> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# All

# PortSwigger · Web Security Academy

Catálogo: **262 labs** indexados de PortSwigger Web Security Academy. Cada lab enlaza al ejercicio oficial y a la solución de PortSwigger. La cobertura del sitemap oficial es parcial; falta XSS, autenticación, business logic y otros topics que se irán incorporando manualmente.

## Access Control Vulnerabilities (13)

| Lab                                                                                                                                                                             | Dificultad                                                 | Skills                | Oficial                                                                                                                                |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| [Insecure direct object references](/portswigger/labs/access-control/insecure-direct-object-references)                                                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)                                     |
| [Unprotected admin functionality](/portswigger/labs/access-control/unprotected-admin-functionality)                                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality)                                       |
| [Unprotected admin functionality with unpredictable URL](/portswigger/labs/access-control/unprotected-admin-functionality-with-unpredictable-url)                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality-with-unpredictable-url)                |
| [User ID controlled by request parameter](/portswigger/labs/access-control/user-id-controlled-by-request-parameter)                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter)                               |
| [User ID controlled by request parameter with data leakage in redirect](/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-data-leakage-in-redirect) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-data-leakage-in-redirect) |
| [User ID controlled by request parameter with password disclosure](/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-password-disclosure)           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure)      |
| [User ID controlled by request parameter, with unpredictable user IDs](/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-unpredictable-user-ids)    | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-unpredictable-user-ids)   |
| [User role can be modified in user profile](/portswigger/labs/access-control/user-role-can-be-modified-in-user-profile)                                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile)                             |
| [User role controlled by request parameter](/portswigger/labs/access-control/user-role-controlled-by-request-parameter)                                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-user-role-controlled-by-request-parameter)                             |
| [Method-based access control can be circumvented](/portswigger/labs/access-control/method-based-access-control-can-be-circumvented)                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented)                       |
| [Multi-step process with no access control on one step](/portswigger/labs/access-control/multi-step-process-with-no-access-control-on-one-step)                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-multi-step-process-with-no-access-control-on-one-step)                 |
| [Referer-based access control](/portswigger/labs/access-control/referer-based-access-control)                                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-referer-based-access-control)                                          |
| [URL-based access control can be circumvented](/portswigger/labs/access-control/url-based-access-control-can-be-circumvented)                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control / IDOR | [Abrir](https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented)                          |

## API Testing (5)

| Lab                                                                                                                                                                                      | Dificultad                                                 | Skills      | Oficial                                                                                                                                                  |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Exploiting an API endpoint using documentation](/portswigger/labs/api-testing/exploiting-api-endpoint-using-documentation)                                                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | API Testing | [Abrir](https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation)                                                |
| [Exploiting server-side parameter pollution in a REST URL](/portswigger/labs/api-testing/server-side-parameter-pollution-exploiting-server-side-parameter-pollution-in-rest-url)         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | API Testing | [Abrir](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-rest-url)     |
| [Exploiting a mass assignment vulnerability](/portswigger/labs/api-testing/exploiting-mass-assignment-vulnerability)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | API Testing | [Abrir](https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability)                                                   |
| [Exploiting server-side parameter pollution in a query string](/portswigger/labs/api-testing/server-side-parameter-pollution-exploiting-server-side-parameter-pollution-in-query-string) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | API Testing | [Abrir](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-query-string) |
| [Finding and exploiting an unused API endpoint](/portswigger/labs/api-testing/exploiting-unused-api-endpoint)                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | API Testing | [Abrir](https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint)                                                             |

## Authentication Vulnerabilities (14)

| Lab                                                                                                                                                                               | Dificultad                                                 | Skills                                                       | Oficial                                                                                                                                        |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| [2FA bypass using a brute-force attack](/portswigger/labs/authentication/multi-factor-2fa-bypass-using-a-brute-force-attack)                                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · Remote Code Execution (RCE) | [Abrir](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-bypass-using-a-brute-force-attack)                            |
| [2FA simple bypass](/portswigger/labs/authentication/multi-factor-2fa-simple-bypass)                                                                                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass)                                                |
| [Broken brute-force protection, multiple credentials per request](/portswigger/labs/authentication/password-based-broken-brute-force-protection-multiple-credentials-per-request) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · Remote Code Execution (RCE) | [Abrir](https://portswigger.net/web-security/authentication/password-based/lab-broken-brute-force-protection-multiple-credentials-per-request) |
| [Password reset broken logic](/portswigger/labs/authentication/other-mechanisms-password-reset-broken-logic)                                                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-broken-logic)                                  |
| [Username enumeration via different responses](/portswigger/labs/authentication/password-based-username-enumeration-via-different-responses)                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses)                   |
| [2FA broken logic](/portswigger/labs/authentication/multi-factor-2fa-broken-logic)                                                                                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-broken-logic)                                                 |
| [Broken brute-force protection, IP block](/portswigger/labs/authentication/password-based-broken-bruteforce-protection-ip-block)                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · Remote Code Execution (RCE) | [Abrir](https://portswigger.net/web-security/authentication/password-based/lab-broken-bruteforce-protection-ip-block)                          |
| [Brute-forcing a stay-logged-in cookie](/portswigger/labs/authentication/other-mechanisms-brute-forcing-a-stay-logged-in-cookie)                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/other-mechanisms/lab-brute-forcing-a-stay-logged-in-cookie)                        |
| [Offline password cracking](/portswigger/labs/authentication/other-mechanisms-offline-password-cracking)                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/other-mechanisms/lab-offline-password-cracking)                                    |
| [Password brute-force via password change](/portswigger/labs/authentication/other-mechanisms-password-brute-force-via-password-change)                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · Remote Code Execution (RCE) | [Abrir](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-brute-force-via-password-change)                     |
| [Password reset poisoning via middleware](/portswigger/labs/authentication/other-mechanisms-password-reset-poisoning-via-middleware)                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-poisoning-via-middleware)                      |
| [Username enumeration via account lock](/portswigger/labs/authentication/password-based-username-enumeration-via-account-lock)                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-account-lock)                          |
| [Username enumeration via response timing](/portswigger/labs/authentication/password-based-username-enumeration-via-response-timing)                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing)                       |
| [Username enumeration via subtly different responses](/portswigger/labs/authentication/password-based-username-enumeration-via-subtly-different-responses)                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses)            |

## Clickjacking (5)

| Lab                                                                                                                                  | Dificultad                                                 | Skills                                           | Oficial                                                                                            |
| ------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | ------------------------------------------------ | -------------------------------------------------------------------------------------------------- |
| [Basic clickjacking with CSRF token protection](/portswigger/labs/clickjacking/basic-csrf-protected)                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clickjacking · CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected)                |
| [Clickjacking with a frame buster script](/portswigger/labs/clickjacking/frame-buster-script)                                        | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clickjacking                                     | [Abrir](https://portswigger.net/web-security/clickjacking/lab-frame-buster-script)                 |
| [Clickjacking with form input data prefilled from a URL parameter](/portswigger/labs/clickjacking/prefilled-form-input)              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clickjacking                                     | [Abrir](https://portswigger.net/web-security/clickjacking/lab-prefilled-form-input)                |
| [Exploiting clickjacking vulnerability to trigger DOM-based XSS](/portswigger/labs/clickjacking/exploiting-to-trigger-dom-based-xss) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Clickjacking · Cross-Site Scripting (XSS)        | [Abrir](https://portswigger.net/web-security/clickjacking/lab-exploiting-to-trigger-dom-based-xss) |
| [Multistep clickjacking](/portswigger/labs/clickjacking/multistep)                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Clickjacking                                     | [Abrir](https://portswigger.net/web-security/clickjacking/lab-multistep)                           |

## CORS (3)

| Lab                                                                                                      | Dificultad                                                 | Skills                               | Oficial                                                                               |
| -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------- |
| [CORS vulnerability with basic origin reflection](/portswigger/labs/cors/basic-origin-reflection-attack) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | CORS (Cross-Origin Resource Sharing) | [Abrir](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack) |
| [CORS vulnerability with trusted null origin](/portswigger/labs/cors/null-origin-whitelisted-attack)     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | CORS (Cross-Origin Resource Sharing) | [Abrir](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack) |
| [CORS vulnerability with trusted insecure protocols](/portswigger/labs/cors/breaking-https-attack)       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CORS (Cross-Origin Resource Sharing) | [Abrir](https://portswigger.net/web-security/cors/lab-breaking-https-attack)          |

