Security Labs course catalog
You can use this interactive catalog to browse the current Security Labs courses. For the latest updates on these courses, see Training updates.
Learners can only access lessons that are assigned to them and the assigned lessons must be associated with an active campaign. To grant learners access to all major core lessons, an administrator can assign the All core labs focus without entering an end date.
Lessons are tagged with related Common Weakness Enumerations (CWEs) based on the MITRE framework. The CWEs listed indicate the related Pillar, Class, Base, and Variant CWEs for each lesson. If a CWE also has an assigned Likelihood of Exploit metric value, this value appears next to the CWE for the associated lesson with information about the vulnerability severity and prevalence.
Security Labs – Getting Started
Welcome to Security Labs! This topic helps you become familiar with the lab environment, so you can successfully find and remediate vulnerabilities while taking lessons.
Lesson Zero
Explore the Security Labs environment and learn how to use lesson step features.
OWASP 1: Broken Access Control
Access control failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
To Protect and To Serve Secure Cookies
Tamper with an insecure cookie for privilege escalation.
Fix the Sessions
Tamper with user sessions to authenticate as a different user.
Bad Cookie (Challenge)
Decrypt cookies and hijack another user account.
Loose Lips Sink Servers
Leaking sensitive information can lead to account and server compromises.
Secrets in the Log
While testing a new application, developers might write sensitive information to a log file, or log analyzer, which should not be included in a production system. It is critical that developers ensure no sensitive information is included in data that a malicious actor might be able to access, in either development or production systems.
Redirect Rodeo
Protect users by implementing secure redirect practices.
Forging User Requests
Cause a user to take unexpected, pre-authenticated actions.
OWASP 2: Cryptographic Failures
Failures related to cryptography (or lack thereof) often lead to exposure of sensitive data.
Bugs in Debug
Verbose error messages lead to exposed sensitive data.
Helpful Stack Trace (Challenge)
Provoke an error that reveals sensitive info, leading to privilege escalation.
Secret Logging (Challenge)
Force an application to throw an error and leak sensitive data in a stack trace.
Insufficient Entropy
Insufficient Entropy is a security vulnerability in which an application fails to generate cryptographic keys or tokens with adequate randomness.
OWASP 3: Injection
Exploiting and preventing SQL injection attacks that access sensitive data. Reflected and persistent cross-site scripting attacks. Content Security Policy.
Own the Database
Practice injection on a web app that uses a SQL database to retrieve data.
Parameterize all the things
Defend against injection using an app that returns data from a SQL-based database.
Timing is everything (Challenge)
Indirectly reveal sensitive data using SQL 'sleep' commands.
Bobby Tables (Challenge)
Use SQLi to return sensitive data, then properly parameterize queries to avoid injection attacks.
Can you see your reflection?
Practice exploiting simple cross-site scripting vulnerabilities to deliver JavaScript payloads.
Down with Uploads
Insufficient validation of user uploads can lead to stored XSS or directory traversal attacks.
Alert (Challenge)
Exploit a non-persistent XSS vulnerability in a poorly protected app.
Persistence (Challenge)
Exploit directory traversal and persistent XSS vulnerabilities in a poorly protected app.
Reflected XSS and input formatting
Cross-site scripting vulnerabilities with HTML input validation
Stored XSS versus CSP
Defense in depth using CSP against XSS attacks.
Check your sources
Content Security Policy to prevent XSS and other code injection.
Angular HTML and URL sanitization
Cause XSS through improper sanitization and poor variable handoff with Angular.
Angular ERB sanitization
Cause XSS through improper sanitization and poor variable handoff with Angular.
OWASP 4: Insecure Design
Failing to initially think about and address security vulnerabilities at the design phase can lead to vulnerabilities and defects.
Making Secure Decisions
Insecure design decisions can lead to vulnerabilities at every level of an application.
Valid Deficit
CWE-1173 occurs when an application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.
