
Security Labs course catalog

You can use this interactive catalog to browse the current Security Labs courses. For the latest updates on these courses, see Training updates.

Learners can only access lessons that are assigned to them and the assigned lessons must be associated with an active campaign. To grant learners access to all major core lessons, an administrator can assign the All core labs focus without entering an end date.

Lessons are tagged with related Common Weakness Enumerations (CWEs) based on the MITRE framework. The CWEs listed indicate the related Pillar, Class, Base, and Variant CWEs for each lesson. If a CWE also has an assigned Likelihood of Exploit metric value, this value appears next to the CWE for the associated lesson with information about the vulnerability severity and prevalence.


Security Labs – Getting Started

Welcome to Security Labs! This topic helps you become familiar with the lab environment, so you can successfully find and remediate vulnerabilities while taking lessons.

Lesson Zero

Explore the Security Labs environment and learn how to use lesson step features.

.NET
10 pts
Java
10 pts
Node.js
10 pts
Go
10 pts
Python Django
10 pts
Python Flask
10 pts

OWASP 1: Broken Access Control

Access control failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

To Protect and To Serve Secure Cookies

Tamper with an insecure cookie for privilege escalation.

CWE-1275, CWE-1345, CWE-284 (Likelihood of Exploit: Medium)
Python Django
20 pts
.NET
20 pts
Python Flask
20 pts
Rails
10 pts
Go
20 pts
Node.js
10 pts
PHP
10 pts
Scala
10 pts

Fix the Sessions

Tamper with user sessions to authenticate as a different user.

CWE-1275, CWE-1345, CWE-284
Java
10 pts

Bad Cookie (Challenge)

Decrypt cookies and hijack another user account.

CWE-1345, CWE-1354, CWE-565, CWE-642, CWE-784 (Likelihood of Exploit: High)
Node.js
10 pts
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Rails
10 pts
Scala
10 pts

Loose Lips Sink Servers

Leaking sensitive information can lead to account and server compromises.

CWE-1345, CWE-199, CWE-200, CWE-201, CWE-202, CWE-598
Node.js
10 pts
.NET
10 pts

Secrets in the Log

While testing a new application, developers might write sensitive information to a log file or log analyzer that should not be included in a production system. It is critical that developers ensure no sensitive information is included in data that a malicious actor might be able to access, in either development or production systems.

CWE-201
Java
10 pts

Redirect Rodeo

Protect users by implementing secure redirect practices.

CWE-1345, CWE-19, CWE-601, CWE-610
.NET
10 pts
Node.js
10 pts
Java
10 pts

Forging User Requests

Cause a user to take unexpected, pre-authenticated actions.

CWE-1019, CWE-1345, CWE-345, CWE-352
.NET
10 pts
Python Django
10 pts
Python Flask
10 pts
Java
10 pts
Rails
10 pts
Go
10 pts

OWASP 2: Cryptographic Failures

Failures related to cryptography (or lack thereof) often lead to exposure of sensitive data.

Bugs in Debug

Verbose error messages lead to exposed sensitive data.

CWE-1295, CWE-1346, CWE-259, CWE-262, CWE-328 (Likelihood of Exploit: High)
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
PHP
10 pts
Python Django
10 pts
Rails
10 pts
Scala
10 pts

Helpful Stack Trace (Challenge)

Provoke an error that reveals sensitive info, leading to privilege escalation.

CWE-1295, CWE-1346, CWE-259, CWE-262, CWE-328 (Likelihood of Exploit: High)
.NET
10 pts
Python Flask
10 pts
Python Django
10 pts
Rails
10 pts

Secret Logging (Challenge)

Force an application to throw an error and leak sensitive data in a stack trace.

CWE-1295, CWE-1346, CWE-259, CWE-262, CWE-328 (Likelihood of Exploit: High)
Python Flask
10 pts

Insufficient Entropy

Insufficient Entropy is a security vulnerability in which an application fails to generate cryptographic keys or tokens with adequate randomness.

CWE-331
Java
10 pts
Node.js
10 pts
.NET
10 pts
Python Django
10 pts

OWASP 3: Injection

Exploiting and preventing SQL injection attacks that access sensitive data. Reflected and persistent cross-site scripting attacks. Content Security Policy.

Own the Database

Practice injection on a web app that uses a SQL database to retrieve data.

CWE-1347, CWE-89, CWE-943 (Likelihood of Exploit: High)
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
Python Django
10 pts
PHP
10 pts
Rails
10 pts
Scala
10 pts

Parameterize all the things

Defend against injection using an app that returns data from a SQL-based database.

