
BurpSuite Labs

SQL injection

Solution SQL injection level link Solved
sqli-1 SQL injection Apprentice SQL injection vulnerability in WHERE clause allowing retrieval of hidden data Solved
sqli-2 SQL injection Apprentice SQL injection vulnerability allowing login bypass Solved
sqli-3 SQL injection Practitioner SQL injection UNION attack, determining the number of columns returned by the query Solved
sqli-4 SQL injection Practitioner SQL injection UNION attack, finding a column containing text Solved
sqli-5 SQL injection Practitioner SQL injection UNION attack, retrieving data from other tables Solved
sqli-6 SQL injection Practitioner SQL injection UNION attack, retrieving multiple values in a single column Solved
SQL injection Practitioner SQL injection attack, querying the database type and version on Oracle Not solved
SQL injection Practitioner SQL injection attack, querying the database type and version on MySQL and Microsoft Not solved
SQL injection Practitioner SQL injection attack, listing the database contents on non-Oracle databases Not solved
SQL injection Practitioner SQL injection attack, listing the database contents on Oracle Not solved
SQL injection Practitioner Blind SQL injection with conditional responses Not solved
SQL injection Practitioner Blind SQL injection with conditional errors Not solved
SQL injection Practitioner Blind SQL injection with time delays Not solved
SQL injection Practitioner Blind SQL injection with time delays and information retrieval Not solved
SQL injection Practitioner Blind SQL injection with out-of-band interaction Not solved
SQL injection Practitioner Blind SQL injection with out-of-band data exfiltration Not solved
SQL injection Practitioner SQL injection with filter bypass via XML encoding Not solved

Cross-site scripting

Solution Cross-site scripting level link Solved
xss-1 Cross-site scripting Apprentice Reflected XSS into HTML context with nothing encoded Solved
xss-2 Cross-site scripting Apprentice Stored XSS into HTML context with nothing encoded Solved
xss-3 Cross-site scripting Apprentice DOM XSS in document.write sink using source location.search Solved
xss-4 Cross-site scripting Apprentice DOM XSS in innerHTML sink using source location.search Solved
xss-5 Cross-site scripting Apprentice DOM XSS in jQuery anchor href attribute sink using location.search source Solved
xss-6 Cross-site scripting Apprentice DOM XSS in jQuery selector sink using a hashchange event Solved
Cross-site scripting Apprentice Reflected XSS into attribute with angle brackets HTML-encoded Not solved
Cross-site scripting Apprentice Stored XSS into anchor href attribute with double quotes HTML-encoded Not solved
Cross-site scripting Apprentice Reflected XSS into a JavaScript string with angle brackets HTML encoded Not solved
Cross-site scripting Practitioner DOM XSS in document.write sink using source location.search inside a select element Not solved
Cross-site scripting Practitioner DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded Not solved
Cross-site scripting Practitioner Reflected DOM XSS Not solved
Cross-site scripting Practitioner Stored DOM XSS Not solved
Cross-site scripting Practitioner Exploiting cross-site scripting to steal cookies Not solved
Cross-site scripting Practitioner Exploiting cross-site scripting to capture passwords Not solved
Cross-site scripting Practitioner Exploiting XSS to perform CSRF Not solved
Cross-site scripting Practitioner Reflected XSS into HTML context with most tags and attributes blocked Not solved
Cross-site scripting Practitioner Reflected XSS into HTML context with all tags blocked except custom ones Not solved
Cross-site scripting Practitioner Reflected XSS with some SVG markup allowed Not solved
Cross-site scripting Practitioner Reflected XSS in canonical link tag Not solved
Cross-site scripting Practitioner Reflected XSS into a JavaScript string with single quote and backslash escaped Not solved
Cross-site scripting Practitioner Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped Not solved
Cross-site scripting Practitioner Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped Not solved
Cross-site scripting Practitioner Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped Not solved
Cross-site scripting Expert Reflected XSS with event handlers and href attributes blocked Not solved
Cross-site scripting Expert Reflected XSS in a JavaScript URL with some characters blocked Not solved
Cross-site scripting Expert Reflected XSS with AngularJS sandbox escape without strings Not solved
Cross-site scripting Expert Reflected XSS with AngularJS sandbox escape and CSP Not solved
Cross-site scripting Expert Reflected XSS protected by very strict CSP, with dangling markup attack Not solved
Cross-site scripting Expert Reflected XSS protected by CSP, with CSP bypass Not solved

