Practitioner | 𧩠DOM XSS using web messages | ⬠Not Pwned | |
| Practitioner | 𧩠DOM XSS using web messages and a JavaScript URL | ⬠Not Pwned | |
| Practitioner | 𧩠DOM XSS using web messages and JSON.parse | ⬠Not Pwned | |
| Practitioner | 𧲠DOM-based open redirection | ⬠Not Pwned | |
| Practitioner | πͺ DOM-based cookie manipulation | β¬ Not Pwned | |
| Expert | π§ Exploiting DOM clobbering to enable XSS | β¬ Not Pwned | |
| Expert | π§ Clobbering DOM attributes to bypass HTML filters | β¬ Not Pwned |
What? Misconfigured CORS policies can allow unauthorized access to sensitive APIs. Impact: Data leakage, session hijacking, and API abuse.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π CORS vulnerability with basic origin reflection | β¬ Not Pwned | |
| Apprentice | π CORS vulnerability with trusted null origin | β¬ Not Pwned | |
| Practitioner | π CORS vulnerability with trusted insecure protocols | β¬ Not Pwned |
What? Exploiting poorly configured XML processors to read files or interact with internal systems.
Impact: File disclosure, SSRF, and system enumeration.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π Exploiting XXE using external entities to retrieve files | β¬ Not Pwned | |
| Apprentice | π Exploiting XXE to perform SSRF attacks | β¬ Not Pwned | |
| Practitioner | π Blind XXE with out-of-band interaction | β¬ Not Pwned | |
| Practitioner | π Blind XXE with out-of-band interaction via XML parameter entities | β¬ Not Pwned | |
| Practitioner | π¦ Exploiting blind XXE to exfiltrate data using a malicious external DTD | β¬ Not Pwned | |
| Practitioner | π’ Exploiting blind XXE to retrieve data via error messages | β¬ Not Pwned | |
| Practitioner | π Exploiting XInclude to retrieve files | β¬ Not Pwned | |
| Practitioner | π Exploiting XXE via image file upload | β¬ Not Pwned | |
| Expert | π¦ Exploiting XXE to retrieve data by repurposing a local DTD | β¬ Not Pwned |
What? Inducing the server to make requests to arbitrary systems.
Impact: Internal network scanning, service interaction, and data leakage.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π Basic SSRF against the local server | β¬ Not Pwned | |
| Apprentice | π Basic SSRF against another back-end system | β¬ Not Pwned | |
| Practitioner | π Blind SSRF with out-of-band detection | β¬ Not Pwned | |
| Practitioner | π SSRF with blacklist-based input filter | β¬ Not Pwned | |
| Practitioner | π SSRF with filter bypass via open redirection vulnerability | β¬ Not Pwned | |
| Expert | π Blind SSRF with Shellshock exploitation | β¬ Not Pwned | |
| Expert | π’ SSRF with whitelist-based input filter | β¬ Not Pwned |
What? Exploiting discrepancies between how HTTP requests are parsed by front-end and back-end servers.