.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
PHP
10 pts
Python Django
10 pts
Rails
10 pts
Scala
10 pts

Timing is everything (Challenge)

Indirectly reveal sensitive data using SQL 'sleep' commands.

Python Django
10 pts
Python Flask
10 pts

Bobby Tables (Challenge)

Use SQLi to return sensitive data, then properly parameterize queries to avoid injection attacks.

.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
PHP
10 pts
Python Django
10 pts
Rails
10 pts
Scala
10 pts

Can you see your reflection?

Practice exploiting simple cross-site scripting vulnerabilities to deliver JavaScript payloads.

CWE-1347, CWE-74, CWE-79, CWE-80, CWE-87 (Likelihood of Exploit: High)
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
Python Django
10 pts
Rails
10 pts
Scala
10 pts
PHP
10 pts

Down with Uploads

Insufficient validation of user uploads can lead to stored XSS or directory traversal attacks.

CWE-1347, CWE-1348, CWE-434, CWE-74, CWE-79, CWE-80 (Likelihood of Exploit: Medium)
.NET
20 pts
Java
20 pts
Python Flask
20 pts
Node.js
20 pts
Python Django
20 pts
Scala
10 pts
PHP
10 pts

Alert (Challenge)

Exploit a non-persistent XSS vulnerability in a poorly protected app.

CWE-1347, CWE-74, CWE-79, CWE-80, CWE-87 (Likelihood of Exploit: High)
Python Flask
10 pts
Java
10 pts
Node.js
10 pts
Python Django
10 pts
Scala
10 pts

Persistence (Challenge)

Exploit directory traversal and persistent XSS vulnerabilities in a poorly protected app.

CWE-1345, CWE-1347, CWE-22, CWE-23, CWE-24, CWE-73, CWE-74 (Likelihood of Exploit: High)
Python Flask
20 pts
Java
10 pts
Node.js
20 pts
Python Django
20 pts
Rails
10 pts

Reflected XSS and input formatting

Cross-site scripting vulnerabilities with HTML input validation.

CWE-1347, CWE-74, CWE-79, CWE-80, CWE-87 (Likelihood of Exploit: High)
Rails
10 pts

Stored XSS versus CSP

Defense in depth using CSP against XSS attacks.

CWE-1347, CWE-1348, CWE-434, CWE-74, CWE-79, CWE-80 (Likelihood of Exploit: Medium)
.NET
20 pts
Node.js
20 pts
Scala
20 pts

Check your sources

Content Security Policy to prevent XSS and other code injection.

Java
20 pts
Python Django
20 pts

Angular HTML and URL sanitization

Cause XSS through improper sanitization and poor variable handoff with Angular.

Rails
10 pts

Angular ERB sanitization

Cause XSS through improper sanitization and poor variable handoff with Angular.

Rails
10 pts

OWASP 4: Insecure Design

Failing to initially think about and address security vulnerabilities at the design phase can lead to vulnerabilities and defects.

Making Secure Decisions

Insecure design decisions can lead to vulnerabilities at every level of an application.

CWE-1348, CWE-657, CWE-710
Node.js
10 pts
Java
10 pts
.NET
10 pts
Python Flask
10 pts
Python Django
10 pts
Go
10 pts

Valid Deficit

CWE-1173 occurs when an application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.

CWE-1173, CWE-1174, CWE-1215, CWE-1348, CWE-20
Node.js
10 pts
.NET
10 pts
Java
10 pts

OWASP 5: Security Misconfiguration

Generating and storing secret keys securely.

Jot down this key

Modify JWTs by exploiting knowledge of an insecure secret key.

CWE-1349, CWE-287, CWE-312, CWE-321, CWE-798 (Likelihood of Exploit: High)
.NET
10 pts
Java
10 pts
Node.js
20 pts

Bulky Updates

Access hidden attributes to take unauthorized actions.

CWE-1349, CWE-1354, CWE-913, CWE-915
Rails
10 pts

Can you keep a secret?

Generate a working session token for another user by exploiting knowledge of an insecure secret key.

CWE-1349, CWE-287, CWE-312, CWE-321, CWE-798
Python Flask
10 pts
Go
20 pts
Node.js
10 pts
PHP
10 pts
Python Django
20 pts
Scala
10 pts

Secret Admin (Challenge)

Escalate JWT user privileges by exploiting knowledge of an insecure secret key.

CWE-1349, CWE-287, CWE-312, CWE-321, CWE-798
.NET
10 pts
Python Flask
10 pts
Java
10 pts
Rails
10 pts
Scala
10 pts

eXternal Entity (injection)

Unsafe entity parsing reveals the contents of server files.