Cross-Site Request Forgery

Cross-site Request Forgery level link Solved
Cross-site Request Forgery Apprentice CSRF vulnerability with no defenses Not solved
Cross-site Request Forgery Practitioner CSRF where token validation depends on request method Not solved
Cross-site Request Forgery Practitioner CSRF where token validation depends on token being present Not solved
Cross-site Request Forgery Practitioner CSRF where token is not tied to user session Not solved
Cross-site Request Forgery Practitioner CSRF where token is tied to non-session cookie Not solved
Cross-site Request Forgery Practitioner CSRF where token is duplicated in cookie Not solved
Cross-site Request Forgery Practitioner SameSite Lax bypass via method override Not solved
Cross-site Request Forgery Practitioner SameSite Strict bypass via client-side redirect Not solved
Cross-site Request Forgery Practitioner SameSite Strict bypass via sibling domain Not solved
Cross-site Request Forgery Practitioner SameSite Lax bypass via cookie refresh Not solved
Cross-site Request Forgery Practitioner CSRF where Referer validation depends on header being present Not solved
Cross-site Request Forgery Practitioner CSRF with broken Referer validation Not solved

Clickjacking

Clickjacking level link Solved
Clickjacking Apprentice Basic clickjacking with CSRF token protection Not solved
Clickjacking Apprentice Clickjacking with form input data prefilled from a URL parameter Not solved
Clickjacking Apprentice Clickjacking with a frame buster script Not solved
Clickjacking Practitioner Exploiting clickjacking vulnerability to trigger DOM-based XSS Not solved
Clickjacking Practitioner Multistep clickjacking Not solved

DOM-based vulnerabilities

DOM-based vulnerabilities level link Solved
DOM-based vulnerabilities Practitioner DOM XSS using web messages Not solved
DOM-based vulnerabilities Practitioner DOM XSS using web messages and a JavaScript URL Not solved
DOM-based vulnerabilities Practitioner DOM XSS using web messages and JSON.parse Not solved
DOM-based vulnerabilities Practitioner DOM-based open redirection Not solved
DOM-based vulnerabilities Practitioner DOM-based cookie manipulation Not solved
DOM-based vulnerabilities Expert Exploiting DOM clobbering to enable XSS Not solved
DOM-based vulnerabilities Expert Clobbering DOM attributes to bypass HTML filters Not solved

Cross-origin resource sharing

Cross-origin resource sharing level link Solved
Cross-origin resource sharing Apprentice CORS vulnerability with basic origin reflection Not solved
Cross-origin resource sharing Apprentice CORS vulnerability with trusted null origin Not solved
Cross-origin resource sharing Practitioner CORS vulnerability with trusted insecure protocols Not solved
Cross-origin resource sharing Expert CORS vulnerability with internal network pivot attack Not solved

XML external entity

XML external entity level link Solved
xxe-1 Apprentice Exploiting XXE using external entities to retrieve files Solved
xxe-2 Apprentice Exploiting XXE to perform SSRF attacks Solved
xxe-3 Practitioner Blind XXE with out-of-band interaction Solved
xxe-4 Practitioner Blind XXE with out-of-band interaction via XML parameter entities Solved
xxe-5 Practitioner Exploiting blind XXE to exfiltrate data using a malicious external DTD Solved
xxe-6 Practitioner Exploiting blind XXE to retrieve data via error messages Solved
xxe-7 Practitioner Exploiting XInclude to retrieve files Solved
xxe-8 Practitioner Exploiting XXE via image file upload Solved
xxe-9 Expert Exploiting XXE to retrieve data by repurposing a local DTD Solved

Server-side request forgery

Server-side request forgery level link Solved
ssrf-1 Server-side request forgery Apprentice Basic SSRF against the local server Solved
ssrf-2 Server-side request forgery Apprentice Basic SSRF against another back-end system Solved
ssrf-3 Server-side request forgery Practitioner SSRF with blacklist-based input filter Solved
ssrf-4 Server-side request forgery Practitioner SSRF with filter bypass via open redirection vulnerability Not solved
Server-side request forgery Practitioner Blind SSRF with out-of-band detection Not solved
Server-side request forgery Expert SSRF with whitelist-based input filter Not solved
Server-side request forgery Expert Blind SSRF with Shellshock exploitation Not solved