Impact: Bypassing security controls, cache poisoning, XSS, and session fixation.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Practitioner | π§ͺ HTTP request smuggling, confirming a CL.TE vulnerability via differential responses | β¬ Not Pwned | |
| Practitioner | π§ͺ HTTP request smuggling, confirming a TE.CL vulnerability via differential responses | β¬ Not Pwned | |
| Practitioner | π Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability | β¬ Not Pwned | |
| Practitioner | π Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability | β¬ Not Pwned | |
| Practitioner | π§ͺ Exploiting HTTP request smuggling to reveal front-end request rewriting | β¬ Not Pwned | |
| Practitioner | π§ͺ Exploiting HTTP request smuggling to capture other users' requests | β¬ Not Pwned | |
| Practitioner | π¬ Exploiting HTTP request smuggling to deliver reflected XSS | β¬ Not Pwned | |
| Practitioner | π§ͺ Response queue poisoning via H2.TE request smuggling | β¬ Not Pwned | |
| Practitioner | π§ͺ H2.CL request smuggling | β¬ Not Pwned | |
| Practitioner | π§ͺ HTTP/2 request smuggling via CRLF injection | β¬ Not Pwned | |
| Practitioner | π§ͺ HTTP/2 request splitting via CRLF injection | β¬ Not Pwned | |
| Practitioner | π§ͺ CL.0 request smuggling | β¬ Not Pwned | |
| Practitioner | π§ͺ HTTP request smuggling, basic CL.TE vulnerability | β¬ Not Pwned | |
| Practitioner | π§ͺ HTTP request smuggling, basic TE.CL vulnerability | β¬ Not Pwned | |
| Practitioner | π§ͺ HTTP request smuggling, obfuscating the TE header | β¬ Not Pwned | |
| Expert | π§ͺ Exploiting HTTP request smuggling to perform web cache poisoning | β¬ Not Pwned | |
| Expert | π§ͺ Exploiting HTTP request smuggling to perform web cache deception | β¬ Not Pwned | |
| Expert | π Bypassing access controls via HTTP/2 request tunnelling | β¬ Not Pwned | |
| Expert | π§ͺ Web cache poisoning via HTTP/2 request tunnelling | β¬ Not Pwned | |
| Expert | π§ͺ Client-side desync | β¬ Not Pwned | |
| Expert | π§ͺ Server-side pause-based request smuggling | β¬ Not Pwned |
What? Injecting arbitrary operating system commands via vulnerable web inputs.
Impact: Full remote code execution on the server β potentially leading to full system compromise.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π£ OS command injection, simple case | β¬ Not Pwned | |
| Practitioner | β³ Blind OS command injection with time delays | β¬ Not Pwned | |
| Practitioner | π€ Blind OS command injection with output redirection | β¬ Not Pwned | |
| Practitioner | π Blind OS command injection with out-of-band interaction | β¬ Not Pwned | |
| Practitioner | π¦ Blind OS command injection with out-of-band data exfiltration | β¬ Not Pwned |
What? Exploiting template engines that allow user input to be parsed as code.
Impact: Can lead to remote code execution or sensitive data leakage depending on the template engine.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Practitioner | π§ͺ Basic server-side template injection | β¬ Not Pwned | |
| Practitioner | π§ͺ Server-side template injection (code context) | β¬ Not Pwned | |
| Practitioner | π Server-side template injection using documentation | β¬ Not Pwned | |
| Practitioner | π οΈ Server-side template injection in an unknown language with a documented exploit | β¬ Not Pwned | |
| Practitioner | π‘ Server-side template injection with information disclosure via user-supplied objects | β¬ Not Pwned | |
| Expert | π Server-side template injection in a sandboxed environment | β¬ Not Pwned | |
| Expert | 𧩠Server-side template injection with a custom exploit | ⬠Not Pwned |
What? Manipulating file paths to access unauthorized files or directories.
Impact: Allows attackers to read or execute sensitive files like /etc/passwd.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π File path traversal, simple case | β Pwned | |
| Practitioner | π« File path traversal, traversal sequences blocked with absolute path bypass | β Pwned | |
| Practitioner | π§Ή File path traversal, traversal sequences stripped non-recursively | β Pwned | |
| Practitioner | π File path traversal, traversal sequences stripped with superfluous URL-decode | β Pwned | |
| Practitioner | π File path traversal, validation of start of path | β Pwned | |
| Practitioner | π§ͺ File path traversal, validation of file extension with null byte bypass | β Pwned |
What? Flaws in how users are authorized to access certain resources.