CWE-1347, CWE-1349, CWE-610, CWE-611
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
PHP
10 pts
Python Django
10 pts
Rails
10 pts
Scala
10 pts

XML is always a... (Challenge)

Get access to sensitive data by injecting custom XML.

CWE-1347, CWE-1349, CWE-610, CWE-611
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Python Django
10 pts
Rails
10 pts
Scala
10 pts

External Resolution (Challenge)

Retrieve a system file by injecting custom XML, then defend against XXE.

CWE-1347, CWE-1349, CWE-610, CWE-611
Python Flask
10 pts

OWASP 6: Vulnerable and Outdated Components

Keep tabs on outdated dependencies with known security weaknesses.

Suspicious Packages

Find and exploit vulnerabilities in outdated packages.

CWE-1104, CWE-1320, CWE-1352, CWE-1357
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
Python Django
10 pts
Rails
10 pts
PHP
10 pts
Scala
10 pts

Outdated Dependencies (Challenge)

Find and upgrade an outdated, vulnerable dependency.

CWE-1104, CWE-1320, CWE-1352, CWE-1357
.NET
10 pts
Python Flask
10 pts
Java
10 pts
Rails
10 pts
Scala
10 pts

OWASP 7: Identification and Authentication Failures

Enforcing user password requirements and properly encrypting passwords.

Really, really bad passwords

Enforce server-side password requirements and hash passwords securely.

CWE-1353, CWE-287, CWE-521 (Likelihood of Exploit: High)
.NET
10 pts
Python Flask
10 pts
Java
10 pts
Python Django
10 pts
Rails
10 pts
Scala
10 pts

Hash it, store it, salt - upgrade it

Encrypting user passwords securely.

CWE-1346, CWE-1353, CWE-327, CWE-759, CWE-760, CWE-916 (Likelihood of Exploit: High)
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
PHP
10 pts
Python Django
10 pts
Rails
10 pts
Scala
10 pts
.NET
10 pts

Authentication Bypass

"Force browse" to an unprotected page to discover confidential information.

CWE-1345, CWE-1353, CWE-285, CWE-425, CWE-862 (Likelihood of Exploit: High)
Go
10 pts
Node.js
10 pts

Terrible Password (Challenge)

SQLi and poor password hashing lead to exposed user accounts.

CWE-1346, CWE-1353, CWE-327, CWE-759, CWE-760, CWE-916 (Likelihood of Exploit: High)
.NET
10 pts
Python Flask
10 pts
Java
10 pts
Node.js
10 pts
Rails
10 pts
Scala
10 pts

OWASP 8: Software and Data Integrity Failures

This is a new category for 2021, focusing on assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity. It has one of the highest weighted impacts from Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now part of this larger category.

Sleeping With the Enemy

Investigate the integrity of a useful third-party library.

CWE-1214, CWE-1354, CWE-829, CWE-830
.NET
10 pts
Node.js
10 pts

In a Pickle

Data serialization leads to dangerous user-provided payloads.

CWE-1354, CWE-399, CWE-502, CWE-913 (Likelihood of Exploit: Medium)
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Python Django
10 pts
PHP
10 pts
Scala
10 pts

Deserialization (Challenge)

Use pickling to reveal the code of the underlying application.

CWE-1354, CWE-399, CWE-502, CWE-913 (Likelihood of Exploit: Medium)
Python Flask
10 pts
Java
10 pts

Mongo: like SQL, but messier

View non-public posts by supplying a document query as user input.

Node.js
10 pts

Tell Mongo "no-go" for untrusted code

Defend against NoSQL IDOR on a Node.js app that uses MongoDB to store and retrieve data.

CWE-566, CWE-639
Node.js
10 pts

User-Provided Users

Exposed, unhashed user IDs are modifiable by users.

CWE-566, CWE-639
Rails
10 pts

Prototype Protection Agency

Lax or missing input validation can lead to data corruption.

CWE-1321, CWE-1354, CWE-502, CWE-915
Node.js
10 pts

OWASP 9: Security Logging and Monitoring Failures

Rate-limit sensitive actions and block attacks as they happen.

Slow Down

Brute force a user's password on a non-rate-limited login page.

CWE-1348, CWE-1355, CWE-307, CWE-770, CWE-799
.NET
10 pts
Python Flask
10 pts
Go
10 pts
Java
10 pts
Node.js
10 pts
Python Django
10 pts
Rails
10 pts
PHP
10 pts
Scala
10 pts

Brute Force (Challenge)

Brute force a user's password on a non-rate-limited login page.

