> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# All

# PortSwigger · Web Security Academy

Catalog: **262 labs** indexed from PortSwigger Web Security Academy. Each lab links to the official exercise and PortSwigger's solution. The official sitemap coverage is partial; XSS, authentication, business logic and other topics will be added manually over time.

## Access Control Vulnerabilities (13)

| Lab                                                                                                                                                                                | Difficulty                                                 | Skills                | Official                                                                                                                              |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| [Insecure direct object references](/en/portswigger/labs/access-control/insecure-direct-object-references)                                                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)                                     |
| [Unprotected admin functionality](/en/portswigger/labs/access-control/unprotected-admin-functionality)                                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality)                                       |
| [Unprotected admin functionality with unpredictable URL](/en/portswigger/labs/access-control/unprotected-admin-functionality-with-unpredictable-url)                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality-with-unpredictable-url)                |
| [User ID controlled by request parameter](/en/portswigger/labs/access-control/user-id-controlled-by-request-parameter)                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter)                               |
| [User ID controlled by request parameter with data leakage in redirect](/en/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-data-leakage-in-redirect) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-data-leakage-in-redirect) |
| [User ID controlled by request parameter with password disclosure](/en/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-password-disclosure)           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure)      |
| [User ID controlled by request parameter, with unpredictable user IDs](/en/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-unpredictable-user-ids)    | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-unpredictable-user-ids)   |
| [User role can be modified in user profile](/en/portswigger/labs/access-control/user-role-can-be-modified-in-user-profile)                                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile)                             |
| [User role controlled by request parameter](/en/portswigger/labs/access-control/user-role-controlled-by-request-parameter)                                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-user-role-controlled-by-request-parameter)                             |
| [Method-based access control can be circumvented](/en/portswigger/labs/access-control/method-based-access-control-can-be-circumvented)                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented)                       |
| [Multi-step process with no access control on one step](/en/portswigger/labs/access-control/multi-step-process-with-no-access-control-on-one-step)                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-multi-step-process-with-no-access-control-on-one-step)                 |
| [Referer-based access control](/en/portswigger/labs/access-control/referer-based-access-control)                                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-referer-based-access-control)                                          |
| [URL-based access control can be circumvented](/en/portswigger/labs/access-control/url-based-access-control-can-be-circumvented)                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control / IDOR | [Open](https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented)                          |

## API Testing (5)

| Lab                                                                                                                                                                                         | Difficulty                                                 | Skills      | Official                                                                                                                                                |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Exploiting an API endpoint using documentation](/en/portswigger/labs/api-testing/exploiting-api-endpoint-using-documentation)                                                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | API Testing | [Open](https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation)                                                |
| [Exploiting server-side parameter pollution in a REST URL](/en/portswigger/labs/api-testing/server-side-parameter-pollution-exploiting-server-side-parameter-pollution-in-rest-url)         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | API Testing | [Open](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-rest-url)     |
| [Exploiting a mass assignment vulnerability](/en/portswigger/labs/api-testing/exploiting-mass-assignment-vulnerability)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | API Testing | [Open](https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability)                                                   |
| [Exploiting server-side parameter pollution in a query string](/en/portswigger/labs/api-testing/server-side-parameter-pollution-exploiting-server-side-parameter-pollution-in-query-string) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | API Testing | [Open](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-query-string) |
| [Finding and exploiting an unused API endpoint](/en/portswigger/labs/api-testing/exploiting-unused-api-endpoint)                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | API Testing | [Open](https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint)                                                             |

## Authentication Vulnerabilities (14)

| Lab                                                                                                                                                                                  | Difficulty                                                 | Skills                                                       | Official                                                                                                                                      |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | ------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
| [2FA bypass using a brute-force attack](/en/portswigger/labs/authentication/multi-factor-2fa-bypass-using-a-brute-force-attack)                                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · Remote Code Execution (RCE) | [Open](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-bypass-using-a-brute-force-attack)                            |
| [2FA simple bypass](/en/portswigger/labs/authentication/multi-factor-2fa-simple-bypass)                                                                                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass)                                                |
| [Broken brute-force protection, multiple credentials per request](/en/portswigger/labs/authentication/password-based-broken-brute-force-protection-multiple-credentials-per-request) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · Remote Code Execution (RCE) | [Open](https://portswigger.net/web-security/authentication/password-based/lab-broken-brute-force-protection-multiple-credentials-per-request) |
| [Password reset broken logic](/en/portswigger/labs/authentication/other-mechanisms-password-reset-broken-logic)                                                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-broken-logic)                                  |
| [Username enumeration via different responses](/en/portswigger/labs/authentication/password-based-username-enumeration-via-different-responses)                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses)                   |
| [2FA broken logic](/en/portswigger/labs/authentication/multi-factor-2fa-broken-logic)                                                                                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-broken-logic)                                                 |
| [Broken brute-force protection, IP block](/en/portswigger/labs/authentication/password-based-broken-bruteforce-protection-ip-block)                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · Remote Code Execution (RCE) | [Open](https://portswigger.net/web-security/authentication/password-based/lab-broken-bruteforce-protection-ip-block)                          |
| [Brute-forcing a stay-logged-in cookie](/en/portswigger/labs/authentication/other-mechanisms-brute-forcing-a-stay-logged-in-cookie)                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/other-mechanisms/lab-brute-forcing-a-stay-logged-in-cookie)                        |
| [Offline password cracking](/en/portswigger/labs/authentication/other-mechanisms-offline-password-cracking)                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/other-mechanisms/lab-offline-password-cracking)                                    |
| [Password brute-force via password change](/en/portswigger/labs/authentication/other-mechanisms-password-brute-force-via-password-change)                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · Remote Code Execution (RCE) | [Open](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-brute-force-via-password-change)                     |
| [Password reset poisoning via middleware](/en/portswigger/labs/authentication/other-mechanisms-password-reset-poisoning-via-middleware)                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-poisoning-via-middleware)                      |
| [Username enumeration via account lock](/en/portswigger/labs/authentication/password-based-username-enumeration-via-account-lock)                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-account-lock)                          |
| [Username enumeration via response timing](/en/portswigger/labs/authentication/password-based-username-enumeration-via-response-timing)                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing)                       |
| [Username enumeration via subtly different responses](/en/portswigger/labs/authentication/password-based-username-enumeration-via-subtly-different-responses)                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Open](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses)            |

## Clickjacking (5)

| Lab                                                                                                                                     | Difficulty                                                 | Skills                                           | Official                                                                                          |
| --------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------ | ------------------------------------------------------------------------------------------------- |
| [Basic clickjacking with CSRF token protection](/en/portswigger/labs/clickjacking/basic-csrf-protected)                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clickjacking · CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected)                |
| [Clickjacking with a frame buster script](/en/portswigger/labs/clickjacking/frame-buster-script)                                        | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clickjacking                                     | [Open](https://portswigger.net/web-security/clickjacking/lab-frame-buster-script)                 |
| [Clickjacking with form input data prefilled from a URL parameter](/en/portswigger/labs/clickjacking/prefilled-form-input)              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clickjacking                                     | [Open](https://portswigger.net/web-security/clickjacking/lab-prefilled-form-input)                |
| [Exploiting clickjacking vulnerability to trigger DOM-based XSS](/en/portswigger/labs/clickjacking/exploiting-to-trigger-dom-based-xss) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Clickjacking · Cross-Site Scripting (XSS)        | [Open](https://portswigger.net/web-security/clickjacking/lab-exploiting-to-trigger-dom-based-xss) |
| [Multistep clickjacking](/en/portswigger/labs/clickjacking/multistep)                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Clickjacking                                     | [Open](https://portswigger.net/web-security/clickjacking/lab-multistep)                           |

## CORS (3)

| Lab                                                                                                         | Difficulty                                                 | Skills                               | Official                                                                             |
| ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------ |
| [CORS vulnerability with basic origin reflection](/en/portswigger/labs/cors/basic-origin-reflection-attack) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | CORS (Cross-Origin Resource Sharing) | [Open](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack) |
| [CORS vulnerability with trusted null origin](/en/portswigger/labs/cors/null-origin-whitelisted-attack)     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | CORS (Cross-Origin Resource Sharing) | [Open](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack) |
| [CORS vulnerability with trusted insecure protocols](/en/portswigger/labs/cors/breaking-https-attack)       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CORS (Cross-Origin Resource Sharing) | [Open](https://portswigger.net/web-security/cors/lab-breaking-https-attack)          |

