PortSwigger · Web Security Academy
Catalog: 262 labs indexed from PortSwigger Web Security Academy. Each lab links to the official exercise and PortSwigger’s solution. The official sitemap coverage is partial; XSS, authentication, business logic and other topics will be added manually over time.Access Control Vulnerabilities (13)
API Testing (5)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Exploiting an API endpoint using documentation | APPRENTICE | API Testing | Open |
| Exploiting server-side parameter pollution in a REST URL | APPRENTICE | API Testing | Open |
| Exploiting a mass assignment vulnerability | PRACTITIONER | API Testing | Open |
| Exploiting server-side parameter pollution in a query string | PRACTITIONER | API Testing | Open |
| Finding and exploiting an unused API endpoint | PRACTITIONER | API Testing | Open |
Authentication Vulnerabilities (14)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| 2FA bypass using a brute-force attack | APPRENTICE | Authentication Vulnerabilities · Remote Code Execution (RCE) | Open |
| 2FA simple bypass | APPRENTICE | Authentication Vulnerabilities | Open |
| Broken brute-force protection, multiple credentials per request | APPRENTICE | Authentication Vulnerabilities · Remote Code Execution (RCE) | Open |
| Password reset broken logic | APPRENTICE | Authentication Vulnerabilities | Open |
| Username enumeration via different responses | APPRENTICE | Authentication Vulnerabilities | Open |
| 2FA broken logic | PRACTITIONER | Authentication Vulnerabilities | Open |
| Broken brute-force protection, IP block | PRACTITIONER | Authentication Vulnerabilities · Remote Code Execution (RCE) | Open |
| Brute-forcing a stay-logged-in cookie | PRACTITIONER | Authentication Vulnerabilities | Open |
| Offline password cracking | PRACTITIONER | Authentication Vulnerabilities | Open |
| Password brute-force via password change | PRACTITIONER | Authentication Vulnerabilities · Remote Code Execution (RCE) | Open |
| Password reset poisoning via middleware | PRACTITIONER | Authentication Vulnerabilities | Open |
| Username enumeration via account lock | PRACTITIONER | Authentication Vulnerabilities | Open |
| Username enumeration via response timing | PRACTITIONER | Authentication Vulnerabilities | Open |
| Username enumeration via subtly different responses | PRACTITIONER | Authentication Vulnerabilities | Open |
Clickjacking (5)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Basic clickjacking with CSRF token protection | APPRENTICE | Clickjacking · CSRF (Cross-Site Request Forgery) | Open |
| Clickjacking with a frame buster script | APPRENTICE | Clickjacking | Open |
| Clickjacking with form input data prefilled from a URL parameter | APPRENTICE | Clickjacking | Open |
| Exploiting clickjacking vulnerability to trigger DOM-based XSS | PRACTITIONER | Clickjacking · Cross-Site Scripting (XSS) | Open |
| Multistep clickjacking | PRACTITIONER | Clickjacking | Open |
CORS (3)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| CORS vulnerability with basic origin reflection | APPRENTICE | CORS (Cross-Origin Resource Sharing) | Open |
| CORS vulnerability with trusted null origin | APPRENTICE | CORS (Cross-Origin Resource Sharing) | Open |
| CORS vulnerability with trusted insecure protocols | PRACTITIONER | CORS (Cross-Origin Resource Sharing) | Open |
Cross-Site Scripting (XSS) (28)
CSRF (Cross-Site Request Forgery) (12)
Insecure Deserialization (10)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Developing a custom gadget chain for Java deserialization | APPRENTICE | Insecure Deserialization | Open |
| Developing a custom gadget chain for PHP deserialization | APPRENTICE | Insecure Deserialization | Open |
| Modifying serialized objects | APPRENTICE | Insecure Deserialization | Open |
| Using PHAR deserialization to deploy a custom gadget chain | APPRENTICE | Insecure Deserialization | Open |
| Arbitrary object injection in PHP | PRACTITIONER | Insecure Deserialization | Open |
| Exploiting Java deserialization with Apache Commons | PRACTITIONER | Insecure Deserialization | Open |
| Exploiting PHP deserialization with a pre-built gadget chain | PRACTITIONER | Insecure Deserialization | Open |
