BurpSuite Labs

SQL injection

Solution	SQL injection	level	link	Solved
sqli-1	SQL injection	Apprentice	SQL injection vulnerability in WHERE clause allowing retrieval of hidden data	Solved
sqli-2	SQL injection	Apprentice	SQL injection vulnerability allowing login bypass	Solved
sqli-3	SQL injection	Practitioner	SQL injection UNION attack, determining the number of columns returned by the query	Solved
sqli-4	SQL injection	Practitioner	SQL injection UNION attack, finding a column containing text	Solved
sqli-5	SQL injection	Practitioner	SQL injection UNION attack, retrieving data from other tables	Solved
sqli-6	SQL injection	Practitioner	SQL injection UNION attack, retrieving multiple values in a single column	Solved
	SQL injection	Practitioner	SQL injection attack, querying the database type and version on Oracle	Not solved
	SQL injection	Practitioner	SQL injection attack, querying the database type and version on MySQL and Microsoft	Not solved
	SQL injection	Practitioner	SQL injection attack, listing the database contents on non-Oracle databases	Not solved
	SQL injection	Practitioner	SQL injection attack, listing the database contents on Oracle	Not solved
	SQL injection	Practitioner	Blind SQL injection with conditional responses	Not solved
	SQL injection	Practitioner	Blind SQL injection with conditional errors	Not solved
	SQL injection	Practitioner	Blind SQL injection with time delays	Not solved
	SQL injection	Practitioner	Blind SQL injection with time delays and information retrieval	Not solved
	SQL injection	Practitioner	Blind SQL injection with out-of-band interaction	Not solved
	SQL injection	Practitioner	Blind SQL injection with out-of-band data exfiltration	Not solved
	SQL injection	Practitioner	SQL injection with filter bypass via XML encoding	Not solved

Cross-site scripting

Solution	level	link	Solved	Solution
xss-1	Cross-site scripting	Apprentice	Reflected XSS into HTML context with nothing encoded	Solved
xss-2	Cross-site scripting	Apprentice	Stored XSS into HTML context with nothing encoded	Solved
xss-3	Cross-site scripting	Apprentice	DOM XSS in `document.write` sink using source `location.search`	Solved
xss-4	Cross-site scripting	Apprentice	DOM XSS in `innerHTML` sink using source `location.search`	Solved
xss-5	Cross-site scripting	Apprentice	DOM XSS in jQuery anchor `href` attribute sink using `location.search` source	Solved
xss-6	Cross-site scripting	Apprentice	DOM XSS in jQuery selector sink using a hashchange event	Solved
	Cross-site scripting	Apprentice	Reflected XSS into attribute with angle brackets HTML-encoded	Not solved
	Cross-site scripting	Apprentice	Stored XSS into anchor `href` attribute with double quotes HTML-encoded	Not solved
	Cross-site scripting	Apprentice	Reflected XSS into a JavaScript string with angle brackets HTML encoded	Not solved
	Cross-site scripting	(burpsuite-xss.md)	Practitioner	DOM XSS in `document.write` sink using source `location.search` inside a select element	Not solved
	Cross-site scripting	Practitioner	DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded	Not solved
	Cross-site scripting	Practitioner	Reflected DOM XSS	Not solved
	Cross-site scripting	Practitioner	Stored DOM XSS	Not solved
	Cross-site scripting	Practitioner	Exploiting cross-site scripting to steal cookies	Not solved
	Cross-site scripting	Practitioner	Exploiting cross-site scripting to capture passwords	Not solved
	Cross-site scripting	Practitioner	Exploiting XSS to perform CSRF	Not solved
	Cross-site scripting	Practitioner	Reflected XSS into HTML context with most tags and attributes blocked	Not solved
	Cross-site scripting	Practitioner	Reflected XSS into HTML context with all tags blocked except custom ones	Not solved
	Cross-site scripting	Practitioner	Reflected XSS with some SVG markup allowed	Not solved
	Cross-site scripting	Practitioner	Reflected XSS in canonical link tag	Not solved
	Cross-site scripting	Practitioner	Reflected XSS into a JavaScript string with single quote and backslash escaped	Not solved
	Cross-site scripting	Practitioner	Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped	Not solved
	Cross-site scripting	Practitioner	Stored XSS into `onclick` event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped	Not solved
	Cross-site scripting	Practitioner	Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped	Not solved
	Cross-site scripting	Expert	Reflected XSS with event handlers and `href` attributes blocked	Not solved
	Cross-site scripting	Expert	Reflected XSS in a JavaScript URL with some characters blocked	Not solved
	Cross-site scripting	Expert	Reflected XSS with AngularJS sandbox escape without strings	Not solved
	Cross-site scripting	Expert	Reflected XSS with AngularJS sandbox escape and CSP	Not solved
	Cross-site scripting	Expert	Reflected XSS protected by very strict CSP, with dangling markup attack	Not solved
	Cross-site scripting	Expert	Reflected XSS protected by CSP, with CSP bypass	Not solved