## Cross-Site Scripting (XSS) (28)

| Lab                                                                                                                                                                                                                                                                      | Dificultad                                                 | Skills                                                         | Oficial                                                                                                                                                                     |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | -------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [DOM XSS in document.write sink using source location.search](/portswigger/labs/cross-site-scripting/dom-based-document-write-sink)                                                                                                                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) · Remote Code Execution (RCE)       | [Abrir](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink)                                                                        |
| [DOM XSS in innerHTML sink using source location.search](/portswigger/labs/cross-site-scripting/dom-based-innerhtml-sink)                                                                                                                                                | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) · Remote Code Execution (RCE)       | [Abrir](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-innerhtml-sink)                                                                             |
| [DOM XSS in jQuery anchor href attribute sink using location.search source](/portswigger/labs/cross-site-scripting/dom-based-jquery-href-attribute-sink)                                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) · Remote Code Execution (RCE)       | [Abrir](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink)                                                                 |
| [DOM XSS in jQuery selector sink using a hashchange event](/portswigger/labs/cross-site-scripting/dom-based-jquery-selector-hash-change-event)                                                                                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-selector-hash-change-event)                                                          |
| [Reflected XSS in a JavaScript URL with some characters blocked](/portswigger/labs/cross-site-scripting/contexts-javascript-url-some-characters-blocked)                                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked)                                                      |
| [Reflected XSS into a JavaScript string with angle brackets HTML encoded](/portswigger/labs/cross-site-scripting/contexts-javascript-string-angle-brackets-html-encoded)                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-html-encoded)                                               |
| [Reflected XSS into attribute with angle brackets HTML-encoded](/portswigger/labs/cross-site-scripting/contexts-attribute-angle-brackets-html-encoded)                                                                                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-attribute-angle-brackets-html-encoded)                                                       |
| [Reflected XSS into HTML context with nothing encoded](/portswigger/labs/cross-site-scripting/reflected-html-context-nothing-encoded)                                                                                                                                    | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded)                                                               |
| [Reflected XSS protected by CSP, with CSP bypass](/portswigger/labs/cross-site-scripting/content-security-policy-csp-bypass)                                                                                                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-csp-bypass)                                                                   |
| [Reflected XSS with event handlers and href attributes blocked](/portswigger/labs/cross-site-scripting/contexts-event-handlers-and-href-attributes-blocked)                                                                                                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-event-handlers-and-href-attributes-blocked)                                                  |
| [Stored XSS into anchor href attribute with double quotes HTML-encoded](/portswigger/labs/cross-site-scripting/contexts-href-attribute-double-quotes-html-encoded)                                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-href-attribute-double-quotes-html-encoded)                                                   |
| [Stored XSS into HTML context with nothing encoded](/portswigger/labs/cross-site-scripting/stored-html-context-nothing-encoded)                                                                                                                                          | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded)                                                                  |
| [DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded](/portswigger/labs/cross-site-scripting/dom-based-angularjs-expression)                                                                                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)                                                                       |
| [DOM XSS in document.write sink using source location.search inside a select element](/portswigger/labs/cross-site-scripting/dom-based-document-write-sink-inside-select-element)                                                                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) · Remote Code Execution (RCE)       | [Abrir](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink-inside-select-element)                                                  |
| [Exploiting cross-site scripting to capture passwords](/portswigger/labs/cross-site-scripting/exploiting-capturing-passwords)                                                                                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-capturing-passwords)                                                                       |
| [Exploiting cross-site scripting to steal cookies](/portswigger/labs/cross-site-scripting/exploiting-stealing-cookies)                                                                                                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies)                                                                          |
| [Exploiting XSS to bypass CSRF defenses](/portswigger/labs/cross-site-scripting/exploiting-perform-csrf)                                                                                                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) · CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf)                                                                              |
| [Reflected DOM XSS](/portswigger/labs/cross-site-scripting/dom-based-dom-xss-reflected)                                                                                                                                                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-reflected)                                                                          |
| [Reflected XSS in canonical link tag](/portswigger/labs/cross-site-scripting/contexts-canonical-link-tag)                                                                                                                                                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-canonical-link-tag)                                                                          |
| [Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped](/portswigger/labs/cross-site-scripting/contexts-javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped)                      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped)                |
| [Reflected XSS into a JavaScript string with single quote and backslash escaped](/portswigger/labs/cross-site-scripting/contexts-javascript-string-single-quote-backslash-escaped)                                                                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-single-quote-backslash-escaped)                                            |
| [Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped](/portswigger/labs/cross-site-scripting/contexts-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped) |
| [Reflected XSS into HTML context with all tags blocked except custom ones](/portswigger/labs/cross-site-scripting/contexts-html-context-with-all-standard-tags-blocked)                                                                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-all-standard-tags-blocked)                                                 |
| [Reflected XSS into HTML context with most tags and attributes blocked](/portswigger/labs/cross-site-scripting/contexts-html-context-with-most-tags-and-attributes-blocked)                                                                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked)                                          |
| [Reflected XSS protected by very strict CSP, with dangling markup attack](/portswigger/labs/cross-site-scripting/content-security-policy-very-strict-csp-with-dangling-markup-attack)                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-very-strict-csp-with-dangling-markup-attack)                                  |
| [Reflected XSS with some SVG markup allowed](/portswigger/labs/cross-site-scripting/contexts-some-svg-markup-allowed)                                                                                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed)                                                                     |
| [Stored DOM XSS](/portswigger/labs/cross-site-scripting/dom-based-dom-xss-stored)                                                                                                                                                                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-stored)                                                                             |
| [Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped](/portswigger/labs/cross-site-scripting/contexts-onclick-event-angle-brackets-double-quotes-html-encoded-single-quotes-backslash-escaped)      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                     | [Abrir](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-onclick-event-angle-brackets-double-quotes-html-encoded-single-quotes-backslash-escaped)     |

## CSRF (Cross-Site Request Forgery) (12)

| Lab                                                                                                                                                                         | Dificultad                                                 | Skills                            | Oficial                                                                                                                                    |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| [CSRF vulnerability with no defenses](/portswigger/labs/csrf/no-defenses)                                                                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/lab-no-defenses)                                                                         |
| [CSRF where Referer validation depends on header being present](/portswigger/labs/csrf/bypassing-referer-based-defenses-referer-validation-depends-on-header-being-present) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-depends-on-header-being-present) |
| [CSRF where token is duplicated in cookie](/portswigger/labs/csrf/bypassing-token-validation-token-duplicated-in-cookie)                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-duplicated-in-cookie)                               |
| [CSRF where token is not tied to user session](/portswigger/labs/csrf/bypassing-token-validation-token-not-tied-to-user-session)                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-not-tied-to-user-session)                           |
| [CSRF where token is tied to non-session cookie](/portswigger/labs/csrf/bypassing-token-validation-token-tied-to-non-session-cookie)                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-tied-to-non-session-cookie)                         |
| [CSRF where token validation depends on request method](/portswigger/labs/csrf/bypassing-token-validation-token-validation-depends-on-request-method)                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-validation-depends-on-request-method)               |
| [CSRF where token validation depends on token being present](/portswigger/labs/csrf/bypassing-token-validation-token-validation-depends-on-token-being-present)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-validation-depends-on-token-being-present)          |
| [CSRF with broken Referer validation](/portswigger/labs/csrf/bypassing-referer-based-defenses-referer-validation-broken)                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken)                          |
| [SameSite Lax bypass via cookie refresh](/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-cookie-refresh)                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh)           |
| [SameSite Lax bypass via method override](/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-lax-bypass-via-method-override)                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override)             |
| [SameSite Strict bypass via client-side redirect](/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-client-side-redirect)                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-client-side-redirect)     |
| [SameSite Strict bypass via sibling domain](/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-sibling-domain)                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Abrir](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-sibling-domain)           |