| Exploiting Ruby deserialization using a documented gadget chain | PRACTITIONER | Insecure Deserialization | Open |
| Modifying serialized data types | PRACTITIONER | Insecure Deserialization | Open |
| Using application functionality to exploit insecure deserialization | PRACTITIONER | Insecure Deserialization | Open |
DOM-based Vulnerabilities (7)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Clobbering DOM attributes to bypass HTML filters | APPRENTICE | Clobbering DOM attributes to bypass HTML filters DOM-based Vulnerabilities | Open |
| Exploiting DOM clobbering to enable XSS | APPRENTICE | Cross-Site Scripting (XSS) | Open |
| DOM XSS using web messages | PRACTITIONER | Cross-Site Scripting (XSS) | Open |
| DOM XSS using web messages and a JavaScript URL | PRACTITIONER | Cross-Site Scripting (XSS) | Open |
| DOM XSS using web messages and JSON.parse | PRACTITIONER | Cross-Site Scripting (XSS) | Open |
| DOM-based cookie manipulation | PRACTITIONER | DOM-based cookie manipulation DOM-based Vulnerabilities | Open |
| DOM-based open redirection | PRACTITIONER | DOM-based open redirection DOM-based Vulnerabilities | Open |
Essential Skills (2)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Discovering vulnerabilities quickly with targeted scanning | PRACTITIONER | Discovering vulnerabilities quickly with targeted scanning Essential Skills | Open |
| Scanning non-standard data structures | PRACTITIONER | Scanning non-standard data structures Essential Skills | Open |
Directory / Path Traversal (6)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| File path traversal, simple case | APPRENTICE | Directory / Path Traversal | Open |
| File path traversal, traversal sequences blocked with absolute path bypass | PRACTITIONER | Directory / Path Traversal | Open |
| File path traversal, traversal sequences stripped non-recursively | PRACTITIONER | Directory / Path Traversal | Open |
| File path traversal, traversal sequences stripped with superfluous URL-decode | PRACTITIONER | Directory / Path Traversal | Open |
| File path traversal, validation of file extension with null byte bypass | PRACTITIONER | Directory / Path Traversal | Open |
| File path traversal, validation of start of path | PRACTITIONER | Directory / Path Traversal | Open |
File Upload Vulnerabilities (7)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Remote code execution via web shell upload | APPRENTICE | File Upload Vulnerabilities · Remote Code Execution (RCE) | Open |
| Web shell upload via Content-Type restriction bypass | APPRENTICE | File Upload Vulnerabilities | Open |
| Web shell upload via race condition | APPRENTICE | File Upload Vulnerabilities · Race Conditions | Open |
| Remote code execution via polyglot web shell upload | PRACTITIONER | File Upload Vulnerabilities · Remote Code Execution (RCE) | Open |
| Web shell upload via extension blacklist bypass | PRACTITIONER | File Upload Vulnerabilities | Open |
| Web shell upload via obfuscated file extension | PRACTITIONER | File Upload Vulnerabilities | Open |
| Web shell upload via path traversal | PRACTITIONER | File Upload Vulnerabilities · Directory / Path Traversal | Open |
GraphQL (5)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Accessing private GraphQL posts | APPRENTICE | GraphQL Vulnerabilities | Open |
| Accidental exposure of private GraphQL fields | PRACTITIONER | GraphQL Vulnerabilities | Open |
| Bypassing GraphQL brute force protections | PRACTITIONER | Brute Force / Rate-Limit Bypass · GraphQL Vulnerabilities · Remote Code Execution (RCE) | Open |
| Finding a hidden GraphQL endpoint | PRACTITIONER | GraphQL Vulnerabilities | Open |
| Performing CSRF exploits over GraphQL | PRACTITIONER | GraphQL Vulnerabilities · CSRF (Cross-Site Request Forgery) | Open |
HTTP Host Header Attacks (5)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Host header authentication bypass | APPRENTICE | Authentication Vulnerabilities · HTTP Host Header Attacks | Open |
| Host validation bypass via connection state attack | PRACTITIONER | HTTP Host Header Attacks | Open |
| Routing-based SSRF | PRACTITIONER | HTTP Host Header Attacks · Server-Side Request Forgery | Open |
| SSRF via flawed request parsing | PRACTITIONER | HTTP Host Header Attacks · Server-Side Request Forgery | Open |