## Cross-Site Scripting (XSS) (28)

| Lab                                                                                                                                                                                                                                                                         | Difficulty                                                 | Skills                                                         | Official                                                                                                                                                                   |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [DOM XSS in document.write sink using source location.search](/en/portswigger/labs/cross-site-scripting/dom-based-document-write-sink)                                                                                                                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) · Remote Code Execution (RCE)       | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink)                                                                        |
| [DOM XSS in innerHTML sink using source location.search](/en/portswigger/labs/cross-site-scripting/dom-based-innerhtml-sink)                                                                                                                                                | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) · Remote Code Execution (RCE)       | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-innerhtml-sink)                                                                             |
| [DOM XSS in jQuery anchor href attribute sink using location.search source](/en/portswigger/labs/cross-site-scripting/dom-based-jquery-href-attribute-sink)                                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) · Remote Code Execution (RCE)       | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink)                                                                 |
| [DOM XSS in jQuery selector sink using a hashchange event](/en/portswigger/labs/cross-site-scripting/dom-based-jquery-selector-hash-change-event)                                                                                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-selector-hash-change-event)                                                          |
| [Reflected XSS in a JavaScript URL with some characters blocked](/en/portswigger/labs/cross-site-scripting/contexts-javascript-url-some-characters-blocked)                                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked)                                                      |
| [Reflected XSS into a JavaScript string with angle brackets HTML encoded](/en/portswigger/labs/cross-site-scripting/contexts-javascript-string-angle-brackets-html-encoded)                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-html-encoded)                                               |
| [Reflected XSS into attribute with angle brackets HTML-encoded](/en/portswigger/labs/cross-site-scripting/contexts-attribute-angle-brackets-html-encoded)                                                                                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-attribute-angle-brackets-html-encoded)                                                       |
| [Reflected XSS into HTML context with nothing encoded](/en/portswigger/labs/cross-site-scripting/reflected-html-context-nothing-encoded)                                                                                                                                    | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded)                                                               |
| [Reflected XSS protected by CSP, with CSP bypass](/en/portswigger/labs/cross-site-scripting/content-security-policy-csp-bypass)                                                                                                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-csp-bypass)                                                                   |
| [Reflected XSS with event handlers and href attributes blocked](/en/portswigger/labs/cross-site-scripting/contexts-event-handlers-and-href-attributes-blocked)                                                                                                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-event-handlers-and-href-attributes-blocked)                                                  |
| [Stored XSS into anchor href attribute with double quotes HTML-encoded](/en/portswigger/labs/cross-site-scripting/contexts-href-attribute-double-quotes-html-encoded)                                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-href-attribute-double-quotes-html-encoded)                                                   |
| [Stored XSS into HTML context with nothing encoded](/en/portswigger/labs/cross-site-scripting/stored-html-context-nothing-encoded)                                                                                                                                          | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded)                                                                  |
| [DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded](/en/portswigger/labs/cross-site-scripting/dom-based-angularjs-expression)                                                                                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)                                                                       |
| [DOM XSS in document.write sink using source location.search inside a select element](/en/portswigger/labs/cross-site-scripting/dom-based-document-write-sink-inside-select-element)                                                                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) · Remote Code Execution (RCE)       | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink-inside-select-element)                                                  |
| [Exploiting cross-site scripting to capture passwords](/en/portswigger/labs/cross-site-scripting/exploiting-capturing-passwords)                                                                                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-capturing-passwords)                                                                       |
| [Exploiting cross-site scripting to steal cookies](/en/portswigger/labs/cross-site-scripting/exploiting-stealing-cookies)                                                                                                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies)                                                                          |
| [Exploiting XSS to bypass CSRF defenses](/en/portswigger/labs/cross-site-scripting/exploiting-perform-csrf)                                                                                                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) · CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf)                                                                              |
| [Reflected DOM XSS](/en/portswigger/labs/cross-site-scripting/dom-based-dom-xss-reflected)                                                                                                                                                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-reflected)                                                                          |
| [Reflected XSS in canonical link tag](/en/portswigger/labs/cross-site-scripting/contexts-canonical-link-tag)                                                                                                                                                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-canonical-link-tag)                                                                          |
| [Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped](/en/portswigger/labs/cross-site-scripting/contexts-javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped)                      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped)                |
| [Reflected XSS into a JavaScript string with single quote and backslash escaped](/en/portswigger/labs/cross-site-scripting/contexts-javascript-string-single-quote-backslash-escaped)                                                                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-single-quote-backslash-escaped)                                            |
| [Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped](/en/portswigger/labs/cross-site-scripting/contexts-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped) |
| [Reflected XSS into HTML context with all tags blocked except custom ones](/en/portswigger/labs/cross-site-scripting/contexts-html-context-with-all-standard-tags-blocked)                                                                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-all-standard-tags-blocked)                                                 |
| [Reflected XSS into HTML context with most tags and attributes blocked](/en/portswigger/labs/cross-site-scripting/contexts-html-context-with-most-tags-and-attributes-blocked)                                                                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked)                                          |
| [Reflected XSS protected by very strict CSP, with dangling markup attack](/en/portswigger/labs/cross-site-scripting/content-security-policy-very-strict-csp-with-dangling-markup-attack)                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-very-strict-csp-with-dangling-markup-attack)                                  |
| [Reflected XSS with some SVG markup allowed](/en/portswigger/labs/cross-site-scripting/contexts-some-svg-markup-allowed)                                                                                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed)                                                                     |
| [Stored DOM XSS](/en/portswigger/labs/cross-site-scripting/dom-based-dom-xss-stored)                                                                                                                                                                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-stored)                                                                             |
| [Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped](/en/portswigger/labs/cross-site-scripting/contexts-onclick-event-angle-brackets-double-quotes-html-encoded-single-quotes-backslash-escaped)      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-onclick-event-angle-brackets-double-quotes-html-encoded-single-quotes-backslash-escaped)     |

## CSRF (Cross-Site Request Forgery) (12)

| Lab                                                                                                                                                                            | Difficulty                                                 | Skills                            | Official                                                                                                                                  |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| [CSRF vulnerability with no defenses](/en/portswigger/labs/csrf/no-defenses)                                                                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/lab-no-defenses)                                                                         |
| [CSRF where Referer validation depends on header being present](/en/portswigger/labs/csrf/bypassing-referer-based-defenses-referer-validation-depends-on-header-being-present) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-depends-on-header-being-present) |
| [CSRF where token is duplicated in cookie](/en/portswigger/labs/csrf/bypassing-token-validation-token-duplicated-in-cookie)                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-duplicated-in-cookie)                               |
| [CSRF where token is not tied to user session](/en/portswigger/labs/csrf/bypassing-token-validation-token-not-tied-to-user-session)                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-not-tied-to-user-session)                           |
| [CSRF where token is tied to non-session cookie](/en/portswigger/labs/csrf/bypassing-token-validation-token-tied-to-non-session-cookie)                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-tied-to-non-session-cookie)                         |
| [CSRF where token validation depends on request method](/en/portswigger/labs/csrf/bypassing-token-validation-token-validation-depends-on-request-method)                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-validation-depends-on-request-method)               |
| [CSRF where token validation depends on token being present](/en/portswigger/labs/csrf/bypassing-token-validation-token-validation-depends-on-token-being-present)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-validation-depends-on-token-being-present)          |
| [CSRF with broken Referer validation](/en/portswigger/labs/csrf/bypassing-referer-based-defenses-referer-validation-broken)                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken)                          |
| [SameSite Lax bypass via cookie refresh](/en/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-cookie-refresh)                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh)           |
| [SameSite Lax bypass via method override](/en/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-lax-bypass-via-method-override)                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override)             |
| [SameSite Strict bypass via client-side redirect](/en/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-client-side-redirect)                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-client-side-redirect)     |
| [SameSite Strict bypass via sibling domain](/en/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-sibling-domain)                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-sibling-domain)           |