OWASP 5: Security Misconfiguration
Generating and storing secret keys securely.
Jot down this key
Modify JWTs by exploiting knowledge of an insecure secret key.
Bulky Updates
Access hidden attributes to take unauthorized actions.
Can you keep a secret?
Generate a working session token for another user by exploiting knowledge of an insecure secret key.
Secret Admin (Challenge)
Escalate JWT user privileges by exploiting knowledge of an insecure secret key.
eXternal Entity (injection)
Unsafe entity parsing reveals the contents of server files.
XML is always a... (Challenge)
Get access to sensitive data by injecting custom XML.
External Resolution (Challenge)
Retrieve a system file by injecting custom XML, then defend against XXE.
OWASP 6: Vulnerable and Outdated Components
Keep tabs on outdated dependencies with known security weaknesses.
Suspicious Packages
Find and exploit vulnerabilities in outdated packages.
Outdated Dependencies (Challenge)
Find and upgrade an outdated, vulnerable dependency.
OWASP 7: Identification and Authentication Failures
Enforcing user password requirements and properly encrypting passwords.
Really, really bad passwords
Enforce server-side password requirements and hash passwords securely.
Hash it, store it, salt - upgrade it
Encrypting user passwords securely.
Authentication Bypass
"Force browse" to an unprotected page to discover confidential information.
Terrible Password (Challenge)
SQLi and poor password hashing lead to exposed user accounts.
OWASP 8: Software and Data Integrity Failures
It is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now a part of this larger category.
Sleeping With the Enemy
Investigate the integrity of a useful third-party library.
In a Pickle
Data serialization leads to dangerous user-provided payloads.
Deserialization (Challenge)
Use pickling to reveal the code of the underlying application.
Mongo: like SQL, but messier
View non-public posts by supplying a document query as user input.
Tell Mongo "no-go" for untrusted code
Defend against NoSQL IDOR on a NodeJS app that uses MongoDB to store and retrieve data.
User-Provided Users
Exposed, unhashed user IDs are modifiable by users.
Prototype Protection Agency
Lax or missing input validation can lead to data corruption.
OWASP 9: Security Logging and Monitoring Failures
Rate-limit sensitive actions and block attacks as they happen.
Slow Down
Brute force a user's password on a non-rate-limited login page.
Brute Force (Challenge)
Brute force a user's password on a non-rate-limited login page.
Hold the Line
Learn how attackers use CRLF injection to flood log files with false events and how to remediate a CRLF vulnerability.
OWASP 10: Server-Side Request Forgery
SSRF flaws can occur when a web application fetches a remote resource without validating the user-supplied URL.
Get there from here
Retrieve data from an internal server, that should not be publicly accessible.
Beyond OWASP Top 10: Other Web App Risks
This module contains the CWEs, vulnerabilities, and flaws that don't quite fit into the OWASP Top 10 categories.
Do You Remember?
Memory management might seem like a problem from the distant past, but it can still cause issues if not implemented properly.
Know Your Limits
Resource limits can be exceeded when either hard limitations, or software settings have been reached. CWE-404 describes Improper Resource Shutdown or Release weaknesses that should be avoided.
OWASP API 1: Broken Object Level Authorization
APIs can expose endpoints that handle object identifiers. Checks should be considered in every function that accesses a data source using input from the user.
One ID to Access All Objects
Typical API endpoints can give access to a resource by ID. If not handled correctly, the ID can be used to access other resources.
Stronger IDs
Weak identifiers can be guessed, leaked, or stolen. To increase security and avoid creating easy-to-guess identifiers, you should assign random and unpredictable identifiers to your objects.
OWASP API 2: Broken Authentication
Authentication and password reset mechanisms should be securely protected, as they are critical assets vulnerable to attacks.
Really, really bad passwords
Enforce server-side password requirements and hash passwords securely.
Terrible Password (Challenge)
Crack a SHA512 password using a rainbow table attack.