| Web cache poisoning via ambiguous requests | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) · HTTP Host Header Attacks | Open |
Information Disclosure (5)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Authentication bypass via information disclosure | APPRENTICE | Information Leakage · Authentication Vulnerabilities | Open |
| Information disclosure in error messages | APPRENTICE | Information Leakage | Open |
| Information disclosure on debug page | APPRENTICE | Information Leakage | Open |
| Source code disclosure via backup files | APPRENTICE | Information Leakage · Remote Code Execution (RCE) | Open |
| Information disclosure in version control history | PRACTITIONER | Information Leakage | Open |
JWT (JSON Web Tokens) (8)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| JWT authentication bypass via algorithm confusion | APPRENTICE | Authentication Vulnerabilities · JSON Web Tokens (JWT) | Open |
| JWT authentication bypass via algorithm confusion with no exposed key | APPRENTICE | Authentication Vulnerabilities · JSON Web Tokens (JWT) | Open |
| JWT authentication bypass via flawed signature verification | APPRENTICE | Authentication Vulnerabilities · JSON Web Tokens (JWT) | Open |
| JWT authentication bypass via unverified signature | APPRENTICE | Authentication Vulnerabilities · JSON Web Tokens (JWT) | Open |
| JWT authentication bypass via jku header injection | PRACTITIONER | Authentication Vulnerabilities · JSON Web Tokens (JWT) | Open |
| JWT authentication bypass via jwk header injection | PRACTITIONER | Authentication Vulnerabilities · JSON Web Tokens (JWT) | Open |
| JWT authentication bypass via kid header path traversal | PRACTITIONER | Authentication Vulnerabilities · JSON Web Tokens (JWT) · Directory / Path Traversal | Open |
| JWT authentication bypass via weak signing key | PRACTITIONER | Authentication Vulnerabilities · JSON Web Tokens (JWT) | Open |
LLM Attacks (8)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Exploiting AI agents to exfiltrate sensitive information | APPRENTICE | LLM Attacks (Prompt Injection) | Open |
| Exploiting AI agents to perform destructive actions | APPRENTICE | LLM Attacks (Prompt Injection) | Open |
| Exploiting insecure output handling in LLMs | APPRENTICE | LLM Attacks (Prompt Injection) | Open |
| Exploiting LLM APIs with excessive agency | APPRENTICE | LLM Attacks (Prompt Injection) | Open |
| Bypassing AI scanner defenses to exfiltrate sensitive information | PRACTITIONER | LLM Attacks (Prompt Injection) | Open |
| Exploiting AI agents to trigger secondary vulnerabilities | PRACTITIONER | LLM Attacks (Prompt Injection) | Open |
| Exploiting vulnerabilities in LLM APIs | PRACTITIONER | LLM Attacks (Prompt Injection) | Open |
| Indirect prompt injection | PRACTITIONER | LLM Attacks (Prompt Injection) | Open |
Business Logic Vulnerabilities (12)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Bypassing access controls using email address parsing discrepancies | APPRENTICE | Business Logic Vulnerabilities · Access Control / IDOR | Open |
| Excessive trust in client-side controls | APPRENTICE | Business Logic Vulnerabilities | Open |
| Flawed enforcement of business rules | APPRENTICE | Business Logic Vulnerabilities · Remote Code Execution (RCE) | Open |
| High-level logic vulnerability | APPRENTICE | Business Logic Vulnerabilities | Open |
| Inconsistent security controls | APPRENTICE | Business Logic Vulnerabilities | Open |
| Authentication bypass via encryption oracle | PRACTITIONER | Authentication Vulnerabilities · Business Logic Vulnerabilities | Open |
| Authentication bypass via flawed state machine | PRACTITIONER | Authentication Vulnerabilities · Business Logic Vulnerabilities | Open |
| Inconsistent handling of exceptional input | PRACTITIONER | Business Logic Vulnerabilities | Open |
| Infinite money logic flaw | PRACTITIONER | Business Logic Vulnerabilities | Open |
| Insufficient workflow validation | PRACTITIONER | Business Logic Vulnerabilities | Open |
| Low-level logic flaw | PRACTITIONER | Business Logic Vulnerabilities | Open |
| Weak isolation on dual-use endpoint | PRACTITIONER | Business Logic Vulnerabilities | Open |
NoSQL Injection (4)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Detecting NoSQL injection | APPRENTICE | SQL Injection | Open |