Cross-Site Request Forgery

Cross-site Request Forgery	level	link	Solved
Cross-site Request Forgery	Apprentice	CSRF vulnerability with no defenses	Not solved
Cross-site Request Forgery	Practitioner	CSRF where token validation depends on request method	Not solved
Cross-site Request Forgery	Practitioner	CSRF where token validation depends on token being present	Not solved
Cross-site Request Forgery	Practitioner	CSRF where token is not tied to user session	Not solved
Cross-site Request Forgery	Practitioner	CSRF where token is tied to non-session cookie	Not solved
Cross-site Request Forgery	Practitioner	CSRF where token is duplicated in cookie	Not solved
Cross-site Request Forgery	Practitioner	SameSite Lax bypass via method override	Not solved
Cross-site Request Forgery	Practitioner	SameSite Strict bypass via client-side redirect	Not solved
Cross-site Request Forgery	Practitioner	SameSite Strict bypass via sibling domain	Not solved
Cross-site Request Forgery	Practitioner	SameSite Lax bypass via cookie refresh	Not solved
Cross-site Request Forgery	Practitioner	CSRF where Referer validation depends on header being present	Not solved
Cross-site Request Forgery	Practitioner	CSRF with broken Referer validation	Not solved

Clickjacking

Clikjacking	level	link	Solved
Clikjacking	Apprentice	Basic clickjacking with CSRF token protection	Not solved
Clikjacking	Apprentice	Clickjacking with form input data prefilled from a URL parameter	Not solved
Clikjacking	Apprentice	Clickjacking with a frame buster script	Not solved
Clikjacking	Practitioner	Exploiting clickjacking vulnerability to trigger DOM-based XSS	Not solved
Clikjacking	Practitioner	Multistep clickjacking	Not solved

DOM-based vulnerabilities

DOM-based vulnerabilities	level	link	Solved
DOM-based vulnerabilities	Practitioner	DOM XSS using web messages	Not solved
DOM-based vulnerabilities	Practitioner	DOM XSS using web messages and a JavaScript URL	Not solved
DOM-based vulnerabilities	Practitioner	DOM XSS using web messages and `JSON.parse`	Not solved
DOM-based vulnerabilities	Practitioner	DOM-based open redirection	Not solved
DOM-based vulnerabilities	Practitioner	DOM-based cookie manipulation	Not solved
DOM-based vulnerabilities	Expert	Exploiting DOM clobbering to enable XSS	Not solved
DOM-based vulnerabilities	Expert	Clobbering DOM attributes to bypass HTML filters	Not solved

Cross-origin resource sharing	level	link	Solved
Cross-origin resource sharing	Apprentice	CORS vulnerability with basic origin reflection	Not solved
Cross-origin resource sharing	Apprentice	CORS vulnerability with trusted null origin	Not solved
Cross-origin resource sharing	Practitioner	CORS vulnerability with trusted insecure protocols	Not solved
Cross-origin resource sharing	Expert	CORS vulnerability with internal network pivot attack	Not solved