## Insecure Deserialization (10)

| Lab                                                                                                                                                                                                     | Dificultad                                                 | Skills                   | Oficial                                                                                                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Developing a custom gadget chain for Java deserialization](/portswigger/labs/deserialization/exploiting-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)           |
| [Developing a custom gadget chain for PHP deserialization](/portswigger/labs/deserialization/exploiting-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)            |
| [Modifying serialized objects](/portswigger/labs/deserialization/exploiting-deserialization-modifying-serialized-objects)                                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects)                                        |
| [Using PHAR deserialization to deploy a custom gadget chain](/portswigger/labs/deserialization/exploiting-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)          |
| [Arbitrary object injection in PHP](/portswigger/labs/deserialization/exploiting-deserialization-arbitrary-object-injection-in-php)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php)                                   |
| [Exploiting Java deserialization with Apache Commons](/portswigger/labs/deserialization/exploiting-deserialization-exploiting-java-deserialization-with-apache-commons)                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons)                 |
| [Exploiting PHP deserialization with a pre-built gadget chain](/portswigger/labs/deserialization/exploiting-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)        |
| [Exploiting Ruby deserialization using a documented gadget chain](/portswigger/labs/deserialization/exploiting-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)     |
| [Modifying serialized data types](/portswigger/labs/deserialization/exploiting-deserialization-modifying-serialized-data-types)                                                                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types)                                     |
| [Using application functionality to exploit insecure deserialization](/portswigger/labs/deserialization/exploiting-deserialization-using-application-functionality-to-exploit-insecure-deserialization) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Abrir](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization) |

## DOM-based Vulnerabilities (7)

| Lab                                                                                                                                                               | Dificultad                                                 | Skills                                                                      | Oficial                                                                                                                                        |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| [Clobbering DOM attributes to bypass HTML filters](/portswigger/labs/dom-based/dom-clobbering-dom-clobbering-attributes-to-bypass-html-filters)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clobbering DOM attributes to bypass HTML filters  DOM-based Vulnerabilities | [Abrir](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters)                    |
| [Exploiting DOM clobbering to enable XSS](/portswigger/labs/dom-based/dom-clobbering-dom-xss-exploiting-dom-clobbering)                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS)                                                  | [Abrir](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering)                                   |
| [DOM XSS using web messages](/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                                  | [Abrir](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages)                      |
| [DOM XSS using web messages and a JavaScript URL](/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages-and-a-javascript-url) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                                  | [Abrir](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url) |
| [DOM XSS using web messages and JSON.parse](/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages-and-json-parse)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)                                                  | [Abrir](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse)       |
| [DOM-based cookie manipulation](/portswigger/labs/dom-based/cookie-manipulation-dom-cookie-manipulation)                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | DOM-based cookie manipulation  DOM-based Vulnerabilities                    | [Abrir](https://portswigger.net/web-security/dom-based/cookie-manipulation/lab-dom-cookie-manipulation)                                        |
| [DOM-based open redirection](/portswigger/labs/dom-based/open-redirection-dom-open-redirection)                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | DOM-based open redirection  DOM-based Vulnerabilities                       | [Abrir](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)                                              |

## Essential Skills (2)

| Lab                                                                                                                                                                                                  | Dificultad                                                 | Skills                                                                       | Oficial                                                                                                                                                                |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Discovering vulnerabilities quickly with targeted scanning](/portswigger/labs/essential-skills/using-burp-scanner-during-manual-testing-discovering-vulnerabilities-quickly-with-targeted-scanning) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Discovering vulnerabilities quickly with targeted scanning  Essential Skills | [Abrir](https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-discovering-vulnerabilities-quickly-with-targeted-scanning) |
| [Scanning non-standard data structures](/portswigger/labs/essential-skills/using-burp-scanner-during-manual-testing-scanning-non-standard-data-structures)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Scanning non-standard data structures  Essential Skills                      | [Abrir](https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-scanning-non-standard-data-structures)                      |

## Directory / Path Traversal (6)

| Lab                                                                                                                                                       | Dificultad                                                 | Skills                     | Oficial                                                                                                        |
| --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------- | -------------------------------------------------------------------------------------------------------------- |
| [File path traversal, simple case](/portswigger/labs/file-path-traversal/simple)                                                                          | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Directory / Path Traversal | [Abrir](https://portswigger.net/web-security/file-path-traversal/lab-simple)                                   |
| [File path traversal, traversal sequences blocked with absolute path bypass](/portswigger/labs/file-path-traversal/absolute-path-bypass)                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Abrir](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)                     |
| [File path traversal, traversal sequences stripped non-recursively](/portswigger/labs/file-path-traversal/sequences-stripped-non-recursively)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Abrir](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)       |
| [File path traversal, traversal sequences stripped with superfluous URL-decode](/portswigger/labs/file-path-traversal/superfluous-url-decode)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Abrir](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)                   |
| [File path traversal, validation of file extension with null byte bypass](/portswigger/labs/file-path-traversal/validate-file-extension-null-byte-bypass) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Abrir](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass) |
| [File path traversal, validation of start of path](/portswigger/labs/file-path-traversal/validate-start-of-path)                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Directory / Path Traversal | [Abrir](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)                   |

## File Upload Vulnerabilities (7)

| Lab                                                                                                                                                    | Dificultad                                                 | Skills                                                    | Oficial                                                                                                                        |
| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | --------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| [Remote code execution via web shell upload](/portswigger/labs/file-upload/file-upload-remote-code-execution-via-web-shell-upload)                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | File Upload Vulnerabilities · Remote Code Execution (RCE) | [Abrir](https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload)           |
| [Web shell upload via Content-Type restriction bypass](/portswigger/labs/file-upload/file-upload-web-shell-upload-via-content-type-restriction-bypass) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | File Upload Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass) |
| [Web shell upload via race condition](/portswigger/labs/file-upload/file-upload-web-shell-upload-via-race-condition)                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | File Upload Vulnerabilities · Race Conditions             | [Abrir](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-race-condition)                  |
| [Remote code execution via polyglot web shell upload](/portswigger/labs/file-upload/file-upload-remote-code-execution-via-polyglot-web-shell-upload)   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | File Upload Vulnerabilities · Remote Code Execution (RCE) | [Abrir](https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-polyglot-web-shell-upload)  |
| [Web shell upload via extension blacklist bypass](/portswigger/labs/file-upload/file-upload-web-shell-upload-via-extension-blacklist-bypass)           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | File Upload Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-extension-blacklist-bypass)      |
| [Web shell upload via obfuscated file extension](/portswigger/labs/file-upload/file-upload-web-shell-upload-via-obfuscated-file-extension)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | File Upload Vulnerabilities                               | [Abrir](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-obfuscated-file-extension)       |
| [Web shell upload via path traversal](/portswigger/labs/file-upload/file-upload-web-shell-upload-via-path-traversal)                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | File Upload Vulnerabilities · Directory / Path Traversal  | [Abrir](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-path-traversal)                  |

## GraphQL (5)

| Lab                                                                                                          | Dificultad                                                 | Skills                                                                                  | Oficial                                                                                         |
| ------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | --------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| [Accessing private GraphQL posts](/portswigger/labs/graphql/graphql-reading-private-posts)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | GraphQL Vulnerabilities                                                                 | [Abrir](https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts)         |
| [Accidental exposure of private GraphQL fields](/portswigger/labs/graphql/graphql-accidental-field-exposure) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | GraphQL Vulnerabilities                                                                 | [Abrir](https://portswigger.net/web-security/graphql/lab-graphql-accidental-field-exposure)     |
| [Bypassing GraphQL brute force protections](/portswigger/labs/graphql/graphql-brute-force-protection-bypass) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Brute Force / Rate-Limit Bypass · GraphQL Vulnerabilities · Remote Code Execution (RCE) | [Abrir](https://portswigger.net/web-security/graphql/lab-graphql-brute-force-protection-bypass) |
| [Finding a hidden GraphQL endpoint](/portswigger/labs/graphql/graphql-find-the-endpoint)                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | GraphQL Vulnerabilities                                                                 | [Abrir](https://portswigger.net/web-security/graphql/lab-graphql-find-the-endpoint)             |
| [Performing CSRF exploits over GraphQL](/portswigger/labs/graphql/graphql-csrf-via-graphql-api)              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | GraphQL Vulnerabilities · CSRF (Cross-Site Request Forgery)                             | [Abrir](https://portswigger.net/web-security/graphql/lab-graphql-csrf-via-graphql-api)          |