| Exploiting NoSQL operator injection to bypass authentication | APPRENTICE | SQL Injection | Open |
| Exploiting NoSQL injection to extract data | PRACTITIONER | SQL Injection | Open |
| Exploiting NoSQL operator injection to extract unknown fields | PRACTITIONER | SQL Injection | Open |
OAuth Authentication (6)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Authentication bypass via OAuth implicit flow | APPRENTICE | Authentication Vulnerabilities · OAuth Authentication Vulnerabilities | Open |
| Stealing OAuth access tokens via a proxy page | APPRENTICE | OAuth Authentication Vulnerabilities | Open |
| Forced OAuth profile linking | PRACTITIONER | OAuth Authentication Vulnerabilities · Remote Code Execution (RCE) | Open |
| OAuth account hijacking via redirect_uri | PRACTITIONER | OAuth Authentication Vulnerabilities | Open |
| SSRF via OpenID dynamic client registration | PRACTITIONER | OAuth Authentication Vulnerabilities · Server-Side Request Forgery | Open |
| Stealing OAuth access tokens via an open redirect | PRACTITIONER | OAuth Authentication Vulnerabilities | Open |
OS Command Injection (5)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| OS command injection, simple case | APPRENTICE | OS Command Injection | Open |
| Blind OS command injection with out-of-band data exfiltration | PRACTITIONER | OS Command Injection | Open |
| Blind OS command injection with out-of-band interaction | PRACTITIONER | OS Command Injection | Open |
| Blind OS command injection with output redirection | PRACTITIONER | OS Command Injection | Open |
| Blind OS command injection with time delays | PRACTITIONER | OS Command Injection | Open |
Prototype Pollution (9)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Exfiltrating sensitive data via server-side prototype pollution | APPRENTICE | Prototype Pollution | Open |
| Bypassing flawed input filters for server-side prototype pollution | PRACTITIONER | Prototype Pollution | Open |
| Client-side prototype pollution in third-party libraries | PRACTITIONER | Prototype Pollution | Open |
| Client-side prototype pollution via flawed sanitization | PRACTITIONER | Prototype Pollution | Open |
| Detecting server-side prototype pollution without polluted property reflection | PRACTITIONER | Prototype Pollution | Open |
| DOM XSS via an alternative prototype pollution vector | PRACTITIONER | Prototype Pollution · Cross-Site Scripting (XSS) | Open |
| DOM XSS via client-side prototype pollution | PRACTITIONER | Prototype Pollution · Cross-Site Scripting (XSS) | Open |
| Privilege escalation via server-side prototype pollution | PRACTITIONER | Prototype Pollution | Open |
| Remote code execution via server-side prototype pollution | PRACTITIONER | Remote Code Execution (RCE) · Prototype Pollution | Open |
Race Conditions (6)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Limit overrun race conditions | APPRENTICE | Race Conditions | Open |
| Partial construction race conditions | APPRENTICE | Race Conditions | Open |
| Bypassing rate limits via race conditions | PRACTITIONER | Race Conditions | Open |
| Exploiting time-sensitive vulnerabilities | PRACTITIONER | Race Conditions | Open |
| Multi-endpoint race conditions | PRACTITIONER | Race Conditions | Open |
| Single-endpoint race conditions | PRACTITIONER | Race Conditions | Open |
HTTP Request Smuggling (16)
Server-Side Template Injection (SSTI) (7)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Server-side template injection in a sandboxed environment | APPRENTICE | SSTI (Server-Side Template Injection) | Open |
| Server-side template injection with a custom exploit | APPRENTICE | SSTI (Server-Side Template Injection) | Open |
| Basic server-side template injection | PRACTITIONER | SSTI (Server-Side Template Injection) | Open |
| Basic server-side template injection (code context) | PRACTITIONER | SSTI (Server-Side Template Injection) | Open |
| Server-side template injection in an unknown language with a documented exploit | PRACTITIONER | SSTI (Server-Side Template Injection) | Open |
| Server-side template injection using documentation | PRACTITIONER | SSTI (Server-Side Template Injection) | Open |