Impact: Unauthorized access to admin functions, user accounts, or sensitive data.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | πͺ Unprotected admin functionality | β¬ Not Pwned | |
| Apprentice | π Unprotected admin functionality with unpredictable URL | β¬ Not Pwned | |
| Apprentice | π§βπΌ User role controlled by request parameter | β¬ Not Pwned | |
| Apprentice | π§Ύ User role can be modified in user profile | β¬ Not Pwned | |
| Apprentice | π User ID controlled by request parameter | β¬ Not Pwned | |
| Apprentice | π User ID controlled by request parameter, with unpredictable user IDs | β¬ Not Pwned | |
| Apprentice | π€ User ID controlled by request parameter with data leakage in redirect | β¬ Not Pwned | |
| Apprentice | π€ User ID controlled by request parameter with password disclosure | β¬ Not Pwned | |
| Apprentice | π Insecure direct object references | β¬ Not Pwned | |
| Practitioner | π URL-based access control can be circumvented | β¬ Not Pwned | |
| Practitioner | 𧱠Method-based access control can be circumvented | ⬠Not Pwned | |
| Practitioner | π Multi-step process with no access control on one step | β¬ Not Pwned | |
| Practitioner | π‘ Referer-based access control | β¬ Not Pwned |
What? Mechanisms used to verify user identity. Flaws can allow attackers to bypass or brute-force authentication.
Impact: Account takeover, privilege escalation, and unauthorized access.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π€ Username enumeration via different responses | β¬ Not Pwned | |
| Apprentice | π 2FA simple bypass | β¬ Not Pwned | |
| Apprentice | π Password reset broken logic | β¬ Not Pwned | |
| Practitioner | π Username enumeration via subtly different responses | β¬ Not Pwned | |
| Practitioner | π Username enumeration via response timing | β¬ Not Pwned | |
| Practitioner | π Broken brute-force protection, IP block | β¬ Not Pwned | |
| Practitioner | π Username enumeration via account lock | β¬ Not Pwned | |
| Practitioner | π― 2FA broken logic | β¬ Not Pwned | |
| Practitioner | π Brute-forcing a stay-logged-in cookie | β¬ Not Pwned | |
| Practitioner | πͺ Offline password cracking | β¬ Not Pwned | |
| Practitioner | π Password reset poisoning via middleware | β¬ Not Pwned | |
| Practitioner | π Password brute-force via password change | β¬ Not Pwned | |
| Expert | π« Broken brute-force protection, multiple credentials per request | β¬ Not Pwned | |
| Expert | π 2FA bypass using a brute-force attack | β¬ Not Pwned |
What? Bidirectional communication channels between client and server. Vulnerabilities often stem from insecure implementations.
Impact: Session hijacking, cross-site WebSocket hijacking, or message manipulation.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π‘ Manipulating WebSocket messages to exploit vulnerabilities | β¬ Not Pwned | |
| Practitioner | π Cross-site WebSocket hijacking | β¬ Not Pwned | |
| Practitioner | π§ͺ Manipulating the WebSocket handshake to exploit vulnerabilities | β¬ Not Pwned |
What? Exploiting caching mechanisms to serve malicious content to users.
Impact: Delivering XSS payloads, phishing pages, or malware through trusted caches.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Practitioner | 𧴠Web cache poisoning with an unkeyed header | ⬠Not Pwned | |
| Practitioner | πͺ Web cache poisoning with an unkeyed cookie | β¬ Not Pwned | |
| Practitioner | π§ͺ Web cache poisoning with multiple headers | β¬ Not Pwned | |
| Practitioner | π¦ Targeted web cache poisoning using an unknown header | β¬ Not Pwned | |
| Practitioner | π Web cache poisoning via an unkeyed query string | β¬ Not Pwned | |
| Practitioner | π Web cache poisoning via an unkeyed query parameter | β¬ Not Pwned | |
| Practitioner | 𧱠Parameter cloaking | ⬠Not Pwned | |
| Practitioner | π¦ Web cache poisoning via a fat GET request | β¬ Not Pwned | |
| Practitioner | π§ URL normalization | β¬ Not Pwned | |
| Expert | 𧲠Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria | ⬠Not Pwned | |
| Expert | π Combining web cache poisoning vulnerabilities | β¬ Not Pwned | |
| Expert | 𧨠Cache key injection | ⬠Not Pwned | |
| Expert | π§ Internal cache poisoning | β¬ Not Pwned |
What? Exploiting unsafe deserialization of untrusted data, leading to RCE or session tampering.