## Insecure Deserialization (10)

| Lab                                                                                                                                                                                                        | Difficulty                                                 | Skills                   | Official                                                                                                                                                        |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Developing a custom gadget chain for Java deserialization](/en/portswigger/labs/deserialization/exploiting-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)           |
| [Developing a custom gadget chain for PHP deserialization](/en/portswigger/labs/deserialization/exploiting-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)            |
| [Modifying serialized objects](/en/portswigger/labs/deserialization/exploiting-deserialization-modifying-serialized-objects)                                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects)                                        |
| [Using PHAR deserialization to deploy a custom gadget chain](/en/portswigger/labs/deserialization/exploiting-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)          |
| [Arbitrary object injection in PHP](/en/portswigger/labs/deserialization/exploiting-deserialization-arbitrary-object-injection-in-php)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php)                                   |
| [Exploiting Java deserialization with Apache Commons](/en/portswigger/labs/deserialization/exploiting-deserialization-exploiting-java-deserialization-with-apache-commons)                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons)                 |
| [Exploiting PHP deserialization with a pre-built gadget chain](/en/portswigger/labs/deserialization/exploiting-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)        |
| [Exploiting Ruby deserialization using a documented gadget chain](/en/portswigger/labs/deserialization/exploiting-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)     |
| [Modifying serialized data types](/en/portswigger/labs/deserialization/exploiting-deserialization-modifying-serialized-data-types)                                                                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types)                                     |
| [Using application functionality to exploit insecure deserialization](/en/portswigger/labs/deserialization/exploiting-deserialization-using-application-functionality-to-exploit-insecure-deserialization) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization) |

## DOM-based Vulnerabilities (7)

| Lab                                                                                                                                                                  | Difficulty                                                 | Skills                                                                      | Official                                                                                                                                      |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| [Clobbering DOM attributes to bypass HTML filters](/en/portswigger/labs/dom-based/dom-clobbering-dom-clobbering-attributes-to-bypass-html-filters)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clobbering DOM attributes to bypass HTML filters  DOM-based Vulnerabilities | [Open](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters)                    |
| [Exploiting DOM clobbering to enable XSS](/en/portswigger/labs/dom-based/dom-clobbering-dom-xss-exploiting-dom-clobbering)                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                                  | [Open](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering)                                   |
| [DOM XSS using web messages](/en/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                                  | [Open](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages)                      |
| [DOM XSS using web messages and a JavaScript URL](/en/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages-and-a-javascript-url) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                                  | [Open](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url) |
| [DOM XSS using web messages and JSON.parse](/en/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages-and-json-parse)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                                  | [Open](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse)       |
| [DOM-based cookie manipulation](/en/portswigger/labs/dom-based/cookie-manipulation-dom-cookie-manipulation)                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | DOM-based cookie manipulation  DOM-based Vulnerabilities                    | [Open](https://portswigger.net/web-security/dom-based/cookie-manipulation/lab-dom-cookie-manipulation)                                        |
| [DOM-based open redirection](/en/portswigger/labs/dom-based/open-redirection-dom-open-redirection)                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | DOM-based open redirection  DOM-based Vulnerabilities                       | [Open](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)                                              |

## Essential Skills (2)

| Lab                                                                                                                                                                                                     | Difficulty                                                 | Skills                                                                       | Official                                                                                                                                                              |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Discovering vulnerabilities quickly with targeted scanning](/en/portswigger/labs/essential-skills/using-burp-scanner-during-manual-testing-discovering-vulnerabilities-quickly-with-targeted-scanning) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Discovering vulnerabilities quickly with targeted scanning  Essential Skills | [Open](https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-discovering-vulnerabilities-quickly-with-targeted-scanning) |
| [Scanning non-standard data structures](/en/portswigger/labs/essential-skills/using-burp-scanner-during-manual-testing-scanning-non-standard-data-structures)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Scanning non-standard data structures  Essential Skills                      | [Open](https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-scanning-non-standard-data-structures)                      |

## Directory / Path Traversal (6)

| Lab                                                                                                                                                          | Difficulty                                                 | Skills                     | Official                                                                                                      |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | -------------------------- | ------------------------------------------------------------------------------------------------------------- |
| [File path traversal, simple case](/en/portswigger/labs/file-path-traversal/simple)                                                                          | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Directory / Path Traversal | [Open](https://portswigger.net/web-security/file-path-traversal/lab-simple)                                   |
| [File path traversal, traversal sequences blocked with absolute path bypass](/en/portswigger/labs/file-path-traversal/absolute-path-bypass)                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Open](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)                     |
| [File path traversal, traversal sequences stripped non-recursively](/en/portswigger/labs/file-path-traversal/sequences-stripped-non-recursively)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Open](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)       |
| [File path traversal, traversal sequences stripped with superfluous URL-decode](/en/portswigger/labs/file-path-traversal/superfluous-url-decode)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Open](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)                   |
| [File path traversal, validation of file extension with null byte bypass](/en/portswigger/labs/file-path-traversal/validate-file-extension-null-byte-bypass) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Open](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass) |
| [File path traversal, validation of start of path](/en/portswigger/labs/file-path-traversal/validate-start-of-path)                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Open](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)                   |

## File Upload Vulnerabilities (7)

| Lab                                                                                                                                                       | Difficulty                                                 | Skills                                                    | Official                                                                                                                      |
| --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| [Remote code execution via web shell upload](/en/portswigger/labs/file-upload/file-upload-remote-code-execution-via-web-shell-upload)                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | File Upload Vulnerabilities · Remote Code Execution (RCE) | [Open](https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload)           |
| [Web shell upload via Content-Type restriction bypass](/en/portswigger/labs/file-upload/file-upload-web-shell-upload-via-content-type-restriction-bypass) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | File Upload Vulnerabilities                               | [Open](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass) |
| [Web shell upload via race condition](/en/portswigger/labs/file-upload/file-upload-web-shell-upload-via-race-condition)                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | File Upload Vulnerabilities · Race Conditions             | [Open](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-race-condition)                  |
| [Remote code execution via polyglot web shell upload](/en/portswigger/labs/file-upload/file-upload-remote-code-execution-via-polyglot-web-shell-upload)   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | File Upload Vulnerabilities · Remote Code Execution (RCE) | [Open](https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-polyglot-web-shell-upload)  |
| [Web shell upload via extension blacklist bypass](/en/portswigger/labs/file-upload/file-upload-web-shell-upload-via-extension-blacklist-bypass)           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | File Upload Vulnerabilities                               | [Open](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-extension-blacklist-bypass)      |
| [Web shell upload via obfuscated file extension](/en/portswigger/labs/file-upload/file-upload-web-shell-upload-via-obfuscated-file-extension)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | File Upload Vulnerabilities                               | [Open](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-obfuscated-file-extension)       |
| [Web shell upload via path traversal](/en/portswigger/labs/file-upload/file-upload-web-shell-upload-via-path-traversal)                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | File Upload Vulnerabilities · Directory / Path Traversal  | [Open](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-path-traversal)                  |

## GraphQL (5)

| Lab                                                                                                             | Difficulty                                                 | Skills                                                                                  | Official                                                                                       |
| --------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| [Accessing private GraphQL posts](/en/portswigger/labs/graphql/graphql-reading-private-posts)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | GraphQL Vulnerabilities                                                                 | [Open](https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts)         |
| [Accidental exposure of private GraphQL fields](/en/portswigger/labs/graphql/graphql-accidental-field-exposure) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | GraphQL Vulnerabilities                                                                 | [Open](https://portswigger.net/web-security/graphql/lab-graphql-accidental-field-exposure)     |
| [Bypassing GraphQL brute force protections](/en/portswigger/labs/graphql/graphql-brute-force-protection-bypass) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Brute Force / Rate-Limit Bypass · GraphQL Vulnerabilities · Remote Code Execution (RCE) | [Open](https://portswigger.net/web-security/graphql/lab-graphql-brute-force-protection-bypass) |
| [Finding a hidden GraphQL endpoint](/en/portswigger/labs/graphql/graphql-find-the-endpoint)                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | GraphQL Vulnerabilities                                                                 | [Open](https://portswigger.net/web-security/graphql/lab-graphql-find-the-endpoint)             |
| [Performing CSRF exploits over GraphQL](/en/portswigger/labs/graphql/graphql-csrf-via-graphql-api)              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | GraphQL Vulnerabilities · CSRF (Cross-Site Request Forgery)                             | [Open](https://portswigger.net/web-security/graphql/lab-graphql-csrf-via-graphql-api)          |