XML external entity

XML external entity	level	link	Solved
xxe-1	Apprentice	Exploiting XXE using external entities to retrieve files	Solved
xxe-2	Apprentice	Exploiting XXE to perform SSRF attacks	Solved
xxe-3	Practitioner	Blind XXE with out-of-band interaction	Solved
xxe-4	Practitioner	Blind XXE with out-of-band interaction via XML parameter entities	Solved
xxe-5	Practitioner	Exploiting blind XXE to exfiltrate data using a malicious external DTD	Solved
xxe-6	Practitioner	Exploiting blind XXE to retrieve data via error messages	Solved
xxe-7	Practitioner	Exploiting XInclude to retrieve files	Solved
xxe-8	Practitioner	Exploiting XXE via image file upload	Solved
xxe-9	Expert	Exploiting XXE to retrieve data by repurposing a local DTD	Solved

Server-side request forgery

	Server-side request forgery	level	link	Solved
ssrf-1	Server-side request forgery	Apprentice	Basic SSRF against the local server	Solved
ssrf-2	Server-side request forgery	Apprentice	Basic SSRF against another back-end system	Solved
ssrf-3	Server-side request forgery	Practitioner	SSRF with blacklist-based input filter	Solved
ssrf-4	Server-side request forgery	Practitioner	SSRF with filter bypass via open redirection vulnerability	Not solved
	Server-side request forgery	Practitioner	Blind SSRF with out-of-band detection	Not solved
	Server-side request forgery	Expert	SSRF with whitelist-based input filter	Not solved
	Server-side request forgery	Expert	Blind SSRF with Shellshock exploitation	Not solved

HTTP request smuggling

HTTP request smuggling	level	link	Solved
HTTP request smuggling	Practitioner	HTTP request smuggling, basic CL.TE vulnerability	Not solved
HTTP request smuggling	Practitioner	HTTP request smuggling, basic TE.CL vulnerability	Not solved
HTTP request smuggling	Practitioner	HTTP request smuggling, obfuscating the TE header	Not solved
HTTP request smuggling	Practitioner	HTTP request smuggling, confirming a CL.TE vulnerability via differential responses	Not solved
HTTP request smuggling	Practitioner	HTTP request smuggling, confirming a TE.CL vulnerability via differential responses	Not solved
HTTP request smuggling	Practitioner	Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability	Not solved
HTTP request smuggling	Practitioner	Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability	Not solved
HTTP request smuggling	Practitioner	Exploiting HTTP request smuggling to reveal front-end request rewriting	Not solved
HTTP request smuggling	Practitioner	Exploiting HTTP request smuggling to capture other users' requests	Not solved
HTTP request smuggling	Practitioner	Exploiting HTTP request smuggling to deliver reflected XSS	Not solved
HTTP request smuggling	Practitioner	Response queue poisoning via H2.TE request smuggling	Not solved
HTTP request smuggling	Practitioner	H2.CL request smuggling	Not solved
HTTP request smuggling	Practitioner	HTTP/2 request smuggling via CRLF injection	Not solved
HTTP request smuggling	Practitioner	HTTP/2 request splitting via CRLF injection	Not solved
HTTP request smuggling	Practitioner	CL.0 request smuggling	Not solved
HTTP request smuggling	Expert	Exploiting HTTP request smuggling to perform web cache poisoning	Not solved
HTTP request smuggling	Expert	Exploiting HTTP request smuggling to perform web cache deception	Not solved
HTTP request smuggling	Expert	Bypassing access controls via HTTP/2 request tunnelling	Not solved
HTTP request smuggling	Expert	Web cache poisoning via HTTP/2 request tunnelling	Not solved
HTTP request smuggling	Expert	Client-side desync	Not solved
HTTP request smuggling	Expert	Browser cache poisoning via client-side desync	Not solved
HTTP request smuggling	Expert	Server-side pause-based request smuggling	Not solved