## HTTP Host Header Attacks (5)

| Lab                                                                                                                                                           | Dificultad                                                 | Skills                                                               | Oficial                                                                                                                                 |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| [Host header authentication bypass](/portswigger/labs/host-header/exploiting-host-header-authentication-bypass)                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · HTTP Host Header Attacks            | [Abrir](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass)                              |
| [Host validation bypass via connection state attack](/portswigger/labs/host-header/exploiting-host-header-host-validation-bypass-via-connection-state-attack) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Host Header Attacks                                             | [Abrir](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-host-validation-bypass-via-connection-state-attack) |
| [Routing-based SSRF](/portswigger/labs/host-header/exploiting-host-header-routing-based-ssrf)                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Host Header Attacks · Server-Side Request Forgery               | [Abrir](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf)                                 |
| [SSRF via flawed request parsing](/portswigger/labs/host-header/exploiting-host-header-ssrf-via-flawed-request-parsing)                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Host Header Attacks · Server-Side Request Forgery               | [Abrir](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-ssrf-via-flawed-request-parsing)                    |
| [Web cache poisoning via ambiguous requests](/portswigger/labs/host-header/exploiting-host-header-web-cache-poisoning-via-ambiguous-requests)                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) · HTTP Host Header Attacks | [Abrir](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-web-cache-poisoning-via-ambiguous-requests)         |

## Information Disclosure (5)

| Lab                                                                                                                                          | Dificultad                                                 | Skills                                               | Oficial                                                                                                                 |
| -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| [Authentication bypass via information disclosure](/portswigger/labs/information-disclosure/exploiting-infoleak-authentication-bypass)       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Information Leakage · Authentication Vulnerabilities | [Abrir](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass)      |
| [Information disclosure in error messages](/portswigger/labs/information-disclosure/exploiting-infoleak-in-error-messages)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Information Leakage                                  | [Abrir](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-error-messages)          |
| [Information disclosure on debug page](/portswigger/labs/information-disclosure/exploiting-infoleak-on-debug-page)                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Information Leakage                                  | [Abrir](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page)              |
| [Source code disclosure via backup files](/portswigger/labs/information-disclosure/exploiting-infoleak-via-backup-files)                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Information Leakage · Remote Code Execution (RCE)    | [Abrir](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files)           |
| [Information disclosure in version control history](/portswigger/labs/information-disclosure/exploiting-infoleak-in-version-control-history) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Information Leakage                                  | [Abrir](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-version-control-history) |

## JWT (JSON Web Tokens) (8)

| Lab                                                                                                                                                                                      | Dificultad                                                 | Skills                                                                              | Oficial                                                                                                                                         |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| [JWT authentication bypass via algorithm confusion](/portswigger/labs/jwt/algorithm-confusion-jwt-authentication-bypass-via-algorithm-confusion)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Abrir](https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion)                     |
| [JWT authentication bypass via algorithm confusion with no exposed key](/portswigger/labs/jwt/algorithm-confusion-jwt-authentication-bypass-via-algorithm-confusion-with-no-exposed-key) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Abrir](https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion-with-no-exposed-key) |
| [JWT authentication bypass via flawed signature verification](/portswigger/labs/jwt/jwt-authentication-bypass-via-flawed-signature-verification)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Abrir](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification)                               |
| [JWT authentication bypass via unverified signature](/portswigger/labs/jwt/jwt-authentication-bypass-via-unverified-signature)                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Abrir](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature)                                        |
| [JWT authentication bypass via jku header injection](/portswigger/labs/jwt/jwt-authentication-bypass-via-jku-header-injection)                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Abrir](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection)                                        |
| [JWT authentication bypass via jwk header injection](/portswigger/labs/jwt/jwt-authentication-bypass-via-jwk-header-injection)                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Abrir](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection)                                        |
| [JWT authentication bypass via kid header path traversal](/portswigger/labs/jwt/jwt-authentication-bypass-via-kid-header-path-traversal)                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · JSON Web Tokens (JWT) · Directory / Path Traversal | [Abrir](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)                                   |
| [JWT authentication bypass via weak signing key](/portswigger/labs/jwt/jwt-authentication-bypass-via-weak-signing-key)                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · JSON Web Tokens (JWT)                              | [Abrir](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key)                                            |

## LLM Attacks (8)

| Lab                                                                                                                                                                                                     | Dificultad                                                 | Skills                         | Oficial                                                                                                                                                            |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [Exploiting AI agents to exfiltrate sensitive information](/portswigger/labs/llm-attacks/ai-powered-scanner-vulnerabilities-sensitive-information-exfiltration)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | LLM Attacks (Prompt Injection) | [Abrir](https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities/lab-sensitive-information-exfiltration)                                |
| [Exploiting AI agents to perform destructive actions](/portswigger/labs/llm-attacks/ai-powered-scanner-vulnerabilities-indirect-prompt-injection-via-ai-powered-scan)                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | LLM Attacks (Prompt Injection) | [Abrir](https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities/lab-indirect-prompt-injection-via-ai-powered-scan)                     |
| [Exploiting insecure output handling in LLMs](/portswigger/labs/llm-attacks/exploiting-insecure-output-handling-in-llms)                                                                                | <span className="dbadge dbadge-easy">APPRENTICE</span>     | LLM Attacks (Prompt Injection) | [Abrir](https://portswigger.net/web-security/llm-attacks/lab-exploiting-insecure-output-handling-in-llms)                                                          |
| [Exploiting LLM APIs with excessive agency](/portswigger/labs/llm-attacks/exploiting-llm-apis-with-excessive-agency)                                                                                    | <span className="dbadge dbadge-easy">APPRENTICE</span>     | LLM Attacks (Prompt Injection) | [Abrir](https://portswigger.net/web-security/llm-attacks/lab-exploiting-llm-apis-with-excessive-agency)                                                            |
| [Bypassing AI scanner defenses to exfiltrate sensitive information](/portswigger/labs/llm-attacks/ai-powered-scanner-vulnerabilities-bypassing-ai-scanner-defenses-to-exfiltrate-sensitive-information) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | LLM Attacks (Prompt Injection) | [Abrir](https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities/lab-bypassing-ai-scanner-defenses-to-exfiltrate-sensitive-information) |
| [Exploiting AI agents to trigger secondary vulnerabilities](/portswigger/labs/llm-attacks/ai-powered-scanner-vulnerabilities-exploiting-target-website-vulnerabilities-to-bypass-restrictions)          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | LLM Attacks (Prompt Injection) | [Abrir](https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities/lab-exploiting-target-website-vulnerabilities-to-bypass-restrictions)  |
| [Exploiting vulnerabilities in LLM APIs](/portswigger/labs/llm-attacks/exploiting-vulnerabilities-in-llm-apis)                                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | LLM Attacks (Prompt Injection) | [Abrir](https://portswigger.net/web-security/llm-attacks/lab-exploiting-vulnerabilities-in-llm-apis)                                                               |
| [Indirect prompt injection](/portswigger/labs/llm-attacks/indirect-prompt-injection)                                                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | LLM Attacks (Prompt Injection) | [Abrir](https://portswigger.net/web-security/llm-attacks/lab-indirect-prompt-injection)                                                                            |