CWE-1348, CWE-1355, CWE-307, CWE-770, CWE-799
.NET
10 pts
Python Flask
10 pts
Java
10 pts
Rails
10 pts

Hold the Line

Learn how attackers use CRLF injection to flood log files with false events and how to remediate a CRLF vulnerability.

CWE-116, CWE-117, CWE-1355, CWE-93
Node.js
10 pts
.NET
10 pts
Java
10 pts

OWASP 10: Server-Side Request Forgery

SSRF flaws can occur when a web application fetches a remote resource without validating the user-supplied URL.

Get there from here

Retrieve data from an internal server that should not be publicly accessible.

CWE-1356, CWE-441, CWE-610, CWE-918
Java
10 pts
Node.js
10 pts
.NET
10 pts
Python Flask
10 pts
Python Django
10 pts
Go
10 pts

Beyond OWASP Top 10: Other Web App Risks

This module contains the CWEs, vulnerabilities, and flaws that don't quite fit into the OWASP Top 10 categories.

Do You Remember?

Memory management might seem like a problem from the distant past, but it can still cause issues if not implemented properly.

CWE-399, CWE-404, CWE-772
.NET
10 pts

Know Your Limits

Resource limits can be exceeded when either hard limits or configured software limits are reached. CWE-404 describes Improper Resource Shutdown or Release weaknesses that should be avoided.

CWE-399, CWE-404, CWE-770, CWE-772
Java
10 pts

OWASP API 1: Broken Object Level Authorization

APIs can expose endpoints that handle object identifiers. Checks should be considered in every function that accesses a data source using input from the user.

One ID to Access All Objects

Typical API endpoints can give access to a resource by ID. If not handled correctly, the ID can be used to access other resources.

CWE-285, CWE-639
Java
10 pts
.NET
10 pts
Node.js
10 pts

Stronger IDs

Weak identifiers can be guessed, leaked, or stolen. To increase security and avoid creating easy-to-guess identifiers, you should assign random and unpredictable identifiers to your objects.

CWE-285, CWE-639
.NET
10 pts
Java
10 pts
Node.js
10 pts

OWASP API 2: Broken Authentication

Authentication and password reset mechanisms should be securely protected, as they are critical assets vulnerable to attacks.

Really, really bad passwords

Enforce server-side password requirements and hash passwords securely.

CWE-204, CWE-307
.NET
10 pts
Java
10 pts
Node.js
10 pts

Terrible Password (Challenge)

Crack a SHA512 password using a rainbow table attack.

CWE-204, CWE-307
.NET
10 pts
Java
10 pts
Node.js
10 pts

Slow Down

Brute force a user's password on a non-rate-limited login API.

CWE-307
.NET
10 pts
Java
10 pts
Node.js
10 pts

Brute Force (Challenge)

Crack a more complicated password with brute-force.

CWE-307
.NET
10 pts
Java
10 pts
Node.js
10 pts

OWASP API 3: Broken Object Property Level Authorization

Ensure proper authorization checks are in place to validate that users can access only the specific object properties they are permitted to.

Bugs in Debug

Verbose error messages lead to exposed sensitive data.

CWE-213, CWE-915
.NET
10 pts
Java
10 pts
Node.js
10 pts

Revealing Schemas

Based on a real-life case, learn in this lesson how an API can be exploited using just the response payloads.

CWE-213, CWE-915
.NET
10 pts
Java
10 pts
Node.js
10 pts

Bad Design Compromises Security

At first glance, one might think that design has nothing to do with security. This is not so: in this lesson you will see an example of how a bad design impacts security.

CWE-213, CWE-915
.NET
10 pts
Java
10 pts
Node.js
10 pts

OWASP API 4: Unrestricted Resource Consumption

API resource consumption, including external services like email, SMS, and biometrics validation, should be carefully managed to prevent abuse and excessive costs.

Denial of Service

Don't let attackers drain your computational resources. Be prepared with this lesson, in which you will learn about Denial of Service and how to avoid it.

CWE-400, CWE-770, CWE-799
.NET
10 pts
Java
10 pts
Node.js
10 pts

OWASP API 5: Broken Function Level Authorization

Identify broken function-level authorization issues by thoroughly analyzing the authorization mechanism, considering user roles, hierarchy, and access controls.

Neglected endpoints

Having an inventory of all API endpoints is crucial for management, good design, and security. Attackers will find a way to discover neglected endpoints if you do not protect them all. Discover in this lesson how an innocent error, with no security integration tests in place, could compromise your API data.

CWE-285
.NET
10 pts
Java
10 pts
Node.js
10 pts

OWASP API 6: Unrestricted Access to Sensitive Business Flows

Unrestricted access to certain business flows can pose significant risks, such as exploitation or abuse. This can lead to issues like scalping, spamming, or service denial.