OS command injection

OS command injection	level	link	Solved
OS command injection	Apprentice	OS command injection, simple case	Not solved
OS command injection	Practitioner	Blind OS command injection with time delays	Not solved
OS command injection	Practitioner	Blind OS command injection with output redirection	Not solved
OS command injection	Practitioner	Blind OS command injection with out-of-band interaction	Not solved
OS command injection	Practitioner	Blind OS command injection with out-of-band data exfiltration	Not solved

Server-side template injection

Solution	Server-side template injection	level	link	Solved
ssti-1	Server-side template injection	Practitioner	Basic server-side template injection	Solved
ssti-2	Server-side template injection	Practitioner	Basic server-side template injection (code context)	Solved
ssti-3	Server-side template injection	Practitioner	Server-side template injection using documentation	Solved
ssti-4	Server-side template injection	Practitioner	Server-side template injection in an unknown language with a documented exploit	Solved
ssti-5	Server-side template injection	Practitioner	Server-side template injection with information disclosure via user-supplied objects	Solved
ssti-6	Server-side template injection	Expert	Server-side template injection in a sandboxed environment	Solved
	Server-side template injection	Expert	Server-side template injection with a custom exploit	Not solved

Directory traversal

Directory traversal	level	link	Solved
Directory traversal	Apprentice	File path traversal, simple case	Not solved
Directory traversal	Practitioner	File path traversal, traversal sequences blocked with absolute path bypass	Not solved
Directory traversal	Practitioner	File path traversal, traversal sequences stripped non-recursively	Not solved
Directory traversal	Practitioner	File path traversal, traversal sequences stripped with superfluous URL-decode	Not solved
Directory traversal	Practitioner	File path traversal, validation of start of path	Not solved
Directory traversal	Practitioner	File path traversal, validation of file extension with null byte bypass	Not solved

Access control vulnerabilities

Solution	Access control vulnerabilities	level	link	Solved
access-1	Access control vulnerabilities	Apprentice	Unprotected admin functionality	Solved
access-2	Access control vulnerabilities	Apprentice	Unprotected admin functionality with unpredictable URL	Solved
access-3	Access control vulnerabilities	Apprentice	User role controlled by request parameter	Solved
access-4	Access control vulnerabilities	Apprentice	User role can be modified in user profile	Solved
access-5	Access control vulnerabilities	Apprentice	User ID controlled by request parameter	Solved
access-6	Access control vulnerabilities	Apprentice	User ID controlled by request parameter, with unpredictable user IDs	Solved
access-7	Access control vulnerabilities	Apprentice	User ID controlled by request parameter with data leakage in redirect	Solved
access-8	Access control vulnerabilities	Apprentice	User ID controlled by request parameter with password disclosure	Solved
access-9	Access control vulnerabilities	Apprentice	Insecure direct object references	Solved
access-10	Access control vulnerabilities	Practitioner	URL-based access control can be circumvented	Solved
access-11	Access control vulnerabilities	Practitioner	Method-based access control can be circumvented	Solved
access-12	Access control vulnerabilities	Practitioner	Multi-step process with no access control on one step	Solved
access-13	Access control vulnerabilities	Practitioner	Referer-based access control	Solved

Authentication

Authentication	level	link	Solved
Authentication	Apprentice	Username enumeration via different responses	Not solved
Authentication	Apprentice	2FA simple bypass	Not solved
Authentication	Apprentice	Password reset broken logic	Not solved
Authentication	Practitioner	Username enumeration via subtly different responses	Not solved
Authentication	Practitioner	Username enumeration via response timing	Not solved
Authentication	Practitioner	Broken brute-force protection, IP block	Not solved
Authentication	Practitioner	Username enumeration via account lock	Not solved
Authentication	Practitioner	2FA broken logic	Not solved
Authentication	Practitioner	Brute-forcing a stay-logged-in cookie	Not solved
Authentication	Practitioner	Offline password cracking	Not solved
Authentication	Practitioner	Password reset poisoning via middleware	Not solved
Authentication	Practitioner	Password brute-force via password change	Not solved
Authentication	Expert	Broken brute-force protection, multiple credentials per request	Not solved
Authentication	Expert	2FA bypass using a brute-force attack	Not solved