Slow Down
Bruteforce a user's password on a non-rate-limited login API.
Brute Force (Challenge)
Crack a more complicated password with brute-force.
OWASP API 3: Broken Object Property Level Authorization
Ensure proper authorization checks are in place to validate that users can access only the specific object properties they are permitted to.
Bugs in Debug
Verbose error messages lead to exposed sensitive data.
Revealing Schemas
Based on a real life history, learn in this lesson how an API can be exploited by using just the response payloads.
Bad Design Compromises Security
At first glance one would think that design has nothing to do with security. This is not so, in this lesson you will see an example of how a bad design impacts security.
OWASP API 4: Unrestricted Resource Consumption
API resource consumption, including external services like email, SMS, and biometrics validation, should be carefully managed to prevent abuse and excessive costs.
Denial of Service
Don't let attackers drain your computational resources, be prepared with this lesson in which you will learn about Denial of Service and how to avoid it.
OWASP API 5: Broken Function Level Authorization
Identify broken function-level authorization issues, thoroughly analyze the authorization mechanism, considering user roles, hierarchy, and access controls.
Neglected endpoints
Having an inventory of all API endpoints is crucial for management, good design and security. Attackers will find a way to discover neglected endpoints if you do not protect them all. Discover in this lesson how an innocent error with no security integration tests involved could compromise your API data.
OWASP API 6: Unrestricted Access to Sensitive Business Flows
Unrestricted access to certain business flows can pose significant risks, such as exploitation or abuse. This can lead to issues like scalping, spamming, or service denial.
The Great Referral Quest
Unrestricted access allows malicious users to exploit referral programs, leading to fraudulent account creations and unauthorized rewards
OWASP API 7: Server-Side Request Forgery [SSRF]
Retrieve data from an internal server, that should not be publicly accessible.
Retrieval Without Validation
The API endpoint included with this lesson allows a user to access content from the Veracode website. When used as expected, the user can specify which subdomain of veracode.com they wish to view.
OWASP API 8: Security Misconfiguration
APIs are vulnerable if security hardening, proper configurations, up-to-date patches, and essential features like TLS, CORS, and error handling are missing or misconfigured.
Jot down this key
Modify JWTs by exploiting knowledge of an insecure secret key.
Secret Admin (Challenge)
Escalate JWT user privileges by exploiting knowledge of an insecure secret key.
eXternal Entity (injection)
Unsafe entity parsing reveals the contents of server files.
XML is always a (Challenge)
Get access to sensitive data by injecting custom XML.
OWASP API 9: Improper Inventory Management
Organizations must ensure visibility and control over their APIs and data sharing with third parties to mitigate risks.
Unprotected Deployments
Hack an API in production by exploiting poor security of the same API in a testing deployment.
OWASP API 10: Unsafe Consumption of APIs
Use of APIs without proper security measures, potentially exposing systems to vulnerabilities and data breaches.
Gift Cards at Risk
The API endpoint included with this lesson allows a user to buy gift cards of different brands. The links to redeem these gift cards are generated by a third-party API that has been compromised.
More OWASP Vulnerabilities for APIs
An overview of lessons learned from past OWASP Top 10 vulnerabilities, addressing gaps in the new list and emphasizing key security insights to strengthen API protection and reduce risks.
Own the database
Practice SQL injection on an application that uses SQL to retrieve data.
Parameterize all the things
Defend against SQL injection using an app that returns data from a SQL database.
Bobby Tables (Challenge)
Use SQL injection to return sensitive data, then properly parameterize queries to avoid injection attacks.
The Importance of Logging and Monitoring
Recognize the importance of logging to discover attacks in your API.
Logging in the API Infrastructure
Recognize the importance of logging to discover attacks in your API.