## HTTP Host Header Attacks (5)

| Lab                                                                                                                                                              | Difficulty                                                 | Skills                                                               | Official                                                                                                                               |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| [Host header authentication bypass](/en/portswigger/labs/host-header/exploiting-host-header-authentication-bypass)                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · HTTP Host Header Attacks            | [Open](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass)                              |
| [Host validation bypass via connection state attack](/en/portswigger/labs/host-header/exploiting-host-header-host-validation-bypass-via-connection-state-attack) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Host Header Attacks                                             | [Open](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-host-validation-bypass-via-connection-state-attack) |
| [Routing-based SSRF](/en/portswigger/labs/host-header/exploiting-host-header-routing-based-ssrf)                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Host Header Attacks · Server-Side Request Forgery               | [Open](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf)                                 |
| [SSRF via flawed request parsing](/en/portswigger/labs/host-header/exploiting-host-header-ssrf-via-flawed-request-parsing)                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Host Header Attacks · Server-Side Request Forgery               | [Open](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-ssrf-via-flawed-request-parsing)                    |
| [Web cache poisoning via ambiguous requests](/en/portswigger/labs/host-header/exploiting-host-header-web-cache-poisoning-via-ambiguous-requests)                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) · HTTP Host Header Attacks | [Open](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-web-cache-poisoning-via-ambiguous-requests)         |

## Information Disclosure (5)

| Lab                                                                                                                                             | Difficulty                                                 | Skills                                               | Official                                                                                                               |
| ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| [Authentication bypass via information disclosure](/en/portswigger/labs/information-disclosure/exploiting-infoleak-authentication-bypass)       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Information Leakage · Authentication Vulnerabilities | [Open](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass)      |
| [Information disclosure in error messages](/en/portswigger/labs/information-disclosure/exploiting-infoleak-in-error-messages)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Information Leakage                                  | [Open](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-error-messages)          |
| [Information disclosure on debug page](/en/portswigger/labs/information-disclosure/exploiting-infoleak-on-debug-page)                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Information Leakage                                  | [Open](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page)              |
| [Source code disclosure via backup files](/en/portswigger/labs/information-disclosure/exploiting-infoleak-via-backup-files)                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Information Leakage · Remote Code Execution (RCE)    | [Open](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files)           |
| [Information disclosure in version control history](/en/portswigger/labs/information-disclosure/exploiting-infoleak-in-version-control-history) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Information Leakage                                  | [Open](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-version-control-history) |

## JWT (JSON Web Tokens) (8)

| Lab                                                                                                                                                                                         | Difficulty                                                 | Skills                                                                              | Official                                                                                                                                       |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| [JWT authentication bypass via algorithm confusion](/en/portswigger/labs/jwt/algorithm-confusion-jwt-authentication-bypass-via-algorithm-confusion)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Open](https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion)                     |
| [JWT authentication bypass via algorithm confusion with no exposed key](/en/portswigger/labs/jwt/algorithm-confusion-jwt-authentication-bypass-via-algorithm-confusion-with-no-exposed-key) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Open](https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion-with-no-exposed-key) |
| [JWT authentication bypass via flawed signature verification](/en/portswigger/labs/jwt/jwt-authentication-bypass-via-flawed-signature-verification)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Open](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification)                               |
| [JWT authentication bypass via unverified signature](/en/portswigger/labs/jwt/jwt-authentication-bypass-via-unverified-signature)                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Open](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature)                                        |
| [JWT authentication bypass via jku header injection](/en/portswigger/labs/jwt/jwt-authentication-bypass-via-jku-header-injection)                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Open](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection)                                        |
| [JWT authentication bypass via jwk header injection](/en/portswigger/labs/jwt/jwt-authentication-bypass-via-jwk-header-injection)                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Open](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection)                                        |
| [JWT authentication bypass via kid header path traversal](/en/portswigger/labs/jwt/jwt-authentication-bypass-via-kid-header-path-traversal)                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · JSON Web Tokens (JWT) · Directory / Path Traversal | [Open](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)                                   |
| [JWT authentication bypass via weak signing key](/en/portswigger/labs/jwt/jwt-authentication-bypass-via-weak-signing-key)                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Open](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key)                                            |

## LLM Attacks (8)

| Lab                                                                                                                                                                                                        | Difficulty                                                 | Skills                         | Official                                                                                                                                                          |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Exploiting AI agents to exfiltrate sensitive information](/en/portswigger/labs/llm-attacks/ai-powered-scanner-vulnerabilities-sensitive-information-exfiltration)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | LLM Attacks (Prompt Injection) | [Open](https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities/lab-sensitive-information-exfiltration)                                |
| [Exploiting AI agents to perform destructive actions](/en/portswigger/labs/llm-attacks/ai-powered-scanner-vulnerabilities-indirect-prompt-injection-via-ai-powered-scan)                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | LLM Attacks (Prompt Injection) | [Open](https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities/lab-indirect-prompt-injection-via-ai-powered-scan)                     |
| [Exploiting insecure output handling in LLMs](/en/portswigger/labs/llm-attacks/exploiting-insecure-output-handling-in-llms)                                                                                | <span className="dbadge dbadge-easy">APPRENTICE</span>     | LLM Attacks (Prompt Injection) | [Open](https://portswigger.net/web-security/llm-attacks/lab-exploiting-insecure-output-handling-in-llms)                                                          |
| [Exploiting LLM APIs with excessive agency](/en/portswigger/labs/llm-attacks/exploiting-llm-apis-with-excessive-agency)                                                                                    | <span className="dbadge dbadge-easy">APPRENTICE</span>     | LLM Attacks (Prompt Injection) | [Open](https://portswigger.net/web-security/llm-attacks/lab-exploiting-llm-apis-with-excessive-agency)                                                            |
| [Bypassing AI scanner defenses to exfiltrate sensitive information](/en/portswigger/labs/llm-attacks/ai-powered-scanner-vulnerabilities-bypassing-ai-scanner-defenses-to-exfiltrate-sensitive-information) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | LLM Attacks (Prompt Injection) | [Open](https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities/lab-bypassing-ai-scanner-defenses-to-exfiltrate-sensitive-information) |
| [Exploiting AI agents to trigger secondary vulnerabilities](/en/portswigger/labs/llm-attacks/ai-powered-scanner-vulnerabilities-exploiting-target-website-vulnerabilities-to-bypass-restrictions)          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | LLM Attacks (Prompt Injection) | [Open](https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities/lab-exploiting-target-website-vulnerabilities-to-bypass-restrictions)  |
| [Exploiting vulnerabilities in LLM APIs](/en/portswigger/labs/llm-attacks/exploiting-vulnerabilities-in-llm-apis)                                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | LLM Attacks (Prompt Injection) | [Open](https://portswigger.net/web-security/llm-attacks/lab-exploiting-vulnerabilities-in-llm-apis)                                                               |
| [Indirect prompt injection](/en/portswigger/labs/llm-attacks/indirect-prompt-injection)                                                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | LLM Attacks (Prompt Injection) | [Open](https://portswigger.net/web-security/llm-attacks/lab-indirect-prompt-injection)                                                                            |

