All Simulations50 simulations

Change an order ID to read another user's data. Enumerate sequential IDs, exploit mass assignment, then apply ownership checks.

Trick the server into fetching internal URLs — Redis session tokens, AWS IAM credentials, admin panels. Apply allowlists to fix it.

A transparent iframe tricks you into confirming a bank transfer. Configure X-Frame-Options and CSP frame-ancestors to stop it.

Fire 5 parallel transfer requests at a $100 account — watch the balance go negative. Fix with SELECT FOR UPDATE.

Steal auth codes via open redirect_uri. Bypass CSRF protection with a missing state parameter. Apply both fixes.

Supply a malicious XML document that references external entities — read /etc/passwd and make the server fetch internal URLs.

Inject shell metacharacters into a server-side ping utility. Chain commands with ; and | to read sensitive files and exfiltrate data.

A dangling CNAME points to an unclaimed cloud resource. Claim it and serve content under the victim's trusted subdomain.

Bypass authentication and extract database rows from a vulnerable login form using classic SQLi techniques.

Inject malicious scripts into a fake comment board. See reflected vs stored XSS — and what a CSP blocks.

Watch an evil site silently trigger actions on your "bank" using your session cookies — without you knowing.

Simulate an attacker hammering a login endpoint. Configure rate limiting and lockout policies to stop it.

Escape the web root using ../../../ sequences and read files you were never supposed to access.

Run a dictionary attack against MD5, SHA-1, and bcrypt hashes. See why MD5 falls in seconds — and why bcrypt stops attacks cold.

Exploit alg:none bypass, brute-force a weak HMAC secret, and tamper with expired claims to forge admin tokens.

Flip bytes in an AES-CBC IV and query a padding oracle to decrypt ciphertext one byte at a time — without ever knowing the key.

Find typosquatted packages, detect dependency confusion, and spot malicious post-install scripts targeting your dependencies.

Craft a phishing email, detect suspicious indicators, and configure SPF, DKIM, and DMARC defenses.

Find hardcoded secrets in code, spot leaked .env files in git diffs, and learn to secure credentials properly.

Respond to a ransomware attack — isolate, assess damage, and make critical recovery decisions under pressure.

Chain SSRF → AWS metadata → IAM credential theft into a full cloud compromise. Learn how attackers combine vulnerabilities.

Inject fake DNS records, redirect traffic to a spoofed login page, and harvest credentials. Then defend with DNSSEC.

Break out of a Docker container — exploit privileged mode, mount the host filesystem, and exfiltrate /etc/shadow.

Swap RS256 to HS256 using the public key as HMAC secret. Forge admin tokens with algorithm confusion.

Craft malicious serialized objects that execute code on the server when deserialized.

Exploit an open GraphQL endpoint — run introspection queries, discover hidden fields, and extract sensitive data.

Set up a rogue access point, intercept unencrypted traffic, and capture credentials via a captive portal.

Pollute JavaScript's prototype chain via __proto__ injection. Bypass auth checks and escalate privileges.

Exploit misconfigured CORS headers to steal data cross-origin. Then configure proper CORS defenses.

Exploit response time differences to guess passwords character by character. Then fix with constant-time comparison.

Inject LDAP queries to bypass authentication and extract directory data.

Exploit MongoDB queries with $gt, $ne, and $where operators to bypass login.

Craft a Billion Laughs attack with nested XML entities that consume exponential memory.

Inject CRLF characters to add malicious headers and set cookies.

Exploit unvalidated redirects to send users to phishing sites after login.

Add role:admin to a profile update request and escalate your privileges.

Bypass file type checks to upload a web shell and achieve remote code execution.

Set a victim's session ID before they log in, then hijack their authenticated session.

Exploit CL/TE desync between a proxy and backend to smuggle hidden requests.

Inject {{7*7}} into a template engine and escalate to remote code execution.

Exploit missing origin validation to hijack WebSocket connections cross-origin.

Use leaked credentials from one breach to take over accounts on another service.

List and download files from a publicly accessible S3 bucket.

Steal a service account token and query the Kubernetes API from inside a pod.

Inject fake log entries with newline characters to manipulate audit trails.

Craft input that causes exponential regex backtracking and hangs the server.

Change an API resource ID to access other users' data — no ownership check.

Exploit the JKU header to point JWT verification to your own key server.

Bypass rate limiting with X-Forwarded-For, User-Agent rotation, and header tricks.

Inject instructions into an AI chatbot to reveal its system prompt and bypass filters.