## Business Logic Vulnerabilities (12)

| Lab                                                                                                                                                                                           | Dificultad                                                 | Skills                                                          | Oficial                                                                                                                                                |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [Bypassing access controls using email address parsing discrepancies](/portswigger/labs/logic-flaws/examples-logic-flaws-bypassing-access-controls-using-email-address-parsing-discrepancies) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities · Access Control / IDOR          | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-bypassing-access-controls-using-email-address-parsing-discrepancies) |
| [Excessive trust in client-side controls](/portswigger/labs/logic-flaws/examples-logic-flaws-excessive-trust-in-client-side-controls)                                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls)                             |
| [Flawed enforcement of business rules](/portswigger/labs/logic-flaws/examples-logic-flaws-flawed-enforcement-of-business-rules)                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities · Remote Code Execution (RCE)    | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-flawed-enforcement-of-business-rules)                                |
| [High-level logic vulnerability](/portswigger/labs/logic-flaws/examples-logic-flaws-high-level)                                                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-high-level)                                                          |
| [Inconsistent security controls](/portswigger/labs/logic-flaws/examples-logic-flaws-inconsistent-security-controls)                                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-security-controls)                                      |
| [Authentication bypass via encryption oracle](/portswigger/labs/logic-flaws/examples-logic-flaws-authentication-bypass-via-encryption-oracle)                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · Business Logic Vulnerabilities | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-authentication-bypass-via-encryption-oracle)                         |
| [Authentication bypass via flawed state machine](/portswigger/labs/logic-flaws/examples-logic-flaws-authentication-bypass-via-flawed-state-machine)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Authentication Vulnerabilities · Business Logic Vulnerabilities | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-authentication-bypass-via-flawed-state-machine)                      |
| [Inconsistent handling of exceptional input](/portswigger/labs/logic-flaws/examples-logic-flaws-inconsistent-handling-of-exceptional-input)                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-handling-of-exceptional-input)                          |
| [Infinite money logic flaw](/portswigger/labs/logic-flaws/examples-logic-flaws-infinite-money)                                                                                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-infinite-money)                                                      |
| [Insufficient workflow validation](/portswigger/labs/logic-flaws/examples-logic-flaws-insufficient-workflow-validation)                                                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation)                                    |
| [Low-level logic flaw](/portswigger/labs/logic-flaws/examples-logic-flaws-low-level)                                                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-low-level)                                                           |
| [Weak isolation on dual-use endpoint](/portswigger/labs/logic-flaws/examples-logic-flaws-weak-isolation-on-dual-use-endpoint)                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Business Logic Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-weak-isolation-on-dual-use-endpoint)                                 |

## NoSQL Injection (4)

| Lab                                                                                                                                       | Dificultad                                                 | Skills        | Oficial                                                                                                  |
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------- |
| [Detecting NoSQL injection](/portswigger/labs/nosql-injection/nosql-injection-detection)                                                  | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection | [Abrir](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-detection)              |
| [Exploiting NoSQL operator injection to bypass authentication](/portswigger/labs/nosql-injection/nosql-injection-bypass-authentication)   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection | [Abrir](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-bypass-authentication)  |
| [Exploiting NoSQL injection to extract data](/portswigger/labs/nosql-injection/nosql-injection-extract-data)                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-data)           |
| [Exploiting NoSQL operator injection to extract unknown fields](/portswigger/labs/nosql-injection/nosql-injection-extract-unknown-fields) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-unknown-fields) |

## OAuth Authentication (6)

| Lab                                                                                                                                  | Dificultad                                                 | Skills                                                                | Oficial                                                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | --------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| [Authentication bypass via OAuth implicit flow](/portswigger/labs/oauth/oauth-authentication-bypass-via-oauth-implicit-flow)         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Authentication Vulnerabilities · OAuth Authentication Vulnerabilities | [Abrir](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)      |
| [Stealing OAuth access tokens via a proxy page](/portswigger/labs/oauth/oauth-stealing-oauth-access-tokens-via-a-proxy-page)         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | OAuth Authentication Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)      |
| [Forced OAuth profile linking](/portswigger/labs/oauth/oauth-forced-oauth-profile-linking)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OAuth Authentication Vulnerabilities · Remote Code Execution (RCE)    | [Abrir](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)                       |
| [OAuth account hijacking via redirect\_uri](/portswigger/labs/oauth/oauth-account-hijacking-via-redirect-uri)                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OAuth Authentication Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)                 |
| [SSRF via OpenID dynamic client registration](/portswigger/labs/oauth/openid-oauth-ssrf-via-openid-dynamic-client-registration)      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OAuth Authentication Vulnerabilities · Server-Side Request Forgery    | [Abrir](https://portswigger.net/web-security/oauth/openid/lab-oauth-ssrf-via-openid-dynamic-client-registration) |
| [Stealing OAuth access tokens via an open redirect](/portswigger/labs/oauth/oauth-stealing-oauth-access-tokens-via-an-open-redirect) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OAuth Authentication Vulnerabilities                                  | [Abrir](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)  |

## OS Command Injection (5)

| Lab                                                                                                                                         | Dificultad                                                 | Skills               | Oficial                                                                                                    |
| ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------- | ---------------------------------------------------------------------------------------------------------- |
| [OS command injection, simple case](/portswigger/labs/os-command-injection/simple)                                                          | <span className="dbadge dbadge-easy">APPRENTICE</span>     | OS Command Injection | [Abrir](https://portswigger.net/web-security/os-command-injection/lab-simple)                              |
| [Blind OS command injection with out-of-band data exfiltration](/portswigger/labs/os-command-injection/blind-out-of-band-data-exfiltration) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OS Command Injection | [Abrir](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration) |
| [Blind OS command injection with out-of-band interaction](/portswigger/labs/os-command-injection/blind-out-of-band)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OS Command Injection | [Abrir](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band)                   |
| [Blind OS command injection with output redirection](/portswigger/labs/os-command-injection/blind-output-redirection)                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OS Command Injection | [Abrir](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection)            |
| [Blind OS command injection with time delays](/portswigger/labs/os-command-injection/blind-time-delays)                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | OS Command Injection | [Abrir](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays)                   |

## Prototype Pollution (9)

| Lab                                                                                                                                                                                                                | Dificultad                                                 | Skills                                            | Oficial                                                                                                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Exfiltrating sensitive data via server-side prototype pollution](/portswigger/labs/prototype-pollution/server-side-exfiltrating-sensitive-data-via-server-side-prototype-pollution)                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Prototype Pollution                               | [Abrir](https://portswigger.net/web-security/prototype-pollution/server-side/lab-exfiltrating-sensitive-data-via-server-side-prototype-pollution)                |
| [Bypassing flawed input filters for server-side prototype pollution](/portswigger/labs/prototype-pollution/server-side-bypassing-flawed-input-filters-for-server-side-prototype-pollution)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Abrir](https://portswigger.net/web-security/prototype-pollution/server-side/lab-bypassing-flawed-input-filters-for-server-side-prototype-pollution)             |
| [Client-side prototype pollution in third-party libraries](/portswigger/labs/prototype-pollution/client-side-prototype-pollution-client-side-prototype-pollution-in-third-party-libraries)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Abrir](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-client-side-prototype-pollution-in-third-party-libraries)   |
| [Client-side prototype pollution via flawed sanitization](/portswigger/labs/prototype-pollution/client-side-prototype-pollution-client-side-prototype-pollution-via-flawed-sanitization)                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Abrir](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-client-side-prototype-pollution-via-flawed-sanitization)    |
| [Detecting server-side prototype pollution without polluted property reflection](/portswigger/labs/prototype-pollution/server-side-detecting-server-side-prototype-pollution-without-polluted-property-reflection) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Abrir](https://portswigger.net/web-security/prototype-pollution/server-side/lab-detecting-server-side-prototype-pollution-without-polluted-property-reflection) |
| [DOM XSS via an alternative prototype pollution vector](/portswigger/labs/prototype-pollution/client-side-prototype-pollution-dom-xss-via-an-alternative-prototype-pollution-vector)                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution · Cross-Site Scripting (XSS)  | [Abrir](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-dom-xss-via-an-alternative-prototype-pollution-vector)      |
| [DOM XSS via client-side prototype pollution](/portswigger/labs/prototype-pollution/client-side-prototype-pollution-dom-xss-via-client-side-prototype-pollution)                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution · Cross-Site Scripting (XSS)  | [Abrir](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-dom-xss-via-client-side-prototype-pollution)                |
| [Privilege escalation via server-side prototype pollution](/portswigger/labs/prototype-pollution/server-side-privilege-escalation-via-server-side-prototype-pollution)                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution                               | [Abrir](https://portswigger.net/web-security/prototype-pollution/server-side/lab-privilege-escalation-via-server-side-prototype-pollution)                       |
| [Remote code execution via server-side prototype pollution](/portswigger/labs/prototype-pollution/server-side-remote-code-execution-via-server-side-prototype-pollution)                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Remote Code Execution (RCE) · Prototype Pollution | [Abrir](https://portswigger.net/web-security/prototype-pollution/server-side/lab-remote-code-execution-via-server-side-prototype-pollution)                      |