## Business Logic Vulnerabilities (12)

| Lab                                                                                                                                                                                              | Difficulty                                                 | Skills                                                          | Official                                                                                                                                              |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Bypassing access controls using email address parsing discrepancies](/en/portswigger/labs/logic-flaws/examples-logic-flaws-bypassing-access-controls-using-email-address-parsing-discrepancies) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities · Access Control / IDOR          | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-bypassing-access-controls-using-email-address-parsing-discrepancies) |
| [Excessive trust in client-side controls](/en/portswigger/labs/logic-flaws/examples-logic-flaws-excessive-trust-in-client-side-controls)                                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities                                  | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls)                             |
| [Flawed enforcement of business rules](/en/portswigger/labs/logic-flaws/examples-logic-flaws-flawed-enforcement-of-business-rules)                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities · Remote Code Execution (RCE)    | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-flawed-enforcement-of-business-rules)                                |
| [High-level logic vulnerability](/en/portswigger/labs/logic-flaws/examples-logic-flaws-high-level)                                                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities                                  | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-high-level)                                                          |
| [Inconsistent security controls](/en/portswigger/labs/logic-flaws/examples-logic-flaws-inconsistent-security-controls)                                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities                                  | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-security-controls)                                      |
| [Authentication bypass via encryption oracle](/en/portswigger/labs/logic-flaws/examples-logic-flaws-authentication-bypass-via-encryption-oracle)                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · Business Logic Vulnerabilities | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-authentication-bypass-via-encryption-oracle)                         |
| [Authentication bypass via flawed state machine](/en/portswigger/labs/logic-flaws/examples-logic-flaws-authentication-bypass-via-flawed-state-machine)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · Business Logic Vulnerabilities | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-authentication-bypass-via-flawed-state-machine)                      |
| [Inconsistent handling of exceptional input](/en/portswigger/labs/logic-flaws/examples-logic-flaws-inconsistent-handling-of-exceptional-input)                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-handling-of-exceptional-input)                          |
| [Infinite money logic flaw](/en/portswigger/labs/logic-flaws/examples-logic-flaws-infinite-money)                                                                                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-infinite-money)                                                      |
| [Insufficient workflow validation](/en/portswigger/labs/logic-flaws/examples-logic-flaws-insufficient-workflow-validation)                                                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation)                                    |
| [Low-level logic flaw](/en/portswigger/labs/logic-flaws/examples-logic-flaws-low-level)                                                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-low-level)                                                           |
| [Weak isolation on dual-use endpoint](/en/portswigger/labs/logic-flaws/examples-logic-flaws-weak-isolation-on-dual-use-endpoint)                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Open](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-weak-isolation-on-dual-use-endpoint)                                 |

## NoSQL Injection (4)

| Lab                                                                                                                                          | Difficulty                                                 | Skills        | Official                                                                                                |
| -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------- |
| [Detecting NoSQL injection](/en/portswigger/labs/nosql-injection/nosql-injection-detection)                                                  | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection | [Open](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-detection)              |
| [Exploiting NoSQL operator injection to bypass authentication](/en/portswigger/labs/nosql-injection/nosql-injection-bypass-authentication)   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection | [Open](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-bypass-authentication)  |
| [Exploiting NoSQL injection to extract data](/en/portswigger/labs/nosql-injection/nosql-injection-extract-data)                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-data)           |
| [Exploiting NoSQL operator injection to extract unknown fields](/en/portswigger/labs/nosql-injection/nosql-injection-extract-unknown-fields) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-unknown-fields) |

## OAuth Authentication (6)

| Lab                                                                                                                                     | Difficulty                                                 | Skills                                                                | Official                                                                                                        |
| --------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| [Authentication bypass via OAuth implicit flow](/en/portswigger/labs/oauth/oauth-authentication-bypass-via-oauth-implicit-flow)         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · OAuth Authentication Vulnerabilities | [Open](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)      |
| [Stealing OAuth access tokens via a proxy page](/en/portswigger/labs/oauth/oauth-stealing-oauth-access-tokens-via-a-proxy-page)         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | OAuth Authentication Vulnerabilities                                  | [Open](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)      |
| [Forced OAuth profile linking](/en/portswigger/labs/oauth/oauth-forced-oauth-profile-linking)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OAuth Authentication Vulnerabilities · Remote Code Execution (RCE)    | [Open](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)                       |
| [OAuth account hijacking via redirect\_uri](/en/portswigger/labs/oauth/oauth-account-hijacking-via-redirect-uri)                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OAuth Authentication Vulnerabilities                                  | [Open](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)                 |
| [SSRF via OpenID dynamic client registration](/en/portswigger/labs/oauth/openid-oauth-ssrf-via-openid-dynamic-client-registration)      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OAuth Authentication Vulnerabilities · Server-Side Request Forgery    | [Open](https://portswigger.net/web-security/oauth/openid/lab-oauth-ssrf-via-openid-dynamic-client-registration) |
| [Stealing OAuth access tokens via an open redirect](/en/portswigger/labs/oauth/oauth-stealing-oauth-access-tokens-via-an-open-redirect) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OAuth Authentication Vulnerabilities                                  | [Open](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)  |

## OS Command Injection (5)

| Lab                                                                                                                                            | Difficulty                                                 | Skills               | Official                                                                                                  |
| ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------- | --------------------------------------------------------------------------------------------------------- |
| [OS command injection, simple case](/en/portswigger/labs/os-command-injection/simple)                                                          | <span className="dbadge dbadge-easy">APPRENTICE</span>     | OS Command Injection | [Open](https://portswigger.net/web-security/os-command-injection/lab-simple)                              |
| [Blind OS command injection with out-of-band data exfiltration](/en/portswigger/labs/os-command-injection/blind-out-of-band-data-exfiltration) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OS Command Injection | [Open](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration) |
| [Blind OS command injection with out-of-band interaction](/en/portswigger/labs/os-command-injection/blind-out-of-band)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OS Command Injection | [Open](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band)                   |
| [Blind OS command injection with output redirection](/en/portswigger/labs/os-command-injection/blind-output-redirection)                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OS Command Injection | [Open](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection)            |
| [Blind OS command injection with time delays](/en/portswigger/labs/os-command-injection/blind-time-delays)                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OS Command Injection | [Open](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays)                   |

## Prototype Pollution (9)

| Lab                                                                                                                                                                                                                   | Difficulty                                                 | Skills                                            | Official                                                                                                                                                        |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Exfiltrating sensitive data via server-side prototype pollution](/en/portswigger/labs/prototype-pollution/server-side-exfiltrating-sensitive-data-via-server-side-prototype-pollution)                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Prototype Pollution                               | [Open](https://portswigger.net/web-security/prototype-pollution/server-side/lab-exfiltrating-sensitive-data-via-server-side-prototype-pollution)                |
| [Bypassing flawed input filters for server-side prototype pollution](/en/portswigger/labs/prototype-pollution/server-side-bypassing-flawed-input-filters-for-server-side-prototype-pollution)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Open](https://portswigger.net/web-security/prototype-pollution/server-side/lab-bypassing-flawed-input-filters-for-server-side-prototype-pollution)             |
| [Client-side prototype pollution in third-party libraries](/en/portswigger/labs/prototype-pollution/client-side-prototype-pollution-client-side-prototype-pollution-in-third-party-libraries)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Open](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-client-side-prototype-pollution-in-third-party-libraries)   |
| [Client-side prototype pollution via flawed sanitization](/en/portswigger/labs/prototype-pollution/client-side-prototype-pollution-client-side-prototype-pollution-via-flawed-sanitization)                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Open](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-client-side-prototype-pollution-via-flawed-sanitization)    |
| [Detecting server-side prototype pollution without polluted property reflection](/en/portswigger/labs/prototype-pollution/server-side-detecting-server-side-prototype-pollution-without-polluted-property-reflection) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Open](https://portswigger.net/web-security/prototype-pollution/server-side/lab-detecting-server-side-prototype-pollution-without-polluted-property-reflection) |
| [DOM XSS via an alternative prototype pollution vector](/en/portswigger/labs/prototype-pollution/client-side-prototype-pollution-dom-xss-via-an-alternative-prototype-pollution-vector)                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution · Cross-Site Scripting (XSS)  | [Open](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-dom-xss-via-an-alternative-prototype-pollution-vector)      |
| [DOM XSS via client-side prototype pollution](/en/portswigger/labs/prototype-pollution/client-side-prototype-pollution-dom-xss-via-client-side-prototype-pollution)                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution · Cross-Site Scripting (XSS)  | [Open](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-dom-xss-via-client-side-prototype-pollution)                |
| [Privilege escalation via server-side prototype pollution](/en/portswigger/labs/prototype-pollution/server-side-privilege-escalation-via-server-side-prototype-pollution)                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Open](https://portswigger.net/web-security/prototype-pollution/server-side/lab-privilege-escalation-via-server-side-prototype-pollution)                       |
| [Remote code execution via server-side prototype pollution](/en/portswigger/labs/prototype-pollution/server-side-remote-code-execution-via-server-side-prototype-pollution)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Remote Code Execution (RCE) · Prototype Pollution | [Open](https://portswigger.net/web-security/prototype-pollution/server-side/lab-remote-code-execution-via-server-side-prototype-pollution)                      |