The Great Referral Quest

Unrestricted access allows malicious users to exploit referral programs, leading to fraudulent account creations and unauthorized rewards.

CWE-799, CWE-837, CWE-841
Java
10 pts
Node.js
10 pts
.NET
10 pts

OWASP API 7: Server-Side Request Forgery [SSRF]

Retrieve data from an internal server that should not be publicly accessible.

Retrieval Without Validation

The API endpoint included with this lesson allows a user to access content from the Veracode website. When used as expected, the user can specify which subdomain of veracode.com they wish to view.

CWE-1356, CWE-441, CWE-610, CWE-918
Java
10 pts
Node.js
10 pts
.NET
10 pts

OWASP API 8: Security Misconfiguration

APIs are vulnerable if security hardening, proper configurations, up-to-date patches, and essential features like TLS, CORS, and error handling are missing or misconfigured.

Jot down this key

Modify JWTs by exploiting knowledge of an insecure secret key.

CWE-16, CWE-319
.NET
10 pts
Java
10 pts
Node.js
10 pts

Secret Admin (Challenge)

Escalate JWT user privileges by exploiting knowledge of an insecure secret key.

CWE-16, CWE-319
.NET
10 pts
Java
10 pts
Node.js
10 pts

eXternal Entity (injection)

Unsafe entity parsing reveals the contents of server files.

CWE-16, CWE-319
.NET
10 pts
Java
10 pts
Node.js
10 pts

XML is always a (Challenge)

Get access to sensitive data by injecting custom XML.

CWE-16, CWE-319
.NET
10 pts
Java
10 pts
Node.js
10 pts

OWASP API 9: Improper Inventory Management

Organizations must ensure visibility and control over their APIs and data sharing with third parties to mitigate risks.

Unprotected Deployments

Hack an API in production by exploiting poor security of the same API in a testing deployment.

.NET
10 pts
Java
10 pts
Node.js
10 pts

OWASP API 10: Unsafe Consumption of APIs

Use of APIs without proper security measures can expose systems to vulnerabilities and data breaches.

Gift Cards at Risk

The API endpoint included with this lesson allows a user to buy gift cards of different brands. The links to redeem these gift cards are generated by a third-party API that has been compromised.

CWE-20, CWE-200, CWE-319
Java
10 pts
Node.js
10 pts
.NET
10 pts

More OWASP Vulnerabilities for APIs

An overview of lessons learned from past OWASP Top 10 vulnerabilities, addressing gaps in the new list and emphasizing key security insights to strengthen API protection and reduce risks.

Own the database

Practice SQL injection on an application that uses SQL to retrieve data.

.NET
10 pts
Java
10 pts
Node.js
10 pts

Parameterize all the things

Defend against SQL injection using an app that returns data from a SQL database.

.NET
10 pts
Java
10 pts
Node.js
10 pts

Bobby Tables (Challenge)

Use SQL injection to return sensitive data, then properly parameterize queries to avoid injection attacks.

.NET
10 pts
Java
10 pts
Node.js
10 pts

The Importance of Logging and Monitoring

Recognize the importance of logging to discover attacks in your API.

.NET
10 pts
Java
10 pts
Node.js
10 pts

Logging in the API Infrastructure

Recognize the importance of logging to discover attacks in your API.

.NET
10 pts
Java
10 pts
Node.js
10 pts

Containers Security in Docker #1 - Users

It is recommended to take the lessons in order. Welcome to Whale Security Tales. This is a series of lessons on container security. It is focused on Docker, but the content is applicable to various technologies where containers are involved, such as Podman or Kubernetes. In this module, you will learn about users and groups in containers and their relationship to host users and groups. This is one of the most common sources of container attacks.

Whale security tales - #1 Cloning users

In this lesson, you will explore the relationship between users in the host and users in the containers, and how this relationship affects container security.

Bash Shell
10 pts

Whale security tales - #2 Cloning groups

In this lesson, you will see why it is so important to set up not only a non-root user, but also a non-root group in your containers.

Bash Shell
10 pts

Whale security tales - #3 User namespaces

How do you control the relationship between users and groups in the host and those in the container? The answer is in this lesson.

Bash Shell
10 pts

Whale security tales - #4 Privilege escalation

You will meet Orca, the enemy that wants to escalate privileges in your container.

Bash Shell
10 pts

Containers Security in Docker #2 - Virtualization

It is recommended to take the lessons in order. The most critical part of container security has to do with Linux namespaces. This technology is what makes containerization easy and flexible. Understanding this topic will give you a solid foundation for the rest of the course.