| Server-side template injection with information disclosure via user-supplied objects | PRACTITIONER | SSTI (Server-Side Template Injection) · Information Leakage | Open |
SQL Injection (18)
SSRF (Server-Side Request Forgery) (7)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Basic SSRF against another back-end system | APPRENTICE | Server-Side Request Forgery | Open |
| Basic SSRF against the local server | APPRENTICE | Server-Side Request Forgery | Open |
| Blind SSRF with Shellshock exploitation | APPRENTICE | Shellshock (CVE-2014-6271) · Server-Side Request Forgery | Open |
| SSRF with whitelist-based input filter | APPRENTICE | Server-Side Request Forgery | Open |
| Blind SSRF with out-of-band detection | PRACTITIONER | Server-Side Request Forgery | Open |
| SSRF with blacklist-based input filter | PRACTITIONER | Server-Side Request Forgery | Open |
| SSRF with filter bypass via open redirection vulnerability | PRACTITIONER | Server-Side Request Forgery | Open |
Web Cache Deception (5)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Exploiting exact-match cache rules for web cache deception | APPRENTICE | Web Cache Attacks (Poisoning / Deception) | Open |
| Exploiting path mapping for web cache deception | APPRENTICE | Web Cache Attacks (Poisoning / Deception) | Open |
| Exploiting cache server normalization for web cache deception | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Exploiting origin server normalization for web cache deception | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Exploiting path delimiters for web cache deception | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
Web Cache Poisoning (13)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Cache key injection | APPRENTICE | Web Cache Attacks (Poisoning / Deception) | Open |
| Combining web cache poisoning vulnerabilities | APPRENTICE | Web Cache Attacks (Poisoning / Deception) | Open |
| Internal cache poisoning | APPRENTICE | Web Cache Attacks (Poisoning / Deception) | Open |
| Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria | APPRENTICE | Web Cache Attacks (Poisoning / Deception) | Open |
| Parameter cloaking | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Targeted web cache poisoning using an unknown header | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| URL normalization | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Web cache poisoning via a fat GET request | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Web cache poisoning via an unkeyed query parameter | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Web cache poisoning via an unkeyed query string | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Web cache poisoning with an unkeyed cookie | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Web cache poisoning with an unkeyed header | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
| Web cache poisoning with multiple headers | PRACTITIONER | Web Cache Attacks (Poisoning / Deception) | Open |
WebSockets (2)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Manipulating WebSocket messages to exploit vulnerabilities | APPRENTICE | WebSockets Vulnerabilities | Open |
| Manipulating the WebSocket handshake to exploit vulnerabilities | PRACTITIONER | WebSockets Vulnerabilities | Open |
XXE (XML External Entity) (9)
| Lab | Difficulty | Skills | Official |
|---|---|---|---|
| Exploiting XXE to perform SSRF attacks | APPRENTICE | XML External Entity · Server-Side Request Forgery | Open |
| Exploiting XXE to retrieve data by repurposing a local DTD | APPRENTICE | XML External Entity | Open |
| Exploiting XXE using external entities to retrieve files | APPRENTICE | XML External Entity | Open |
| Blind XXE with out-of-band interaction | PRACTITIONER | XML External Entity | Open |
| Blind XXE with out-of-band interaction via XML parameter entities | PRACTITIONER | XML External Entity | Open |
| Exploiting blind XXE to exfiltrate data using a malicious external DTD | PRACTITIONER | XML External Entity | Open |
| Exploiting blind XXE to retrieve data via error messages | PRACTITIONER | XML External Entity | Open |
| Exploiting XInclude to retrieve files | PRACTITIONER | XML External Entity | Open |
| Exploiting XXE via image file upload | PRACTITIONER | XML External Entity · File Upload Vulnerabilities | Open |