## Race Conditions (6)

| Lab                                                                                                                                         | Difficulty                                                 | Skills          | Official                                                                                                                   |
| ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------- | -------------------------------------------------------------------------------------------------------------------------- |
| [Limit overrun race conditions](/en/portswigger/labs/race-conditions/race-conditions-limit-overrun)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Race Conditions | [Open](https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun)                             |
| [Partial construction race conditions](/en/portswigger/labs/race-conditions/race-conditions-partial-construction)                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Race Conditions | [Open](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction)                      |
| [Bypassing rate limits via race conditions](/en/portswigger/labs/race-conditions/race-conditions-bypassing-rate-limits)                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Race Conditions | [Open](https://portswigger.net/web-security/race-conditions/lab-race-conditions-bypassing-rate-limits)                     |
| [Exploiting time-sensitive vulnerabilities](/en/portswigger/labs/race-conditions/race-conditions-exploiting-time-sensitive-vulnerabilities) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Race Conditions | [Open](https://portswigger.net/web-security/race-conditions/lab-race-conditions-exploiting-time-sensitive-vulnerabilities) |
| [Multi-endpoint race conditions](/en/portswigger/labs/race-conditions/race-conditions-multi-endpoint)                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Race Conditions | [Open](https://portswigger.net/web-security/race-conditions/lab-race-conditions-multi-endpoint)                            |
| [Single-endpoint race conditions](/en/portswigger/labs/race-conditions/race-conditions-single-endpoint)                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Race Conditions | [Open](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint)                           |

## HTTP Request Smuggling (16)

| Lab                                                                                                                                                                               | Difficulty                                                 | Skills                                                             | Official                                                                                                                              |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
| [0.CL request smuggling](/en/portswigger/labs/request-smuggling/advanced-request-smuggling-0cl-request-smuggling)                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-0cl-request-smuggling)                   |
| [Exploiting HTTP request smuggling to perform web cache deception](/en/portswigger/labs/request-smuggling/exploiting-perform-web-cache-deception)                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | HTTP Request Smuggling · Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-deception)                             |
| [Exploiting HTTP request smuggling to perform web cache poisoning](/en/portswigger/labs/request-smuggling/exploiting-perform-web-cache-poisoning)                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | HTTP Request Smuggling · Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-poisoning)                             |
| [Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability](/en/portswigger/labs/request-smuggling/exploiting-bypass-front-end-controls-cl-te) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-cl-te)                         |
| [Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability](/en/portswigger/labs/request-smuggling/exploiting-bypass-front-end-controls-te-cl) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-te-cl)                         |
| [Exploiting HTTP request smuggling to capture other users' requests](/en/portswigger/labs/request-smuggling/exploiting-capture-other-users-requests)                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests)                            |
| [Exploiting HTTP request smuggling to deliver reflected XSS](/en/portswigger/labs/request-smuggling/exploiting-deliver-reflected-xss)                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling · Cross-Site Scripting (XSS)                | [Open](https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss)                                   |
| [Exploiting HTTP request smuggling to reveal front-end request rewriting](/en/portswigger/labs/request-smuggling/exploiting-reveal-front-end-request-rewriting)                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/exploiting/lab-reveal-front-end-request-rewriting)                      |
| [H2.CL request smuggling](/en/portswigger/labs/request-smuggling/advanced-request-smuggling-h2-cl-request-smuggling)                                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-cl-request-smuggling)                 |
| [HTTP request smuggling, basic CL.TE vulnerability](/en/portswigger/labs/request-smuggling/basic-cl-te)                                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te)                                                        |
| [HTTP request smuggling, basic TE.CL vulnerability](/en/portswigger/labs/request-smuggling/basic-te-cl)                                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl)                                                        |
| [HTTP request smuggling, confirming a CL.TE vulnerability via differential responses](/en/portswigger/labs/request-smuggling/finding-confirming-cl-te-via-differential-responses) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-cl-te-via-differential-responses)                |
| [HTTP request smuggling, confirming a TE.CL vulnerability via differential responses](/en/portswigger/labs/request-smuggling/finding-confirming-te-cl-via-differential-responses) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-te-cl-via-differential-responses)                |
| [HTTP request smuggling, obfuscating the TE header](/en/portswigger/labs/request-smuggling/obfuscating-te-header)                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header)                                              |
| [HTTP/2 request smuggling via CRLF injection](/en/portswigger/labs/request-smuggling/advanced-request-smuggling-h2-request-smuggling-via-crlf-injection)                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-smuggling-via-crlf-injection) |
| [HTTP/2 request splitting via CRLF injection](/en/portswigger/labs/request-smuggling/advanced-request-smuggling-h2-request-splitting-via-crlf-injection)                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Open](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) |

## Server-Side Template Injection (SSTI) (7)

| Lab                                                                                                                                                                                                                                         | Difficulty                                                 | Skills                                                      | Official                                                                                                                                                                        |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Server-side template injection in a sandboxed environment](/en/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-in-a-sandboxed-environment)                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SSTI (Server-Side Template Injection)                       | [Open](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-a-sandboxed-environment)                            |
| [Server-side template injection with a custom exploit](/en/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-with-a-custom-exploit)                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SSTI (Server-Side Template Injection)                       | [Open](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-with-a-custom-exploit)                                 |
| [Basic server-side template injection](/en/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-basic)                                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection)                       | [Open](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic)                                                 |
| [Basic server-side template injection (code context)](/en/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-basic-code-context)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection)                       | [Open](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic-code-context)                                    |
| [Server-side template injection in an unknown language with a documented exploit](/en/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection)                       | [Open](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)      |
| [Server-side template injection using documentation](/en/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-using-documentation)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection)                       | [Open](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-using-documentation)                                   |
| [Server-side template injection with information disclosure via user-supplied objects](/en/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-with-information-disclosure-via-user-supplied-objects) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection) · Information Leakage | [Open](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-with-information-disclosure-via-user-supplied-objects) |

## SQL Injection (18)

| Lab                                                                                                                                                                                        | Difficulty                                                 | Skills        | Official                                                                                                                        |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| [SQL injection vulnerability allowing login bypass](/en/portswigger/labs/sql-injection/login-bypass)                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/lab-login-bypass)                                                     |
| [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](/en/portswigger/labs/sql-injection/retrieve-hidden-data)                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)                                             |
| [Blind SQL injection with conditional errors](/en/portswigger/labs/sql-injection/blind-conditional-errors)                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors)                                         |
| [Blind SQL injection with conditional responses](/en/portswigger/labs/sql-injection/blind-conditional-responses)                                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses)                                      |
| [Blind SQL injection with out-of-band data exfiltration](/en/portswigger/labs/sql-injection/blind-out-of-band-data-exfiltration)                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration)                              |
| [Blind SQL injection with out-of-band interaction](/en/portswigger/labs/sql-injection/blind-out-of-band)                                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band)                                                |
| [Blind SQL injection with time delays](/en/portswigger/labs/sql-injection/blind-time-delays)                                                                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays)                                                |
| [Blind SQL injection with time delays and information retrieval](/en/portswigger/labs/sql-injection/blind-time-delays-info-retrieval)                                                      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval)                                 |
| [SQL injection attack, listing the database contents on non-Oracle databases](/en/portswigger/labs/sql-injection/examining-the-database-listing-database-contents-non-oracle)              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle)      |
| [SQL injection attack, listing the database contents on Oracle](/en/portswigger/labs/sql-injection/examining-the-database-listing-database-contents-oracle)                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle)          |
| [SQL injection attack, querying the database type and version on MySQL and Microsoft](/en/portswigger/labs/sql-injection/examining-the-database-querying-database-version-mysql-microsoft) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft) |
| [SQL injection attack, querying the database type and version on Oracle](/en/portswigger/labs/sql-injection/examining-the-database-querying-database-version-oracle)                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle)          |
| [SQL injection UNION attack, determining the number of columns returned by the query](/en/portswigger/labs/sql-injection/union-attacks-determine-number-of-columns)                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns)                        |
| [SQL injection UNION attack, finding a column containing text](/en/portswigger/labs/sql-injection/union-attacks-find-column-containing-text)                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text)                        |
| [SQL injection UNION attack, retrieving data from other tables](/en/portswigger/labs/sql-injection/union-attacks-retrieve-data-from-other-tables)                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables)                    |
| [SQL injection UNION attack, retrieving multiple values in a single column](/en/portswigger/labs/sql-injection/union-attacks-retrieve-multiple-values-in-single-column)                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column)          |
| [SQL injection with filter bypass via XML encoding](/en/portswigger/labs/sql-injection/sql-injection-with-filter-bypass-via-xml-encoding)                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)                |
| [Visible error-based SQL injection](/en/portswigger/labs/sql-injection/blind-sql-injection-visible-error-based)                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Open](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based)                          |