## Race Conditions (6)

| Lab                                                                                                                                      | Dificultad                                                 | Skills          | Oficial                                                                                                                     |
| ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------- | --------------------------------------------------------------------------------------------------------------------------- |
| [Limit overrun race conditions](/portswigger/labs/race-conditions/race-conditions-limit-overrun)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Race Conditions | [Abrir](https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun)                             |
| [Partial construction race conditions](/portswigger/labs/race-conditions/race-conditions-partial-construction)                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Race Conditions | [Abrir](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction)                      |
| [Bypassing rate limits via race conditions](/portswigger/labs/race-conditions/race-conditions-bypassing-rate-limits)                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Race Conditions | [Abrir](https://portswigger.net/web-security/race-conditions/lab-race-conditions-bypassing-rate-limits)                     |
| [Exploiting time-sensitive vulnerabilities](/portswigger/labs/race-conditions/race-conditions-exploiting-time-sensitive-vulnerabilities) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Race Conditions | [Abrir](https://portswigger.net/web-security/race-conditions/lab-race-conditions-exploiting-time-sensitive-vulnerabilities) |
| [Multi-endpoint race conditions](/portswigger/labs/race-conditions/race-conditions-multi-endpoint)                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Race Conditions | [Abrir](https://portswigger.net/web-security/race-conditions/lab-race-conditions-multi-endpoint)                            |
| [Single-endpoint race conditions](/portswigger/labs/race-conditions/race-conditions-single-endpoint)                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Race Conditions | [Abrir](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint)                           |

## HTTP Request Smuggling (16)

| Lab                                                                                                                                                                            | Dificultad                                                 | Skills                                                             | Oficial                                                                                                                                |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | ------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------- |
| [0.CL request smuggling](/portswigger/labs/request-smuggling/advanced-request-smuggling-0cl-request-smuggling)                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-0cl-request-smuggling)                   |
| [Exploiting HTTP request smuggling to perform web cache deception](/portswigger/labs/request-smuggling/exploiting-perform-web-cache-deception)                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | HTTP Request Smuggling · Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-deception)                             |
| [Exploiting HTTP request smuggling to perform web cache poisoning](/portswigger/labs/request-smuggling/exploiting-perform-web-cache-poisoning)                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | HTTP Request Smuggling · Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-poisoning)                             |
| [Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability](/portswigger/labs/request-smuggling/exploiting-bypass-front-end-controls-cl-te) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-cl-te)                         |
| [Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability](/portswigger/labs/request-smuggling/exploiting-bypass-front-end-controls-te-cl) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-te-cl)                         |
| [Exploiting HTTP request smuggling to capture other users' requests](/portswigger/labs/request-smuggling/exploiting-capture-other-users-requests)                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests)                            |
| [Exploiting HTTP request smuggling to deliver reflected XSS](/portswigger/labs/request-smuggling/exploiting-deliver-reflected-xss)                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling · Cross-Site Scripting (XSS)                | [Abrir](https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss)                                   |
| [Exploiting HTTP request smuggling to reveal front-end request rewriting](/portswigger/labs/request-smuggling/exploiting-reveal-front-end-request-rewriting)                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/exploiting/lab-reveal-front-end-request-rewriting)                      |
| [H2.CL request smuggling](/portswigger/labs/request-smuggling/advanced-request-smuggling-h2-cl-request-smuggling)                                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-cl-request-smuggling)                 |
| [HTTP request smuggling, basic CL.TE vulnerability](/portswigger/labs/request-smuggling/basic-cl-te)                                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te)                                                        |
| [HTTP request smuggling, basic TE.CL vulnerability](/portswigger/labs/request-smuggling/basic-te-cl)                                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl)                                                        |
| [HTTP request smuggling, confirming a CL.TE vulnerability via differential responses](/portswigger/labs/request-smuggling/finding-confirming-cl-te-via-differential-responses) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-cl-te-via-differential-responses)                |
| [HTTP request smuggling, confirming a TE.CL vulnerability via differential responses](/portswigger/labs/request-smuggling/finding-confirming-te-cl-via-differential-responses) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-te-cl-via-differential-responses)                |
| [HTTP request smuggling, obfuscating the TE header](/portswigger/labs/request-smuggling/obfuscating-te-header)                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header)                                              |
| [HTTP/2 request smuggling via CRLF injection](/portswigger/labs/request-smuggling/advanced-request-smuggling-h2-request-smuggling-via-crlf-injection)                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-smuggling-via-crlf-injection) |
| [HTTP/2 request splitting via CRLF injection](/portswigger/labs/request-smuggling/advanced-request-smuggling-h2-request-splitting-via-crlf-injection)                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling                                             | [Abrir](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) |

## Server-Side Template Injection (SSTI) (7)

| Lab                                                                                                                                                                                                                                      | Dificultad                                                 | Skills                                                      | Oficial                                                                                                                                                                          |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Server-side template injection in a sandboxed environment](/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-in-a-sandboxed-environment)                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SSTI (Server-Side Template Injection)                       | [Abrir](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-a-sandboxed-environment)                            |
| [Server-side template injection with a custom exploit](/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-with-a-custom-exploit)                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SSTI (Server-Side Template Injection)                       | [Abrir](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-with-a-custom-exploit)                                 |
| [Basic server-side template injection](/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-basic)                                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection)                       | [Abrir](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic)                                                 |
| [Basic server-side template injection (code context)](/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-basic-code-context)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection)                       | [Abrir](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic-code-context)                                    |
| [Server-side template injection in an unknown language with a documented exploit](/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection)                       | [Abrir](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)      |
| [Server-side template injection using documentation](/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-using-documentation)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection)                       | [Abrir](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-using-documentation)                                   |
| [Server-side template injection with information disclosure via user-supplied objects](/portswigger/labs/server-side-template-injection/exploiting-server-side-template-injection-with-information-disclosure-via-user-supplied-objects) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SSTI (Server-Side Template Injection) · Information Leakage | [Abrir](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-with-information-disclosure-via-user-supplied-objects) |

## SQL Injection (18)

| Lab                                                                                                                                                                                     | Dificultad                                                 | Skills        | Oficial                                                                                                                          |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| [SQL injection vulnerability allowing login bypass](/portswigger/labs/sql-injection/login-bypass)                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/lab-login-bypass)                                                     |
| [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](/portswigger/labs/sql-injection/retrieve-hidden-data)                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)                                             |
| [Blind SQL injection with conditional errors](/portswigger/labs/sql-injection/blind-conditional-errors)                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors)                                         |
| [Blind SQL injection with conditional responses](/portswigger/labs/sql-injection/blind-conditional-responses)                                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses)                                      |
| [Blind SQL injection with out-of-band data exfiltration](/portswigger/labs/sql-injection/blind-out-of-band-data-exfiltration)                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration)                              |
| [Blind SQL injection with out-of-band interaction](/portswigger/labs/sql-injection/blind-out-of-band)                                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band)                                                |
| [Blind SQL injection with time delays](/portswigger/labs/sql-injection/blind-time-delays)                                                                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays)                                                |
| [Blind SQL injection with time delays and information retrieval](/portswigger/labs/sql-injection/blind-time-delays-info-retrieval)                                                      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval)                                 |
| [SQL injection attack, listing the database contents on non-Oracle databases](/portswigger/labs/sql-injection/examining-the-database-listing-database-contents-non-oracle)              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle)      |
| [SQL injection attack, listing the database contents on Oracle](/portswigger/labs/sql-injection/examining-the-database-listing-database-contents-oracle)                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle)          |
| [SQL injection attack, querying the database type and version on MySQL and Microsoft](/portswigger/labs/sql-injection/examining-the-database-querying-database-version-mysql-microsoft) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft) |
| [SQL injection attack, querying the database type and version on Oracle](/portswigger/labs/sql-injection/examining-the-database-querying-database-version-oracle)                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle)          |
| [SQL injection UNION attack, determining the number of columns returned by the query](/portswigger/labs/sql-injection/union-attacks-determine-number-of-columns)                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns)                        |
| [SQL injection UNION attack, finding a column containing text](/portswigger/labs/sql-injection/union-attacks-find-column-containing-text)                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text)                        |
| [SQL injection UNION attack, retrieving data from other tables](/portswigger/labs/sql-injection/union-attacks-retrieve-data-from-other-tables)                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables)                    |
| [SQL injection UNION attack, retrieving multiple values in a single column](/portswigger/labs/sql-injection/union-attacks-retrieve-multiple-values-in-single-column)                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column)          |
| [SQL injection with filter bypass via XML encoding](/portswigger/labs/sql-injection/sql-injection-with-filter-bypass-via-xml-encoding)                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)                |
| [Visible error-based SQL injection](/portswigger/labs/sql-injection/blind-sql-injection-visible-error-based)                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based)                          |