WebSockets

WebSockets	level	link	Solved
WebSockets	Apprentice	Manipulating WebSocket messages to exploit vulnerabilities	Not solved
WebSockets	Practitioner	Manipulating the WebSocket handshake to exploit vulnerabilities	Not solved
WebSockets	Practitioner	Cross-site WebSocket hijacking	Not solved

Web cache poisoning

Web cache poisoning	level	link	Solved
Web cache poisoning	Practitioner	Web cache poisoning with an unkeyed header	Not solved
Web cache poisoning	Practitioner	Web cache poisoning with an unkeyed cookie	Not solved
Web cache poisoning	Practitioner	Web cache poisoning with multiple headers	Not solved
Web cache poisoning	Practitioner	Targeted web cache poisoning using an unknown header	Not solved
Web cache poisoning	Practitioner	Web cache poisoning via an unkeyed query string	Not solved
Web cache poisoning	Practitioner	Web cache poisoning via an unkeyed query parameter	Not solved
Web cache poisoning	Practitioner	Parameter cloaking	Not solved
Web cache poisoning	Practitioner	Web cache poisoning via a fat GET request	Not solved
Web cache poisoning	Practitioner	URL normalization	Not solved
Web cache poisoning	Expert	Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria	Not solved
Web cache poisoning	Expert	Combining web cache poisoning vulnerabilities	Not solved
Web cache poisoning	Expert	Cache key injection	Not solved
Web cache poisoning	Expert	Internal cache poisoning	Not solved

Insecure deserialization

Insecure deserialization	level	link	Solved
Insecure deserialization	Apprentice	Modifying serialized objects	Not solved
Insecure deserialization	Practitioner	Modifying serialized data types	Not solved
Insecure deserialization	Practitioner	Using application functionality to exploit insecure deserialization	Not solved
Insecure deserialization	Practitioner	Arbitrary object injection in PHP	Not solved
Insecure deserialization	Practitioner	Exploiting Java deserialization with Apache Commons	Not solved
Insecure deserialization	Practitioner	Exploiting PHP deserialization with a pre-built gadget chain	Not solved
Insecure deserialization	Practitioner	Exploiting Ruby deserialization using a documented gadget chain	Not solved
Insecure deserialization	Expert	Developing a custom gadget chain for Java deserialization	Not solved
Insecure deserialization	Expert	Developing a custom gadget chain for PHP deserialization	Not solved
Insecure deserialization	Expert	Using PHAR deserialization to deploy a custom gadget chain	Not solved

Information disclosure

Information disclosure	level	link	Solved
Information disclosure	Apprentice	Information disclosure in error messages	Not solved
Information disclosure	Apprentice	Information disclosure on debug page	Not solved
Information disclosure	Apprentice	Source code disclosure via backup files	Not solved
Information disclosure	Apprentice	Authentication bypass via information disclosure	Not solved
Information disclosure	Practitioner	Information disclosure in version control history	Not solved

Business logic vulnerabilities

Business logic vulnerabilities	level	link	Solved
Business logic vulnerabilities	Apprentice	Excessive trust in client-side controls	Not solved
Business logic vulnerabilities	Apprentice	High-level logic vulnerability	Not solved
Business logic vulnerabilities	Apprentice	Inconsistent security controls	Not solved
Business logic vulnerabilities	Apprentice	Flawed enforcement of business rules	Not solved
Business logic vulnerabilities	Practitioner	Low-level logic flaw	Not solved
Business logic vulnerabilities	Practitioner	Inconsistent handling of exceptional input	Not solved
Business logic vulnerabilities	Practitioner	Weak isolation on dual-use endpoint	Not solved
Business logic vulnerabilities	Practitioner	Insufficient workflow validation	Not solved
Business logic vulnerabilities	Practitioner	Authentication bypass via flawed state machine	Not solved
Business logic vulnerabilities	Practitioner	Infinite money logic flaw	Not solved
Business logic vulnerabilities	Practitioner	Authentication bypass via encryption oracle	Not solved