Containers Security in Docker #1 - Users
It is recommended to take the lessons in order. Welcome to Whale Security Tales. This is a series of lessons on container security. It is focused on Docker, but the content is applicable to various technologies where containers are involved, such as Podman or Kubernetes. In this module, you will learn about users and groups in containers and their relationship to host users and groups. This is one of the most common sources of container attacks.
Whale security tales - #1 Cloning users
In this lesson, you will explore the relationship between users in the host and users in the containers, and how this relationship affects container security.
Whale security tales - #2 Cloning groups
In this lesson, you will see why it is so important to set up not only a non-root user, but also a non-root group in your containers.
Whale security tales - #3 User namespaces
How do you control the relationship between users and groups in the host and those in the container? The answer is in this lesson.
Whale security tales - #4 Privilege escalation
You will know Orca, the enemy that wants to escalate privileges in your container.
Containers Security in Docker #2 - Virtualization
It is recommended to take the lessons in order. The most critical part of container security has to do with Linux namespaces. This technology is what makes containerization easy and flexible. Understanding this topic will give you a solid foundation for the rest of the course.
Whale security tales - #5 UTS namespaces
You will continue your journey through Linux namespaces with the simplest, but often forgotten, namespace.
Whale security tales - #6 Mount namespaces
This namespace is not simple, but this topic will help you to understand more complicated attacks in containers.
Whale security tales - #7 Attack on Beluga
Orca is ready to attack your container with a simple but very common attack. But do not worry, you will get useful security advice for your containers.
Whale security tales - #8 PID namespaces
The --pid flag is used a lot in containers, but you'll see in this lesson that it's not as secure as you might think.
Whale security tales - #9 Unmasking Docker
What is behind Docker, Kubernetes, and other container-related technologies? Find out in this lesson.
Whale security tales - #10 Runtime attack
This attack will probably convince you and remove any doubts you may have had.
Containers Security in Docker #3 - Capabilities
It is recommended to take the lessons in order. In this topic, a series of labs will be dedicated to explain the capabilities and security profiles of Linux and its close relationship with containers.
Whale security tales - #11 Linux Capabilities New
Kernel capabilities are very closely related to containers and very closely related to security. You will have in this lesson the basis of this important topic.
Whale security tales - #12 Capabilities in Containers New
Learn how Docker manages capabilities and how to limit them in containers.
Whale security tales - #13 Security Profiles New
In this lesson, you will learn about Seccomp and AppArmor security profiles and how they affect the security of your containers.
Whale security tales - #14 Game Overlay New
You will be immersed in a real-world attack using a vulnerability from the past. Other topics from previous container lessons will be involved in this attack.
Whale security tales - #15 Kernel Attack New
In this lesson, you will learn two of the most sophisticated attacks on the Linux kernel, all done from a container.
Secure C++ Programming: Best Practices
Prevent the compilation of programs using unsafe functions with banned function headers.
Forbidden Functions
A banned function header prevents the compilation of programs using unsafe functions.
Time and Time Again
A side-channel timing attack reveals sensitive information.
Secure C++ Programming: Bitwise Shifts
Low-level operations with undefined results.
Shifty RSA
An RSA implementation allows for invalid bit shifts.
Secure C++ Programming: Compilers
Sensitive data leaked through insecure compiler optimizations.
Optimal Memory
A program that checks user input against a password file leaves sensitive data in memory.
Secure C++ Programming: Files
Overwriting system files through race conditions.
Race condition
An encryption program allows system files to be overwritten through a race condition.
Secure C++ Programming: Heap Overflows
Unsafe character arrays, null terminators, and use of GDB to examine heap memory.
Take Note!
A note-taking program copies strings to the heap unsafely.
Secure C++ Programming: Integer Overflows
Overflowing short integers and wraparound of unsigned integers.
Short Scores
A program to add golf scores is susceptible to overflowing.
Unsigned Messages
A message parsing utility uses unsafe range checks.
Coercive Login
Use integer coercion to log in as an admin user.