## SSRF (Server-Side Request Forgery) (7)

| Lab                                                                                                                             | Difficulty                                                 | Skills                                                   | Official                                                                                      |
| ------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
| [Basic SSRF against another back-end system](/en/portswigger/labs/ssrf/basic-ssrf-against-backend-system)                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Server-Side Request Forgery                              | [Open](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system)       |
| [Basic SSRF against the local server](/en/portswigger/labs/ssrf/basic-ssrf-against-localhost)                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Server-Side Request Forgery                              | [Open](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost)            |
| [Blind SSRF with Shellshock exploitation](/en/portswigger/labs/ssrf/blind-shellshock-exploitation)                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Shellshock (CVE-2014-6271) · Server-Side Request Forgery | [Open](https://portswigger.net/web-security/ssrf/blind/lab-shellshock-exploitation)           |
| [SSRF with whitelist-based input filter](/en/portswigger/labs/ssrf/ssrf-with-whitelist-filter)                                  | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Server-Side Request Forgery                              | [Open](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter)              |
| [Blind SSRF with out-of-band detection](/en/portswigger/labs/ssrf/blind-out-of-band-detection)                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Server-Side Request Forgery                              | [Open](https://portswigger.net/web-security/ssrf/blind/lab-out-of-band-detection)             |
| [SSRF with blacklist-based input filter](/en/portswigger/labs/ssrf/ssrf-with-blacklist-filter)                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Server-Side Request Forgery                              | [Open](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)              |
| [SSRF with filter bypass via open redirection vulnerability](/en/portswigger/labs/ssrf/ssrf-filter-bypass-via-open-redirection) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Server-Side Request Forgery                              | [Open](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection) |

## Web Cache Deception (5)

| Lab                                                                                                                                                   | Difficulty                                                 | Skills                                    | Official                                                                                                        |
| ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| [Exploiting exact-match cache rules for web cache deception](/en/portswigger/labs/web-cache-deception/wcd-exploiting-exact-match-cache-rules)         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-exact-match-cache-rules)     |
| [Exploiting path mapping for web cache deception](/en/portswigger/labs/web-cache-deception/wcd-exploiting-path-mapping)                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-path-mapping)                |
| [Exploiting cache server normalization for web cache deception](/en/portswigger/labs/web-cache-deception/wcd-exploiting-cache-server-normalization)   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-cache-server-normalization)  |
| [Exploiting origin server normalization for web cache deception](/en/portswigger/labs/web-cache-deception/wcd-exploiting-origin-server-normalization) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-origin-server-normalization) |
| [Exploiting path delimiters for web cache deception](/en/portswigger/labs/web-cache-deception/wcd-exploiting-path-delimiters)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-path-delimiters)             |

## Web Cache Poisoning (13)

| Lab                                                                                                                                                                                                                                                                   | Difficulty                                                 | Skills                                    | Official                                                                                                                                                                                      |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Cache key injection](/en/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-cache-key-injection)                                                                                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-cache-key-injection)                                                  |
| [Combining web cache poisoning vulnerabilities](/en/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-combining-vulnerabilities)                                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-combining-vulnerabilities)                                                    |
| [Internal cache poisoning](/en/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-internal)                                                                                                                                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-internal)                                                             |
| [Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria](/en/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-to-exploit-a-dom-vulnerability-via-a-cache-with-strict-cacheability-criteria) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-to-exploit-a-dom-vulnerability-via-a-cache-with-strict-cacheability-criteria) |
| [Parameter cloaking](/en/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-param-cloaking)                                                                                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)                                                       |
| [Targeted web cache poisoning using an unknown header](/en/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-targeted-using-an-unknown-header)                                                                                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-targeted-using-an-unknown-header)                                             |
| [URL normalization](/en/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-normalization)                                                                                                                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-normalization)                                                        |
| [Web cache poisoning via a fat GET request](/en/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-fat-get)                                                                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)                                                              |
| [Web cache poisoning via an unkeyed query parameter](/en/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-unkeyed-param)                                                                                                      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-param)                                                        |
| [Web cache poisoning via an unkeyed query string](/en/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-unkeyed-query)                                                                                                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-query)                                                        |
| [Web cache poisoning with an unkeyed cookie](/en/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-with-an-unkeyed-cookie)                                                                                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-cookie)                                                       |
| [Web cache poisoning with an unkeyed header](/en/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-with-an-unkeyed-header)                                                                                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-header)                                                       |
| [Web cache poisoning with multiple headers](/en/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-with-multiple-headers)                                                                                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Open](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-multiple-headers)                                                        |

## WebSockets (2)

| Lab                                                                                                                                                  | Difficulty                                                 | Skills                     | Official                                                                                                      |
| ---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------- | ------------------------------------------------------------------------------------------------------------- |
| [Manipulating WebSocket messages to exploit vulnerabilities](/en/portswigger/labs/websockets/manipulating-messages-to-exploit-vulnerabilities)       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | WebSockets Vulnerabilities | [Open](https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities)  |
| [Manipulating the WebSocket handshake to exploit vulnerabilities](/en/portswigger/labs/websockets/manipulating-handshake-to-exploit-vulnerabilities) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | WebSockets Vulnerabilities | [Open](https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities) |

## XXE (XML External Entity) (9)

| Lab                                                                                                                                                           | Difficulty                                                 | Skills                                            | Official                                                                                                             |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| [Exploiting XXE to perform SSRF attacks](/en/portswigger/labs/xxe/exploiting-xxe-to-perform-ssrf)                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XML External Entity · Server-Side Request Forgery | [Open](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)                                  |
| [Exploiting XXE to retrieve data by repurposing a local DTD](/en/portswigger/labs/xxe/blind-xxe-trigger-error-message-by-repurposing-local-dtd)               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XML External Entity                               | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)        |
| [Exploiting XXE using external entities to retrieve files](/en/portswigger/labs/xxe/exploiting-xxe-to-retrieve-files)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XML External Entity                               | [Open](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)                                |
| [Blind XXE with out-of-band interaction](/en/portswigger/labs/xxe/blind-xxe-with-out-of-band-interaction)                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)                          |
| [Blind XXE with out-of-band interaction via XML parameter entities](/en/portswigger/labs/xxe/blind-xxe-with-out-of-band-interaction-using-parameter-entities) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities) |
| [Exploiting blind XXE to exfiltrate data using a malicious external DTD](/en/portswigger/labs/xxe/blind-xxe-with-out-of-band-exfiltration)                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)                         |
| [Exploiting blind XXE to retrieve data via error messages](/en/portswigger/labs/xxe/blind-xxe-with-data-retrieval-via-error-messages)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)                |
| [Exploiting XInclude to retrieve files](/en/portswigger/labs/xxe/xinclude-attack)                                                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Open](https://portswigger.net/web-security/xxe/lab-xinclude-attack)                                                 |
| [Exploiting XXE via image file upload](/en/portswigger/labs/xxe/xxe-via-file-upload)                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity · File Upload Vulnerabilities | [Open](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)                                             |