HTTP Host header attacks

HTTP Host header attacks	level	link	Solved
HTTP Host header attacks	Apprentice	Basic password reset poisoning	Not solved
HTTP Host header attacks	Apprentice	Host header authentication bypass	Not solved
HTTP Host header attacks	Practitioner	Web cache poisoning via ambiguous requests	Not solved
HTTP Host header attacks	Practitioner	Routing-based SSRF	Not solved
HTTP Host header attacks	Practitioner	SSRF via flawed request parsing	Not solved
HTTP Host header attacks	Practitioner	Host validation bypass via connection state attack	Not solved
HTTP Host header attacks	Expert	Password reset poisoning via dangling markup	Not solved

OAuth authentication

OAuth authentication	level	link	Solved
OAuth authentication	Apprentice	Authentication bypass via OAuth implicit flow	Not solved
OAuth authentication	Practitioner	Forced OAuth profile linking	Not solved
OAuth authentication	Practitioner	OAuth account hijacking via redirect_uri	Not solved
OAuth authentication	Practitioner	Stealing OAuth access tokens via an open redirect	Not solved
OAuth authentication	Practitioner	SSRF via OpenID dynamic client registration	Not solved
OAuth authentication	Expert	Stealing OAuth access tokens via a proxy page	Not solved

File upload vulnerabilities

File upload vulnerabilities	level	link	Solved
File upload vulnerabilities	Apprentice	Remote code execution via web shell upload	Not solved
File upload vulnerabilities	Apprentice	Web shell upload via Content-Type restriction bypass	Not solved
File upload vulnerabilities	Practitioner	Web shell upload via path traversal	Not solved
File upload vulnerabilities	Practitioner	Web shell upload via extension blacklist bypass	Not solved
File upload vulnerabilities	Practitioner	Web shell upload via obfuscated file extension	Not solved
File upload vulnerabilities	Practitioner	Remote code execution via polyglot web shell upload	Not solved
File upload vulnerabilities	Expert	Web shell upload via race condition	Not solved

JWT

JWT	level	link	Solved
JWT-1	Apprentice	JWT authentication bypass via unverified signature	Solved
JWT-2	Apprentice	JWT authentication bypass via flawed signature verification	Solved
JWT-3	Practitioner	JWT authentication bypass via weak signing key	Solved
JWT-4	Practitioner	JWT authentication bypass via jwk header injection	Solved
JWT-5	Practitioner	JWT authentication bypass via jku header injection	Solved
	Practitioner	JWT authentication bypass via kid header path traversal	Not solved
	Expert	JWT authentication bypass via algorithm confusion	Not solved
	Expert	JWT authentication bypass via algorithm confusion with no exposed key	Not solved

Essential skills

Essential skills	level	link	Solved
Essential skills	Practitioner	Discovering vulnerabilities quickly with targeted scanning	Not solved

Prototype pollution

Prototype pollution	level	link	Solved
Prototype pollution	Practitioner	DOM XSS via client-side prototype pollution	Not solved
Prototype pollution	Practitioner	DOM XSS via an alternative prototype pollution vector	Not solved
Prototype pollution	Practitioner	Client-side prototype pollution in third-party libraries	Not solved
Prototype pollution	Practitioner	Client-side prototype pollution via browser APIs	Not solved
Prototype pollution	Practitioner	Client-side prototype pollution via flawed sanitization	Not solved

Last update: 2024-05-03
Created: February 8, 2023 18:05:06

BurpSuite Labs

SQL injection

Cross-site scripting

Cross-Site Request Forgery

Clickjacking

DOM-based vulnerabilities

Cross-origin resource sharing

XML external entity

Server-side request forgery

HTTP request smuggling

OS command injection

Server-side template injection

Directory traversal

Access control vulnerabilities

Authentication

WebSockets

Web cache poisoning

Insecure deserialization

Information disclosure

Business logic vulnerabilities

HTTP Host header attacks

OAuth authentication

File upload vulnerabilities

JWT

Essential skills

Prototype pollution