HTTP request smuggling

HTTP request smuggling level link Solved
HTTP request smuggling Practitioner HTTP request smuggling, basic CL.TE vulnerability Not solved
HTTP request smuggling Practitioner HTTP request smuggling, basic TE.CL vulnerability Not solved
HTTP request smuggling Practitioner HTTP request smuggling, obfuscating the TE header Not solved
HTTP request smuggling Practitioner HTTP request smuggling, confirming a CL.TE vulnerability via differential responses Not solved
HTTP request smuggling Practitioner HTTP request smuggling, confirming a TE.CL vulnerability via differential responses Not solved
HTTP request smuggling Practitioner Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability Not solved
HTTP request smuggling Practitioner Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability Not solved
HTTP request smuggling Practitioner Exploiting HTTP request smuggling to reveal front-end request rewriting Not solved
HTTP request smuggling Practitioner Exploiting HTTP request smuggling to capture other users' requests Not solved
HTTP request smuggling Practitioner Exploiting HTTP request smuggling to deliver reflected XSS Not solved
HTTP request smuggling Practitioner Response queue poisoning via H2.TE request smuggling Not solved
HTTP request smuggling Practitioner H2.CL request smuggling Not solved
HTTP request smuggling Practitioner HTTP/2 request smuggling via CRLF injection Not solved
HTTP request smuggling Practitioner HTTP/2 request splitting via CRLF injection Not solved
HTTP request smuggling Practitioner CL.0 request smuggling Not solved
HTTP request smuggling Expert Exploiting HTTP request smuggling to perform web cache poisoning Not solved
HTTP request smuggling Expert Exploiting HTTP request smuggling to perform web cache deception Not solved
HTTP request smuggling Expert Bypassing access controls via HTTP/2 request tunnelling Not solved
HTTP request smuggling Expert Web cache poisoning via HTTP/2 request tunnelling Not solved
HTTP request smuggling Expert Client-side desync Not solved
HTTP request smuggling Expert Browser cache poisoning via client-side desync Not solved
HTTP request smuggling Expert Server-side pause-based request smuggling Not solved

OS command injection

OS command injection level link Solved
OS command injection Apprentice OS command injection, simple case Not solved
OS command injection Practitioner Blind OS command injection with time delays Not solved
OS command injection Practitioner Blind OS command injection with output redirection Not solved
OS command injection Practitioner Blind OS command injection with out-of-band interaction Not solved
OS command injection Practitioner Blind OS command injection with out-of-band data exfiltration Not solved

Server-side template injection

Solution Server-side template injection level link Solved
ssti-1 Server-side template injection Practitioner Basic server-side template injection Solved
ssti-2 Server-side template injection Practitioner Basic server-side template injection (code context) Solved
ssti-3 Server-side template injection Practitioner Server-side template injection using documentation Solved
ssti-4 Server-side template injection Practitioner Server-side template injection in an unknown language with a documented exploit Solved
ssti-5 Server-side template injection Practitioner Server-side template injection with information disclosure via user-supplied objects Solved
ssti-6 Server-side template injection Expert Server-side template injection in a sandboxed environment Solved
Server-side template injection Expert Server-side template injection with a custom exploit Not solved

Directory traversal

Directory traversal level link Solved
Directory traversal Apprentice File path traversal, simple case Not solved
Directory traversal Practitioner File path traversal, traversal sequences blocked with absolute path bypass Not solved
Directory traversal Practitioner File path traversal, traversal sequences stripped non-recursively Not solved
Directory traversal Practitioner File path traversal, traversal sequences stripped with superfluous URL-decode Not solved
Directory traversal Practitioner File path traversal, validation of start of path Not solved
Directory traversal Practitioner File path traversal, validation of file extension with null byte bypass Not solved