Secure C++ Programming: Iterators and Sequence Containers
Leaked data through unsafe iteration and unsafe access of container indices.
Go The Distance (but not too far)
A program to parse input from a file iterates unsafely, resulting in leaked data.
Pinball Wizard
A program to display high scores trusts user input, leading to multiple vulnerabilities.
Secure C++ Programming: Memory Management
Accessing freed memory when unsafe parsing keeps deallocated pointers accessible.
Use After Free
An HTML rendering engine parses input unsafely, keeping a deallocated pointer accessible.
Secure C++ Programming: Overreads
Buffer overruns common to parsing utilities, and the dangers of relying on side effects.
Passed Date
A date parsing and formatting utility allows for buffer over-reads.
Trivial Side Effects
A trivia program reveals sensitive data by poorly tracking player scores.
Secure C++ Programming: Stack Overflows
Unsafe string copying and incomplete string comparisons.
Triple Word Score
A Scrabble score calculator copies user input unsafely.
Secure C++ Programming: Threads
Poor use of mutex locks leads to exceptions.
Lock down the threads
Poor use of mutex locks leads to exceptions.
General Application Security: Common React Pitfalls
Vulnerabilities frequently encountered in ReactJS application development.
React string sanitization
Cause XSS through improper sanitization and poor variable handoff with React.
Sneaky links
Learn about a feature of HTML that can leave your React app open to XSS.
Dangerously set HTML links
React's dangerouslySetInnerHtml and markdown rendering craft a malicious href.
General Application Security: Cross-Site Scripting (XSS)
Content Security Policy
CSP to prevent XSS and other code injection.
Persistent Cross-Site Scripting
Stored XSS and directory traversal via "image" uploads.
Reflected Cross-Site Scripting
Inject inline JavaScript into a Go template through JSON input.
General Application Security: User Data Privacy
An app to track users' jogging habits can benefit from improved data handling practices.
PII Storage
De-identify and limit or do not collect sensitive user data
Access and Erasure
Let users see their stored data, delete their data, and have the 'right to be forgotten'
Rectification
Let users supply corrections to their data
Data Portability
Let users export their data in a machine-readable format
Informed Consent
Let users actively choose to give consent for clear, specific data collection, as well as opting out
General Application Security: CWE-319 Cleartext Transmission of Sensitive Data
Sensitive traffic is sent over unencrypted HTTP.
See-through traffic
Sniff a user's credentials via insecure HTTP requests.
General Application Security: CWE-352 Cross-Site Request Forgery
Forge valid requests from authenticated users.
Forging user requests
Cause a user to take unexpected, pre-authenticated actions.
General Application Security: CWE-601 Open Redirects
Unchecked URL redirection to untrusted sites.
The Art of Redirection
URL redirects cause users to automatically visit untrusted sites.
No Going Back (Challenge)
Work around a URL redirect safety check, then provide an allowlist.
General Application Security: CWE-1021 Improper Restriction of Frames
A lack of response header allows the application to load in an external frame.
You've been framed
A clickjacking attack tricks users into taking intended actions.
Mobile Security
Writing more secure mobile applications.
Custom URL Handling
Explore custom URL schemes, used to allow other applications to request that your app take some action.
Secrets Storage
Explore how shared secrets can be vulnerable to attack.
Forced Browsing & API Security
Explore how a forced browsing attack can occur when a malicious actor locates unlinked contents.
Mobile Logging
Explore the role of application logging.
PCI: Broken Authentication & Session Management
Secret key management
Modify JWTs by exploiting knowledge of an insecure secret key.
Secure session cookies
Tamper with an insecure cookie to hijack another user's account.
Cookie hijack (Challenge)
Decrypt cookies and hijack another user account.
PCI: Improper Access Control
Pickling and deserialization
Access restricted content via insecure serialized input.
NoSQL with Mongo
View non-public posts by supplying a document query as user input.