Impact: Remote code execution, privilege escalation, or object manipulation.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | 𧱠Modifying serialized objects | ⬠Not Pwned | |
| Practitioner | 𧩠Modifying serialized data types | ⬠Not Pwned | |
| Practitioner | π Using application functionality to exploit insecure deserialization | β¬ Not Pwned | |
| Practitioner | π Arbitrary object injection in PHP | β¬ Not Pwned | |
| Practitioner | π§° Exploiting Java deserialization with Apache Commons | β¬ Not Pwned | |
| Practitioner | π¦ Exploiting PHP deserialization with a pre-built gadget chain | β¬ Not Pwned | |
| Practitioner | π Exploiting Ruby deserialization using a documented gadget chain | β¬ Not Pwned | |
| Expert | π§ Developing a custom gadget chain for Java deserialization | β¬ Not Pwned | |
| Expert | π§ Developing a custom gadget chain for PHP deserialization | β¬ Not Pwned | |
| Expert | π¦ Using PHAR deserialization to deploy a custom gadget chain | β¬ Not Pwned |
What? Accidental exposure of sensitive information like error messages, debug pages, or source code.
Impact: Can expose internal logic, credentials, or vulnerabilities to attackers.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π Information disclosure in error messages | β¬ Not Pwned | |
| Apprentice | π οΈ Information disclosure on debug page | β¬ Not Pwned | |
| Apprentice | π Source code disclosure via backup files | β¬ Not Pwned | |
| Apprentice | π Authentication bypass via information disclosure | β¬ Not Pwned | |
| Practitioner | π Information disclosure in version control history | β¬ Not Pwned |
What? Logical flaws in how the application enforces business rules. Often overlooked by traditional scanners.
Impact: Financial fraud, privilege escalation, unauthorized access.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π€ Excessive trust in client-side controls | β¬ Not Pwned | |
| Apprentice | 𧱠High-level logic vulnerability | ⬠Not Pwned | |
| Apprentice | π Inconsistent security controls | β¬ Not Pwned | |
| Apprentice | 𧨠Flawed enforcement of business rules | ⬠Not Pwned | |
| Practitioner | 𧩠Low-level logic flaw | ⬠Not Pwned | |
| Practitioner | π Inconsistent handling of exceptional input | β¬ Not Pwned | |
| Practitioner | π Weak isolation on dual-use endpoint | β¬ Not Pwned | |
| Practitioner | π§ Insufficient workflow validation | β¬ Not Pwned | |
| Practitioner | π Authentication bypass via flawed state machine | β¬ Not Pwned | |
| Practitioner | π° Infinite money logic flaw | β¬ Not Pwned | |
| Expert | π« Bypassing access controls using email address parsing discrepancies | β¬ Not Pwned |
What? Exploiting misconfigured server behavior based on the Host header.
Impact: Password reset poisoning, SSRF, cache poisoning, or backend interaction.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π Basic password reset poisoning | β¬ Not Pwned | |
| Apprentice | 𧲠Host header authentication bypass | ⬠Not Pwned | |
| Practitioner | 𧫠Web cache poisoning via ambiguous requests | ⬠Not Pwned | |
| Practitioner | π Routing-based SSRF | β¬ Not Pwned | |
| Practitioner | π§ͺ SSRF via flawed request parsing | β¬ Not Pwned | |
| Practitioner | π Host validation bypass via connection state attack | β¬ Not Pwned | |
| Expert | 𧨠Password reset poisoning via dangling markup | ⬠Not Pwned |
What? Misconfigurations in OAuth implementations that can allow token theft or account takeover.