## SSRF (Server-Side Request Forgery) (7)

| Lab                                                                                                                          | Dificultad                                                 | Skills                                                   | Oficial                                                                                        |
| ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| [Basic SSRF against another back-end system](/portswigger/labs/ssrf/basic-ssrf-against-backend-system)                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Server-Side Request Forgery                              | [Abrir](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system)       |
| [Basic SSRF against the local server](/portswigger/labs/ssrf/basic-ssrf-against-localhost)                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Server-Side Request Forgery                              | [Abrir](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost)            |
| [Blind SSRF with Shellshock exploitation](/portswigger/labs/ssrf/blind-shellshock-exploitation)                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Shellshock (CVE-2014-6271) · Server-Side Request Forgery | [Abrir](https://portswigger.net/web-security/ssrf/blind/lab-shellshock-exploitation)           |
| [SSRF with whitelist-based input filter](/portswigger/labs/ssrf/ssrf-with-whitelist-filter)                                  | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Server-Side Request Forgery                              | [Abrir](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter)              |
| [Blind SSRF with out-of-band detection](/portswigger/labs/ssrf/blind-out-of-band-detection)                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Server-Side Request Forgery                              | [Abrir](https://portswigger.net/web-security/ssrf/blind/lab-out-of-band-detection)             |
| [SSRF with blacklist-based input filter](/portswigger/labs/ssrf/ssrf-with-blacklist-filter)                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Server-Side Request Forgery                              | [Abrir](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)              |
| [SSRF with filter bypass via open redirection vulnerability](/portswigger/labs/ssrf/ssrf-filter-bypass-via-open-redirection) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Server-Side Request Forgery                              | [Abrir](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection) |

## Web Cache Deception (5)

| Lab                                                                                                                                                | Dificultad                                                 | Skills                                    | Oficial                                                                                                          |
| -------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| [Exploiting exact-match cache rules for web cache deception](/portswigger/labs/web-cache-deception/wcd-exploiting-exact-match-cache-rules)         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-exact-match-cache-rules)     |
| [Exploiting path mapping for web cache deception](/portswigger/labs/web-cache-deception/wcd-exploiting-path-mapping)                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-path-mapping)                |
| [Exploiting cache server normalization for web cache deception](/portswigger/labs/web-cache-deception/wcd-exploiting-cache-server-normalization)   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-cache-server-normalization)  |
| [Exploiting origin server normalization for web cache deception](/portswigger/labs/web-cache-deception/wcd-exploiting-origin-server-normalization) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-origin-server-normalization) |
| [Exploiting path delimiters for web cache deception](/portswigger/labs/web-cache-deception/wcd-exploiting-path-delimiters)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-deception/lab-wcd-exploiting-path-delimiters)             |

## Web Cache Poisoning (13)

| Lab                                                                                                                                                                                                                                                                | Dificultad                                                 | Skills                                    | Oficial                                                                                                                                                                                        |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Cache key injection](/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-cache-key-injection)                                                                                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-cache-key-injection)                                                  |
| [Combining web cache poisoning vulnerabilities](/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-combining-vulnerabilities)                                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-combining-vulnerabilities)                                                    |
| [Internal cache poisoning](/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-internal)                                                                                                                                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-internal)                                                             |
| [Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria](/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-to-exploit-a-dom-vulnerability-via-a-cache-with-strict-cacheability-criteria) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-to-exploit-a-dom-vulnerability-via-a-cache-with-strict-cacheability-criteria) |
| [Parameter cloaking](/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-param-cloaking)                                                                                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)                                                       |
| [Targeted web cache poisoning using an unknown header](/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-targeted-using-an-unknown-header)                                                                                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-targeted-using-an-unknown-header)                                             |
| [URL normalization](/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-normalization)                                                                                                                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-normalization)                                                        |
| [Web cache poisoning via a fat GET request](/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-fat-get)                                                                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)                                                              |
| [Web cache poisoning via an unkeyed query parameter](/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-unkeyed-param)                                                                                                      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-param)                                                        |
| [Web cache poisoning via an unkeyed query string](/portswigger/labs/web-cache-poisoning/exploiting-implementation-flaws-web-cache-poisoning-unkeyed-query)                                                                                                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-query)                                                        |
| [Web cache poisoning with an unkeyed cookie](/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-with-an-unkeyed-cookie)                                                                                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-cookie)                                                       |
| [Web cache poisoning with an unkeyed header](/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-with-an-unkeyed-header)                                                                                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-header)                                                       |
| [Web cache poisoning with multiple headers](/portswigger/labs/web-cache-poisoning/exploiting-design-flaws-web-cache-poisoning-with-multiple-headers)                                                                                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Web Cache Attacks (Poisoning / Deception) | [Abrir](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-multiple-headers)                                                        |

## WebSockets (2)

| Lab                                                                                                                                               | Dificultad                                                 | Skills                     | Oficial                                                                                                        |
| ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------- | -------------------------------------------------------------------------------------------------------------- |
| [Manipulating WebSocket messages to exploit vulnerabilities](/portswigger/labs/websockets/manipulating-messages-to-exploit-vulnerabilities)       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | WebSockets Vulnerabilities | [Abrir](https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities)  |
| [Manipulating the WebSocket handshake to exploit vulnerabilities](/portswigger/labs/websockets/manipulating-handshake-to-exploit-vulnerabilities) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | WebSockets Vulnerabilities | [Abrir](https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities) |

## XXE (XML External Entity) (9)

| Lab                                                                                                                                                        | Dificultad                                                 | Skills                                            | Oficial                                                                                                               |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| [Exploiting XXE to perform SSRF attacks](/portswigger/labs/xxe/exploiting-xxe-to-perform-ssrf)                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XML External Entity · Server-Side Request Forgery | [Abrir](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)                                  |
| [Exploiting XXE to retrieve data by repurposing a local DTD](/portswigger/labs/xxe/blind-xxe-trigger-error-message-by-repurposing-local-dtd)               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XML External Entity                               | [Abrir](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)        |
| [Exploiting XXE using external entities to retrieve files](/portswigger/labs/xxe/exploiting-xxe-to-retrieve-files)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XML External Entity                               | [Abrir](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)                                |
| [Blind XXE with out-of-band interaction](/portswigger/labs/xxe/blind-xxe-with-out-of-band-interaction)                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Abrir](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)                          |
| [Blind XXE with out-of-band interaction via XML parameter entities](/portswigger/labs/xxe/blind-xxe-with-out-of-band-interaction-using-parameter-entities) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Abrir](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities) |
| [Exploiting blind XXE to exfiltrate data using a malicious external DTD](/portswigger/labs/xxe/blind-xxe-with-out-of-band-exfiltration)                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Abrir](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)                         |
| [Exploiting blind XXE to retrieve data via error messages](/portswigger/labs/xxe/blind-xxe-with-data-retrieval-via-error-messages)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Abrir](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)                |
| [Exploiting XInclude to retrieve files](/portswigger/labs/xxe/xinclude-attack)                                                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity                               | [Abrir](https://portswigger.net/web-security/xxe/lab-xinclude-attack)                                                 |
| [Exploiting XXE via image file upload](/portswigger/labs/xxe/xxe-via-file-upload)                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XML External Entity · File Upload Vulnerabilities | [Abrir](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)                                             |