Whale security tales - #5 UTS namespaces

You will continue your journey through Linux namespaces with the simplest, but often forgotten, namespace.

Bash Shell
10 pts

Whale security tales - #6 Mount namespaces

This namespace is not simple, but this topic will help you to understand more complicated attacks in containers.

Bash Shell
10 pts

Whale security tales - #7 Attack on Beluga

Orca is ready to attack your container with a simple but very common attack. But do not worry, you will get useful security advice for your containers.

Bash Shell
10 pts

Whale security tales - #8 PID namespaces

The --pid flag is used a lot in containers, but you'll see in this lesson that it's not as secure as you might think.

Bash Shell
10 pts

Whale security tales - #9 Unmasking Docker

What is behind Docker, Kubernetes, and other container-related technologies? Find out in this lesson.

Bash Shell
10 pts

Whale security tales - #10 Runtime attack

This attack will probably convince you and remove any doubts you may have had.

Bash Shell
10 pts

Containers Security in Docker #3 - Capabilities

It is recommended to take the lessons in order. In this topic, a series of labs is dedicated to explaining Linux capabilities and security profiles and their close relationship with containers.

Whale security tales - #11 Linux Capabilities (New)

Kernel capabilities are very closely related to containers and to security. This lesson gives you the basics of this important topic.

Bash Shell
10 pts

Whale security tales - #12 Capabilities in Containers (New)

Learn how Docker manages capabilities and how to limit them in containers.

Bash Shell
10 pts

Whale security tales - #13 Security Profiles (New)

In this lesson, you will learn about Seccomp and AppArmor security profiles and how they affect the security of your containers.

Bash Shell
10 pts

Whale security tales - #14 Game Overlay (New)

You will be immersed in a real-world attack using a vulnerability from the past. Other topics from previous container lessons will be involved in this attack.

Bash Shell
10 pts

Whale security tales - #15 Kernel Attack (New)

In this lesson, you will learn about two of the most sophisticated attacks on the Linux kernel, all carried out from a container.

Bash Shell
10 pts

Secure C++ Programming: Best Practices

Prevent the compilation of programs using unsafe functions with banned function headers.

Forbidden Functions

A banned function header prevents the compilation of programs using unsafe functions.

C++
10 pts

Time and Time Again

A side-channel timing attack reveals sensitive information.

C++
10 pts

Secure C++ Programming: Bitwise Shifts

Low-level operations with undefined results.

Shifty RSA

An RSA implementation allows for invalid bit shifts.

C++
10 pts

Secure C++ Programming: Compilers

Sensitive data leaked through insecure compiler optimizations.

Optimal Memory

A program that checks user input against a password file leaves sensitive data in memory.

C++
30 pts

Secure C++ Programming: Files

Overwriting system files through race conditions.

Race condition

An encryption program allows system files to be overwritten through a race condition.

CWE-367
C++
10 pts

Secure C++ Programming: Heap Overflows

Unsafe character arrays, null terminators, and use of GDB to examine heap memory.

Take Note!

A note-taking program copies strings to the heap unsafely.

CWE-122
C++
30 pts

Secure C++ Programming: Integer Overflows

Overflowing short integers and wraparound of unsigned integers.

Short Scores

A program to add golf scores is susceptible to overflowing.

CWE-190
C++
10 pts

Unsigned Messages

A message parsing utility uses unsafe range checks.

CWE-190
C++
20 pts

Coercive Login

Use integer coercion to log in as an admin user.

CWE-190
C++
10 pts

Secure C++ Programming: Iterators and Sequence Containers

Leaked data through unsafe iteration and unsafe access of container indices.

Go The Distance (but not too far)

A program to parse input from a file iterates unsafely, resulting in leaked data.

C++
10 pts

Pinball Wizard

A program to display high scores trusts user input, leading to multiple vulnerabilities.

C++
20 pts

Secure C++ Programming: Memory Management

Accessing freed memory when unsafe parsing keeps deallocated pointers accessible.

Use After Free

An HTML rendering engine parses input unsafely, keeping a deallocated pointer accessible.

CWE-416
C++
10 pts

Secure C++ Programming: Overreads

Buffer overruns common to parsing utilities, and the dangers of relying on side effects.

Passed Date

A date parsing and formatting utility allows for buffer over-reads.

C++
10 pts

Trivial Side Effects

A trivia program reveals sensitive data by poorly tracking player scores.

C++
10 pts

Secure C++ Programming: Stack Overflows

Unsafe string copying and incomplete string comparisons.