Impact: Unauthorized access to user accounts or services.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π Authentication bypass via OAuth implicit flow | β¬ Not Pwned | |
| Practitioner | π SSRF via OpenID dynamic client registration | β¬ Not Pwned | |
| Practitioner | π Forced OAuth profile linking | β¬ Not Pwned | |
| Practitioner | π OAuth account hijacking via redirect_uri | β¬ Not Pwned | |
| Practitioner | π¦ Stealing OAuth access tokens via an open redirect | β¬ Not Pwned | |
| Expert | π΅οΈ Stealing OAuth access tokens via a proxy page | β¬ Not Pwned |
What? Exploiting insecure file upload functionality to execute malicious files or gain remote code execution.
Impact: Full server compromise, data exfiltration, or persistent backdoor access.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | 𧨠Remote code execution via web shell upload | ⬠Not Pwned | |
| Apprentice | π Web shell upload via Content-Type restriction bypass | β¬ Not Pwned | |
| Practitioner | π€οΈ Web shell upload via path traversal | β¬ Not Pwned | |
| Practitioner | π§― Web shell upload via extension blacklist bypass | β¬ Not Pwned | |
| Practitioner | π§ͺ Web shell upload via obfuscated file extension | β¬ Not Pwned | |
| Practitioner | π₯ Remote code execution via polyglot web shell upload | β¬ Not Pwned | |
| Expert | πββοΈ Web shell upload via race condition | β¬ Not Pwned |
What? Exploiting weaknesses in JSON Web Token (JWT) implementations.
Impact: Session hijacking, privilege escalation, or unauthorized access to protected endpoints.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | 𧱠JWT authentication bypass via unverified signature | ⬠Not Pwned | |
| Apprentice | π‘οΈ JWT authentication bypass via flawed signature verification | β¬ Not Pwned | |
| Practitioner | π JWT authentication bypass via weak signing key | β¬ Not Pwned | |
| Practitioner | 𧩠JWT authentication bypass via jwk header injection | ⬠Not Pwned | |
| Practitioner | π JWT authentication bypass via jku header injection | β¬ Not Pwned | |
| Practitioner | π JWT authentication bypass via kid header path traversal | β¬ Not Pwned | |
| Expert | π JWT authentication bypass via algorithm confusion | β¬ Not Pwned | |
| Expert | π JWT authentication bypass via algorithm confusion with no exposed key | β¬ Not Pwned |
What? Core techniques used during real-world assessments to discover vulnerabilities faster.
Impact: Improves efficiency and effectiveness of bug hunting.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Practitioner | π Discovering vulnerabilities quickly with targeted scanning | β¬ Not Pwned | |
| Practitioner | π§Ή Scanning non-standard data structures | β¬ Not Pwned |
What? Exploiting JavaScript object prototype manipulation to affect application logic.
Impact: Can lead to XSS, privilege escalation, or RCE depending on implementation.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Practitioner | π Client-side prototype pollution via browser APIs | β¬ Not Pwned | |
| Practitioner | π¬ DOM XSS via client-side prototype pollution | β¬ Not Pwned | |
| Practitioner | π DOM XSS via an alternative prototype pollution vector | β¬ Not Pwned | |
| Practitioner | π§Ό Client-side prototype pollution via flawed sanitization | β¬ Not Pwned | |
| Practitioner | 𧱠Client-side prototype pollution in third-party libraries | ⬠Not Pwned | |
| Practitioner | π Privilege escalation via server-side prototype pollution | β¬ Not Pwned | |
| Practitioner | π Detecting server-side prototype pollution without polluted property reflection | β¬ Not Pwned | |
| Practitioner | π§― Bypassing flawed input filters for server-side prototype pollution | β¬ Not Pwned | |
| Practitioner | π₯ Remote code execution via server-side prototype pollution | β¬ Not Pwned | |
| Expert | π¦ Exfiltrating sensitive data via server-side prototype pollution | β¬ Not Pwned |
What? Misconfigurations or logical flaws in GraphQL APIs that allow data leakage or abuse.