*Last updated: 2026-05-08*

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"ItemList","name":"PortSwigger Web Security Academy labs","numberOfItems":262,"url":"https://rootea.es/en/portswigger/all","itemListElement":[{"@type":"ListItem","position":1,"url":"https://rootea.es/en/portswigger/labs/access-control/insecure-direct-object-references","name":"Insecure direct object references"},{"@type":"ListItem","position":2,"url":"https://rootea.es/en/portswigger/labs/access-control/method-based-access-control-can-be-circumvented","name":"Method-based access control can be circumvented"},{"@type":"ListItem","position":3,"url":"https://rootea.es/en/portswigger/labs/access-control/multi-step-process-with-no-access-control-on-one-step","name":"Multi-step process with no access control on one step"},{"@type":"ListItem","position":4,"url":"https://rootea.es/en/portswigger/labs/access-control/referer-based-access-control","name":"Referer-based access control"},{"@type":"ListItem","position":5,"url":"https://rootea.es/en/portswigger/labs/access-control/unprotected-admin-functionality","name":"Unprotected admin functionality"},{"@type":"ListItem","position":6,"url":"https://rootea.es/en/portswigger/labs/access-control/unprotected-admin-functionality-with-unpredictable-url","name":"Unprotected admin functionality with unpredictable URL"},{"@type":"ListItem","position":7,"url":"https://rootea.es/en/portswigger/labs/access-control/url-based-access-control-can-be-circumvented","name":"URL-based access control can be circumvented"},{"@type":"ListItem","position":8,"url":"https://rootea.es/en/portswigger/labs/access-control/user-id-controlled-by-request-parameter","name":"User ID controlled by request parameter"},{"@type":"ListItem","position":9,"url":"https://rootea.es/en/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-data-leakage-in-redirect","name":"User ID controlled by request parameter with data leakage in redirect"},{"@type":"ListItem","position":10,"url":"https://rootea.es/en/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-password-disclosure","name":"User ID controlled by request parameter with password disclosure"},{"@type":"ListItem","position":11,"url":"https://rootea.es/en/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-unpredictable-user-ids","name":"User ID controlled by request parameter, with unpredictable user IDs"},{"@type":"ListItem","position":12,"url":"https://rootea.es/en/portswigger/labs/access-control/user-role-can-be-modified-in-user-profile","name":"User role can be modified in user profile"},{"@type":"ListItem","position":13,"url":"https://rootea.es/en/portswigger/labs/access-control/user-role-controlled-by-request-parameter","name":"User role controlled by request parameter"},{"@type":"ListItem","position":14,"url":"https://rootea.es/en/portswigger/labs/api-testing/exploiting-mass-assignment-vulnerability","name":"Exploiting a mass assignment vulnerability"},{"@type":"ListItem","position":15,"url":"https://rootea.es/en/portswigger/labs/api-testing/exploiting-api-endpoint-using-documentation","name":"Exploiting an API endpoint using documentation"},{"@type":"ListItem","position":16,"url":"https://rootea.es/en/portswigger/labs/api-testing/server-side-parameter-pollution-exploiting-server-side-parameter-pollution-in-query-string","name":"Exploiting server-side parameter pollution in a query string"},{"@type":"ListItem","position":17,"url":"https://rootea.es/en/portswigger/labs/api-testing/server-side-parameter-pollution-exploiting-server-side-parameter-pollution-in-rest-url","name":"Exploiting server-side parameter pollution in a REST URL"},{"@type":"ListItem","position":18,"url":"https://rootea.es/en/portswigger/labs/api-testing/exploiting-unused-api-endpoint","name":"Finding and exploiting an unused API endpoint"},{"@type":"ListItem","position":19,"url":"https://rootea.es/en/portswigger/labs/authentication/multi-factor-2fa-broken-logic","name":"2FA broken logic"},{"@type":"ListItem","position":20,"url":"https://rootea.es/en/portswigger/labs/authentication/multi-factor-2fa-bypass-using-a-brute-force-attack","name":"2FA bypass using a brute-force attack"},{"@type":"ListItem","position":21,"url":"https://rootea.es/en/portswigger/labs/authentication/multi-factor-2fa-simple-bypass","name":"2FA simple bypass"},{"@type":"ListItem","position":22,"url":"https://rootea.es/en/portswigger/labs/authentication/password-based-broken-bruteforce-protection-ip-block","name":"Broken brute-force protection, IP block"},{"@type":"ListItem","position":23,"url":"https://rootea.es/en/portswigger/labs/authentication/password-based-broken-brute-force-protection-multiple-credentials-per-request","name":"Broken brute-force protection, multiple credentials per request"},{"@type":"ListItem","position":24,"url":"https://rootea.es/en/portswigger/labs/authentication/other-mechanisms-brute-forcing-a-stay-logged-in-cookie","name":"Brute-forcing a stay-logged-in cookie"},{"@type":"ListItem","position":25,"url":"https://rootea.es/en/portswigger/labs/authentication/other-mechanisms-offline-password-cracking","name":"Offline password cracking"},{"@type":"ListItem","position":26,"url":"https://rootea.es/en/portswigger/labs/authentication/other-mechanisms-password-brute-force-via-password-change","name":"Password brute-force via password change"},{"@type":"ListItem","position":27,"url":"https://rootea.es/en/portswigger/labs/authentication/other-mechanisms-password-reset-broken-logic","name":"Password reset broken logic"},{"@type":"ListItem","position":28,"url":"https://rootea.es/en/portswigger/labs/authentication/other-mechanisms-password-reset-poisoning-via-middleware","name":"Password reset poisoning via middleware"},{"@type":"ListItem","position":29,"url":"https://rootea.es/en/portswigger/labs/authentication/password-based-username-enumeration-via-account-lock","name":"Username enumeration via account lock"},{"@type":"ListItem","position":30,"url":"https://rootea.es/en/portswigger/labs/authentication/password-based-username-enumeration-via-different-responses","name":"Username enumeration via different responses"},{"@type":"ListItem","position":31,"url":"https://rootea.es/en/portswigger/labs/authentication/password-based-username-enumeration-via-response-timing","name":"Username enumeration via response timing"},{"@type":"ListItem","position":32,"url":"https://rootea.es/en/portswigger/labs/authentication/password-based-username-enumeration-via-subtly-different-responses","name":"Username enumeration via subtly different responses"},{"@type":"ListItem","position":33,"url":"https://rootea.es/en/portswigger/labs/clickjacking/basic-csrf-protected","name":"Basic clickjacking with CSRF token protection"},{"@type":"ListItem","position":34,"url":"https://rootea.es/en/portswigger/labs/clickjacking/frame-buster-script","name":"Clickjacking with a frame buster script"},{"@type":"ListItem","position":35,"url":"https://rootea.es/en/portswigger/labs/clickjacking/prefilled-form-input","name":"Clickjacking with form input data prefilled from a URL parameter"},{"@type":"ListItem","position":36,"url":"https://rootea.es/en/portswigger/labs/clickjacking/exploiting-to-trigger-dom-based-xss","name":"Exploiting clickjacking vulnerability to trigger DOM-based XSS"},{"@type":"ListItem","position":37,"url":"https://rootea.es/en/portswigger/labs/clickjacking/multistep","name":"Multistep clickjacking"},{"@type":"ListItem","position":38,"url":"https://rootea.es/en/portswigger/labs/cors/basic-origin-reflection-attack","name":"CORS vulnerability with basic origin reflection"},{"@type":"ListItem","position":39,"url":"https://rootea.es/en/portswigger/labs/cors/breaking-https-attack","name":"CORS vulnerability with trusted insecure protocols"},{"@type":"ListItem","position":40,"url":"https://rootea.es/en/portswigger/labs/cors/null-origin-whitelisted-attack","name":"CORS vulnerability with trusted null origin"},{"@type":"ListItem","position":41,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/dom-based-angularjs-expression","name":"DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded"},{"@type":"ListItem","position":42,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/dom-based-document-write-sink","name":"DOM XSS in document.write sink using source location.search"},{"@type":"ListItem","position":43,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/dom-based-document-write-sink-inside-select-element","name":"DOM XSS in document.write sink using source location.search inside a select element"},{"@type":"ListItem","position":44,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/dom-based-innerhtml-sink","name":"DOM XSS in innerHTML sink using source location.search"},{"@type":"ListItem","position":45,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/dom-based-jquery-href-attribute-sink","name":"DOM XSS in jQuery anchor href attribute sink using location.search source"},{"@type":"ListItem","position":46,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/dom-based-jquery-selector-hash-change-event","name":"DOM XSS in jQuery selector sink using a hashchange event"},{"@type":"ListItem","position":47,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/exploiting-capturing-passwords","name":"Exploiting cross-site scripting to capture passwords"},{"@type":"ListItem","position":48,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/exploiting-stealing-cookies","name":"Exploiting cross-site scripting to steal cookies"},{"@type":"ListItem","position":49,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/exploiting-perform-csrf","name":"Exploiting XSS to bypass CSRF defenses"},{"@type":"ListItem","position":50,"url":"https://rootea.es/en/portswigger/labs/cross-site-scripting/dom-based-dom-xss-reflected","name":"Reflected DOM XSS"}]}`}
</script>