Triple Word Score

A Scrabble score calculator copies user input unsafely.

CWE-121, CWE-170
C++
10 pts

Secure C++ Programming: Threads

Poor use of mutex locks leads to exceptions.

Lock down the threads

Poor use of mutex locks leads to exceptions.

C++
10 pts

General Application Security: Common React Pitfalls

Vulnerabilities frequently encountered in ReactJS application development.

React string sanitization

Cause XSS through improper sanitization and poor variable handoff with React.

Node.js
10 pts

Sneaky links

Learn about a feature of HTML that can leave your React app open to XSS.

Node.js
10 pts

Dangerously set HTML links

React's dangerouslySetInnerHTML combined with markdown rendering can craft a malicious href.

Node.js
10 pts

General Application Security: Cross-Site Scripting (XSS)

Content Security Policy

CSP to prevent XSS and other code injection.

Python Django
20 pts
Node.js
20 pts

Persistent Cross-Site Scripting

Stored XSS and directory traversal via "image" uploads.

Python Django
20 pts
Node.js
20 pts

Reflected Cross-Site Scripting

Inject inline JavaScript into a Go template through JSON input.

Go
10 pts
Python Django
10 pts
Node.js
10 pts

General Application Security: User Data Privacy

An app to track users' jogging habits can benefit from improved data handling practices.

PII Storage

De-identify and limit, or do not collect, sensitive user data.

Node.js
10 pts

Access and Erasure

Let users see their stored data, delete their data, and exercise the 'right to be forgotten'.

Node.js
20 pts

Rectification

Let users supply corrections to their data.

Node.js
10 pts

Data Portability

Let users export their data in a machine-readable format.

Node.js
10 pts

Informed Consent

Let users actively choose to give consent for clear, specific data collection, as well as to opt out.

Node.js
10 pts

General Application Security: CWE-319 Cleartext Transmission of Sensitive Data

Sensitive traffic is sent over unencrypted HTTP.

See-through traffic

Sniff a user's credentials via insecure HTTP requests.

Node.js
10 pts
Go
10 pts

General Application Security: CWE-352 Cross-Site Request Forgery

Forge valid requests from authenticated users.

Forging user requests

Cause a user to take unexpected, pre-authenticated actions.

CWE-352
Python Django
10 pts
Rails
10 pts
Go
10 pts

General Application Security: CWE-601 Open Redirects

Unchecked URL redirection to untrusted sites.

The Art of Redirection

URL redirects cause users to automatically visit untrusted sites.

CWE-1345, CWE-19, CWE-601, CWE-610
Node.js
10 pts

No Going Back (Challenge)

Work around a URL redirect safety check, then provide an allowlist.

CWE-1345, CWE-19, CWE-601, CWE-610
Node.js
10 pts

General Application Security: CWE-1021 Improper Restriction of Frames

A missing response header allows the application to be loaded in an external frame.

You've been framed

A clickjacking attack tricks users into taking intended actions.

Rails
10 pts

Mobile Security

Writing more secure mobile applications.

Custom URL Handling

Explore custom URL schemes, used to allow other applications to request that your app take some action.

Kotlin
10 pts
Swift
10 pts

Secrets Storage

Explore how shared secrets can be vulnerable to attack.

Kotlin
10 pts
Swift
10 pts

Forced Browsing & API Security

Explore how a forced browsing attack can occur when a malicious actor locates unlinked contents.

Kotlin
10 pts
Swift
10 pts

Mobile Logging

Explore the role of application logging.

Kotlin
10 pts
Swift
10 pts

PCI: Broken Authentication & Session Management

Secret key management

Modify JWTs by exploiting knowledge of an insecure secret key.

Python Django
20 pts

Secure session cookies

Tamper with an insecure cookie to hijack another user's account.

Python Django
20 pts
Node.js
10 pts

Cookie hijack (Challenge)

Decrypt cookies and hijack another user account.

Node.js
10 pts

PCI: Improper Access Control

Pickling and deserialization

Access restricted content via insecure serialized input.

Python Django
10 pts

NoSQL with Mongo

View non-public posts by supplying a document query as user input.

Node.js
10 pts

Open redirects

URL redirects cause users to automatically visit untrusted sites.

Node.js
10 pts

PCI: Improper Error Handling

Debug mode in production

Verbose error messages lead to exposed sensitive data.

Python Django
10 pts
Node.js
10 pts

Stack Trace (Challenge)

Use revealing errors to gain admin permissions.

Python Django
10 pts

PCI: Injection Flaws

SQL injection

Use SQL injection to give yourself superuser privileges.