Impact: Unauthorized access to private data, account takeover, or SSRF.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π§Ύ Accessing private GraphQL posts | β¬ Not Pwned | |
| Practitioner | π Accidental exposure of private GraphQL fields | β¬ Not Pwned | |
| Practitioner | π Finding a hidden GraphQL endpoint | β¬ Not Pwned | |
| Practitioner | π΅οΈ Bypassing GraphQL brute force protections | β¬ Not Pwned | |
| Practitioner | π Performing CSRF exploits over GraphQL | β¬ Not Pwned |
What? Exploiting timing flaws in how a system handles concurrent requests.
Impact: Bypassing rate limits, gaining unauthorized access, or manipulating transactions.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | 𧱠Limit overrun race conditions | ⬠Not Pwned | |
| Practitioner | π Bypassing rate limits via race conditions | β¬ Not Pwned | |
| Practitioner | π Multi-endpoint race conditions | β¬ Not Pwned | |
| Practitioner | π Single-endpoint race conditions | β¬ Not Pwned | |
| Practitioner | π§ͺ Exploiting time-sensitive vulnerabilities | β¬ Not Pwned | |
| Expert | 𧩠Partial construction race conditions | ⬠Not Pwned |
What? Injecting malicious queries into NoSQL databases like MongoDB to bypass authentication or extract data.
Impact: Can lead to full database compromise and privilege escalation.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π Detecting NoSQL injection | β¬ Not Pwned | |
| Apprentice | π Exploiting NoSQL operator injection to bypass authentication | β¬ Not Pwned | |
| Practitioner | π Exploiting NoSQL injection to extract data | β¬ Not Pwned | |
| Practitioner | 𧲠Exploiting NoSQL operator injection to extract unknown fields | ⬠Not Pwned |
What? Identifying and exploiting misconfigurations or vulnerabilities in RESTful APIs.
Impact: Data leakage, account takeover, or privilege escalation.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π Exploiting an API endpoint using documentation | β¬ Not Pwned | |
| Practitioner | π₯ Exploiting server-side parameter pollution in a query string | β¬ Not Pwned | |
| Practitioner | π Finding and exploiting an unused API endpoint | β¬ Not Pwned | |
| Practitioner | 𧨠Exploiting a mass assignment vulnerability | ⬠Not Pwned | |
| Expert | π‘ Exploiting server-side parameter pollution in a REST URL | β¬ Not Pwned |
What? Exploiting Large Language Model (LLM) integrations in web apps for prompt manipulation or data exfiltration.
Impact: Prompt injections, data leaks, or unintended behavior from AI models.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π€ Exploiting LLM APIs with excessive agency | β¬ Not Pwned | |
| Practitioner | π§ Exploiting vulnerabilities in LLM APIs | β¬ Not Pwned | |
| Practitioner | π§ Indirect prompt injection | β¬ Not Pwned | |
| Expert | π§ Exploiting insecure output handling in LLMs | β¬ Not Pwned |
What? Tricking caching systems into storing sensitive user data like session tokens or private content.
Impact: Stealing sensitive data from cache servers accessible to attackers.
| Difficulty | Title | Status | Writeup |
|---|---|---|---|
| Apprentice | π°οΈ Exploiting path mapping for web cache deception | β¬ Not Pwned | |
| Practitioner | π Exploiting path delimiters for web cache deception | β¬ Not Pwned | |
| Practitioner | π§Ή Exploiting origin server normalization for web cache deception | β¬ Not Pwned | |
| Practitioner | π§Ό Exploiting cache server normalization for web cache deception | β¬ Not Pwned | |
| Expert | π― Exploiting exact-match cache rules for web cache deception | β¬ Not Pwned |
You now have a complete, and interactive README file that tracks all 146+ labs across:
- π Server-Side Vulnerabilities
- π¬ Client-Side Vulnerabilities
- π§ Advanced Topics
This README can be used as a personal tracker, study guide, or shared with others looking to learn web security systematically through PortSwiggerβs labs.