*Última actualización: 2026-05-08*

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"ItemList","name":"PortSwigger Web Security Academy labs","numberOfItems":262,"url":"https://rootea.es/portswigger/all","itemListElement":[{"@type":"ListItem","position":1,"url":"https://rootea.es/portswigger/labs/access-control/insecure-direct-object-references","name":"Insecure direct object references"},{"@type":"ListItem","position":2,"url":"https://rootea.es/portswigger/labs/access-control/method-based-access-control-can-be-circumvented","name":"Method-based access control can be circumvented"},{"@type":"ListItem","position":3,"url":"https://rootea.es/portswigger/labs/access-control/multi-step-process-with-no-access-control-on-one-step","name":"Multi-step process with no access control on one step"},{"@type":"ListItem","position":4,"url":"https://rootea.es/portswigger/labs/access-control/referer-based-access-control","name":"Referer-based access control"},{"@type":"ListItem","position":5,"url":"https://rootea.es/portswigger/labs/access-control/unprotected-admin-functionality","name":"Unprotected admin functionality"},{"@type":"ListItem","position":6,"url":"https://rootea.es/portswigger/labs/access-control/unprotected-admin-functionality-with-unpredictable-url","name":"Unprotected admin functionality with unpredictable URL"},{"@type":"ListItem","position":7,"url":"https://rootea.es/portswigger/labs/access-control/url-based-access-control-can-be-circumvented","name":"URL-based access control can be circumvented"},{"@type":"ListItem","position":8,"url":"https://rootea.es/portswigger/labs/access-control/user-id-controlled-by-request-parameter","name":"User ID controlled by request parameter"},{"@type":"ListItem","position":9,"url":"https://rootea.es/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-data-leakage-in-redirect","name":"User ID controlled by request parameter with data leakage in redirect"},{"@type":"ListItem","position":10,"url":"https://rootea.es/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-password-disclosure","name":"User ID controlled by request parameter with password disclosure"},{"@type":"ListItem","position":11,"url":"https://rootea.es/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-unpredictable-user-ids","name":"User ID controlled by request parameter, with unpredictable user IDs"},{"@type":"ListItem","position":12,"url":"https://rootea.es/portswigger/labs/access-control/user-role-can-be-modified-in-user-profile","name":"User role can be modified in user profile"},{"@type":"ListItem","position":13,"url":"https://rootea.es/portswigger/labs/access-control/user-role-controlled-by-request-parameter","name":"User role controlled by request parameter"},{"@type":"ListItem","position":14,"url":"https://rootea.es/portswigger/labs/api-testing/exploiting-mass-assignment-vulnerability","name":"Exploiting a mass assignment vulnerability"},{"@type":"ListItem","position":15,"url":"https://rootea.es/portswigger/labs/api-testing/exploiting-api-endpoint-using-documentation","name":"Exploiting an API endpoint using documentation"},{"@type":"ListItem","position":16,"url":"https://rootea.es/portswigger/labs/api-testing/server-side-parameter-pollution-exploiting-server-side-parameter-pollution-in-query-string","name":"Exploiting server-side parameter pollution in a query string"},{"@type":"ListItem","position":17,"url":"https://rootea.es/portswigger/labs/api-testing/server-side-parameter-pollution-exploiting-server-side-parameter-pollution-in-rest-url","name":"Exploiting server-side parameter pollution in a REST URL"},{"@type":"ListItem","position":18,"url":"https://rootea.es/portswigger/labs/api-testing/exploiting-unused-api-endpoint","name":"Finding and exploiting an unused API endpoint"},{"@type":"ListItem","position":19,"url":"https://rootea.es/portswigger/labs/authentication/multi-factor-2fa-broken-logic","name":"2FA broken logic"},{"@type":"ListItem","position":20,"url":"https://rootea.es/portswigger/labs/authentication/multi-factor-2fa-bypass-using-a-brute-force-attack","name":"2FA bypass using a brute-force attack"},{"@type":"ListItem","position":21,"url":"https://rootea.es/portswigger/labs/authentication/multi-factor-2fa-simple-bypass","name":"2FA simple bypass"},{"@type":"ListItem","position":22,"url":"https://rootea.es/portswigger/labs/authentication/password-based-broken-bruteforce-protection-ip-block","name":"Broken brute-force protection, IP block"},{"@type":"ListItem","position":23,"url":"https://rootea.es/portswigger/labs/authentication/password-based-broken-brute-force-protection-multiple-credentials-per-request","name":"Broken brute-force protection, multiple credentials per request"},{"@type":"ListItem","position":24,"url":"https://rootea.es/portswigger/labs/authentication/other-mechanisms-brute-forcing-a-stay-logged-in-cookie","name":"Brute-forcing a stay-logged-in cookie"},{"@type":"ListItem","position":25,"url":"https://rootea.es/portswigger/labs/authentication/other-mechanisms-offline-password-cracking","name":"Offline password cracking"},{"@type":"ListItem","position":26,"url":"https://rootea.es/portswigger/labs/authentication/other-mechanisms-password-brute-force-via-password-change","name":"Password brute-force via password change"},{"@type":"ListItem","position":27,"url":"https://rootea.es/portswigger/labs/authentication/other-mechanisms-password-reset-broken-logic","name":"Password reset broken logic"},{"@type":"ListItem","position":28,"url":"https://rootea.es/portswigger/labs/authentication/other-mechanisms-password-reset-poisoning-via-middleware","name":"Password reset poisoning via middleware"},{"@type":"ListItem","position":29,"url":"https://rootea.es/portswigger/labs/authentication/password-based-username-enumeration-via-account-lock","name":"Username enumeration via account lock"},{"@type":"ListItem","position":30,"url":"https://rootea.es/portswigger/labs/authentication/password-based-username-enumeration-via-different-responses","name":"Username enumeration via different responses"},{"@type":"ListItem","position":31,"url":"https://rootea.es/portswigger/labs/authentication/password-based-username-enumeration-via-response-timing","name":"Username enumeration via response timing"},{"@type":"ListItem","position":32,"url":"https://rootea.es/portswigger/labs/authentication/password-based-username-enumeration-via-subtly-different-responses","name":"Username enumeration via subtly different responses"},{"@type":"ListItem","position":33,"url":"https://rootea.es/portswigger/labs/clickjacking/basic-csrf-protected","name":"Basic clickjacking with CSRF token protection"},{"@type":"ListItem","position":34,"url":"https://rootea.es/portswigger/labs/clickjacking/frame-buster-script","name":"Clickjacking with a frame buster script"},{"@type":"ListItem","position":35,"url":"https://rootea.es/portswigger/labs/clickjacking/prefilled-form-input","name":"Clickjacking with form input data prefilled from a URL parameter"},{"@type":"ListItem","position":36,"url":"https://rootea.es/portswigger/labs/clickjacking/exploiting-to-trigger-dom-based-xss","name":"Exploiting clickjacking vulnerability to trigger DOM-based XSS"},{"@type":"ListItem","position":37,"url":"https://rootea.es/portswigger/labs/clickjacking/multistep","name":"Multistep clickjacking"},{"@type":"ListItem","position":38,"url":"https://rootea.es/portswigger/labs/cors/basic-origin-reflection-attack","name":"CORS vulnerability with basic origin reflection"},{"@type":"ListItem","position":39,"url":"https://rootea.es/portswigger/labs/cors/breaking-https-attack","name":"CORS vulnerability with trusted insecure protocols"},{"@type":"ListItem","position":40,"url":"https://rootea.es/portswigger/labs/cors/null-origin-whitelisted-attack","name":"CORS vulnerability with trusted null origin"},{"@type":"ListItem","position":41,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/dom-based-angularjs-expression","name":"DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded"},{"@type":"ListItem","position":42,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/dom-based-document-write-sink","name":"DOM XSS in document.write sink using source location.search"},{"@type":"ListItem","position":43,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/dom-based-document-write-sink-inside-select-element","name":"DOM XSS in document.write sink using source location.search inside a select element"},{"@type":"ListItem","position":44,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/dom-based-innerhtml-sink","name":"DOM XSS in innerHTML sink using source location.search"},{"@type":"ListItem","position":45,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/dom-based-jquery-href-attribute-sink","name":"DOM XSS in jQuery anchor href attribute sink using location.search source"},{"@type":"ListItem","position":46,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/dom-based-jquery-selector-hash-change-event","name":"DOM XSS in jQuery selector sink using a hashchange event"},{"@type":"ListItem","position":47,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/exploiting-capturing-passwords","name":"Exploiting cross-site scripting to capture passwords"},{"@type":"ListItem","position":48,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/exploiting-stealing-cookies","name":"Exploiting cross-site scripting to steal cookies"},{"@type":"ListItem","position":49,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/exploiting-perform-csrf","name":"Exploiting XSS to bypass CSRF defenses"},{"@type":"ListItem","position":50,"url":"https://rootea.es/portswigger/labs/cross-site-scripting/dom-based-dom-xss-reflected","name":"Reflected DOM XSS"}]}`}
</script>