Open redirects
URL redirects cause users to automatically visit untrusted sites.
PCI: Improper Error Handling
Debug mode in production
Verbose error messages lead to exposed sensitive data.
Stack Trace (Challenge)
Use revealing errors to gain admin permissions.
PCI: Injection Flaws
SQL injection
Use SQL injection to give yourself superuser privileges.
Parameterize queries
Defend against injection attacks by using safe database lookups.
Bobby Tables SQLi (Challenge)
Use SQLi to return sensitive data, then properly parameterize queries to avoid injection attacks.
PCI: Insecure Cryptographic Storage
Storing password hashes
Encrypting data to store sensitive information securely.
Terrible Password (Challenge)
SQLi and poor hashing lead to exposed passwords.
PCI: Other High-Risk Vulnerabilities
Outdated third-party dependencies
Keep tabs on outdated packages with known security weaknesses.
Bash Terminal Usage: Beginner
Navigate around system file and folders using the bash shell.
Introduction to Bash 1
Shell commands to navigate around directories and modify files.
Introduction to Bash 2
Navigate files and folders more efficiently, and search for file contents.
Introduction to Bash 3
Preview the contents of files; create new folders and move files around.
Bash Terminal Usage: Intermediate
Additional bash skills: text editing, scripting, and additional command line tools.
Encrypting, encoding and hashing
Common encoding patterns, cryptographic techniques, and command line tools.
Introduction to bash scripting
Automate tasks by writing and running basic scripts in bash.
Nano for text editing
Use Nano, a basic text editor, for creating and editing files.
DjanGoat
A vulnerable Django application for OWASP Top 10 practice challenges.
Sensitive Data Exposure (Challenge)
A challenge focused on exposing sensitive data through poor security practices.
Cleartext Storage (Challenge)
A challenge focused on storing sensitive data in an unencrypted, readable format.
Missing Function Level Access Control (Challenge)
A challenge focused on exploiting the lack of proper function-level access controls, allowing unauthorized users to access or perform restricted actions.
DOM XSS (Challenge)
A challenge focused on exploiting DOM-based XSS vulnerabilities.
Insecure Direct Object Reference (Challenge)
A challenge focused on exploiting Insecure Direct Object References (IDOR) vulnerabilities.
SQL Injection Interpolation (Challenge)
A challenge focused on exploiting SQL injection vulnerabilities.
SQL Injection Concatenation (Challenge)
A challenge focused on exploiting SQL injection vulnerabilities.
Stored XSS (Challenge)
A challenge centered on exploiting XSS vulnerabilities.
Command Injection (Challenge)
A challenge on exploiting OS command injection vulnerabilities.
Credential Enumeration (Challenge)
A challenge focused on identifying weak or exposed credentials.
Forensics
Work with disk images and investigate the contents of system files.
Creating a disk image
Learn how to acquire a disk image using the forensic tool dc3dd.
Metadata with ExifTool
View and modify the metadata associated with multimedia files.
Working with a disk image
Hard disk image analysis with the sleuthkit (TSK), a standard forensic tool.
Analyzing log files
Uncover evidence of an attack by analyzing a system's logs.
Juice Shop
Very vulnerable MEAN web app full of practice challenges.
Error Handling (Challenge)
Provoke an error that is not very gracefully handled.
Login Bypass (Challenge)
Log in with other users' accounts via SQL injection.
Credentials Dump (Challenge)
Retrieve a list of all user credentials via SQL injection.
XSS Levels (Challenge)
Reflected and persistent XSS attacks of increasing difficulty.
File Uploads (Challenge)
Improper input validation in user file uploads.
Hidden Pages (Challenge)
Find carefully hidden pages.
Confidential Documents (Challenge)
Access unprotected confidential documents.
Open Redirects (Challenge)
Redirect from the Juice Shop to external untrusted sites.
Account Hijack (Challenge)
Access and modify another user's shopping cart.