Python Django
10 pts
Go
10 pts
Node.js
10 pts

Parameterize queries

Defend against injection attacks by using safe database lookups.

Python Django
10 pts
Go
10 pts
Node.js
10 pts

Bobby Tables SQLi (Challenge)

Use SQLi to return sensitive data, then properly parameterize queries to avoid injection attacks.

Python Django
10 pts
Go
10 pts
Node.js
10 pts

PCI: Insecure Cryptographic Storage

Storing password hashes

Encrypting data to store sensitive information securely.

Python Django
10 pts
Node.js
10 pts

Terrible Password (Challenge)

SQLi and poor hashing lead to exposed passwords.

Node.js
10 pts

PCI: Other High-Risk Vulnerabilities

Outdated third-party dependencies

Keep tabs on outdated packages with known security weaknesses.

Python Django
10 pts
Node.js
10 pts

Bash Terminal Usage: Beginner

Navigate around system files and folders using the bash shell.

Introduction to Bash 1

Shell commands to navigate around directories and modify files.

Bash Shell
10 pts

Introduction to Bash 2

Navigate files and folders more efficiently, and search for file contents.

Bash Shell
10 pts

Introduction to Bash 3

Preview the contents of files; create new folders and move files around.

Bash Shell
10 pts

Bash Terminal Usage: Intermediate

Additional bash skills: text editing, scripting, and additional command line tools.

Encrypting, encoding and hashing

Common encoding patterns, cryptographic techniques, and command line tools.

Bash Shell
10 pts

Introduction to bash scripting

Automate tasks by writing and running basic scripts in bash.

Bash Shell
10 pts

Nano for text editing

Use Nano, a basic text editor, for creating and editing files.

Bash Shell
10 pts

DjanGoat

A vulnerable Django application for OWASP Top 10 practice challenges.

Sensitive Data Exposure (Challenge)

A challenge focused on exposing sensitive data through poor security practices.

Python Django
10 pts

Cleartext Storage (Challenge)

A challenge focused on storing sensitive data in an unencrypted, readable format.

Python Django
10 pts

Missing Function Level Access Control (Challenge)

A challenge focused on exploiting the lack of proper function-level access controls, allowing unauthorized users to access or perform restricted actions.

Python Django
10 pts

DOM XSS (Challenge)

A challenge focused on exploiting DOM-based XSS vulnerabilities.

Python Django
10 pts

Insecure Direct Object Reference (Challenge)

A challenge focused on exploiting Insecure Direct Object References (IDOR) vulnerabilities.

Python Django
10 pts

SQL Injection Interpolation (Challenge)

A challenge focused on exploiting SQL injection vulnerabilities.

Python Django
10 pts

SQL Injection Concatenation (Challenge)

A challenge focused on exploiting SQL injection vulnerabilities.

Python Django
10 pts

Stored XSS (Challenge)

A challenge centered on exploiting XSS vulnerabilities.

Python Django
10 pts

Command Injection (Challenge)

A challenge on exploiting OS command injection vulnerabilities.

Python Django
10 pts

Credential Enumeration (Challenge)

A challenge focused on identifying weak or exposed credentials.

Python Django
10 pts

Forensics

Work with disk images and investigate the contents of system files.

Creating a disk image

Learn how to acquire a disk image using the forensic tool dc3dd.

Forensics
10 pts

Metadata with ExifTool

View and modify the metadata associated with multimedia files.

Forensics
10 pts

Working with a disk image

Hard disk image analysis with The Sleuth Kit (TSK), a standard forensic tool.

Forensics
10 pts

Analyzing log files

Uncover evidence of an attack by analyzing a system's logs.

Forensics
20 pts

Juice Shop

Very vulnerable MEAN web app full of practice challenges.

Error Handling (Challenge)

Provoke an error that is not very gracefully handled.

Node.js
10 pts

Login Bypass (Challenge)

Log in with other users' accounts via SQL injection.

Node.js
20 pts

Credentials Dump (Challenge)

Retrieve a list of all user credentials via SQL injection.

Node.js
10 pts

XSS Levels (Challenge)

Reflected and persistent XSS attacks of increasing difficulty.

Node.js
30 pts

File Uploads (Challenge)

Improper input validation in user file uploads.

Node.js
10 pts

Hidden Pages (Challenge)

Find carefully hidden pages.

Node.js
10 pts

Confidential Documents (Challenge)

Access unprotected confidential documents.

Node.js
30 pts

Open Redirects (Challenge)

Redirect from the Juice Shop to external untrusted sites.

Node.js
20 pts

Account Hijack (Challenge)

Access and modify another user's shopping cart.

Node.js
20 pts