Access control vulnerabilities

Solution Access control vulnerabilities level link Solved
access-1 Access control vulnerabilities Apprentice Unprotected admin functionality Solved
access-2 Access control vulnerabilities Apprentice Unprotected admin functionality with unpredictable URL Solved
access-3 Access control vulnerabilities Apprentice User role controlled by request parameter Solved
access-4 Access control vulnerabilities Apprentice User role can be modified in user profile Solved
access-5 Access control vulnerabilities Apprentice User ID controlled by request parameter Solved
access-6 Access control vulnerabilities Apprentice User ID controlled by request parameter, with unpredictable user IDs Solved
access-7 Access control vulnerabilities Apprentice User ID controlled by request parameter with data leakage in redirect Solved
access-8 Access control vulnerabilities Apprentice User ID controlled by request parameter with password disclosure Solved
access-9 Access control vulnerabilities Apprentice Insecure direct object references Solved
access-10 Access control vulnerabilities Practitioner URL-based access control can be circumvented Solved
access-11 Access control vulnerabilities Practitioner Method-based access control can be circumvented Solved
access-12 Access control vulnerabilities Practitioner Multi-step process with no access control on one step Solved
access-13 Access control vulnerabilities Practitioner Referer-based access control Solved

Authentication

Authentication level link Solved
Authentication Apprentice Username enumeration via different responses Not solved
Authentication Apprentice 2FA simple bypass Not solved
Authentication Apprentice Password reset broken logic Not solved
Authentication Practitioner Username enumeration via subtly different responses Not solved
Authentication Practitioner Username enumeration via response timing Not solved
Authentication Practitioner Broken brute-force protection, IP block Not solved
Authentication Practitioner Username enumeration via account lock Not solved
Authentication Practitioner 2FA broken logic Not solved
Authentication Practitioner Brute-forcing a stay-logged-in cookie Not solved
Authentication Practitioner Offline password cracking Not solved
Authentication Practitioner Password reset poisoning via middleware Not solved
Authentication Practitioner Password brute-force via password change Not solved
Authentication Expert Broken brute-force protection, multiple credentials per request Not solved
Authentication Expert 2FA bypass using a brute-force attack Not solved

WebSockets

WebSockets level link Solved
WebSockets Apprentice Manipulating WebSocket messages to exploit vulnerabilities Not solved
WebSockets Practitioner Manipulating the WebSocket handshake to exploit vulnerabilities Not solved
WebSockets Practitioner Cross-site WebSocket hijacking Not solved

Web cache poisoning

Web cache poisoning level link Solved
Web cache poisoning Practitioner Web cache poisoning with an unkeyed header Not solved
Web cache poisoning Practitioner Web cache poisoning with an unkeyed cookie Not solved
Web cache poisoning Practitioner Web cache poisoning with multiple headers Not solved
Web cache poisoning Practitioner Targeted web cache poisoning using an unknown header Not solved
Web cache poisoning Practitioner Web cache poisoning via an unkeyed query string Not solved
Web cache poisoning Practitioner Web cache poisoning via an unkeyed query parameter Not solved
Web cache poisoning Practitioner Parameter cloaking Not solved
Web cache poisoning Practitioner Web cache poisoning via a fat GET request Not solved
Web cache poisoning Practitioner URL normalization Not solved
Web cache poisoning Expert Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria Not solved
Web cache poisoning Expert Combining web cache poisoning vulnerabilities Not solved
Web cache poisoning Expert Cache key injection Not solved
Web cache poisoning Expert Internal cache poisoning Not solved

Insecure deserialization

Insecure deserialization level link Solved
Insecure deserialization Apprentice Modifying serialized objects Not solved
Insecure deserialization Practitioner Modifying serialized data types Not solved
Insecure deserialization Practitioner Using application functionality to exploit insecure deserialization Not solved
Insecure deserialization Practitioner Arbitrary object injection in PHP Not solved
Insecure deserialization Practitioner Exploiting Java deserialization with Apache Commons Not solved
Insecure deserialization Practitioner Exploiting PHP deserialization with a pre-built gadget chain Not solved
Insecure deserialization Practitioner Exploiting Ruby deserialization using a documented gadget chain Not solved
Insecure deserialization Expert Developing a custom gadget chain for Java deserialization Not solved
Insecure deserialization Expert Developing a custom gadget chain for PHP deserialization Not solved
Insecure deserialization Expert Using PHAR deserialization to deploy a custom gadget chain Not solved

Information disclosure

Information disclosure level link Solved
Information disclosure Apprentice Information disclosure in error messages Not solved
Information disclosure Apprentice Information disclosure on debug page Not solved
Information disclosure Apprentice Source code disclosure via backup files Not solved
Information disclosure Apprentice Authentication bypass via information disclosure Not solved
Information disclosure Practitioner Information disclosure in version control history Not solved

Business logic vulnerabilities

Business logic vulnerabilities level link Solved
Business logic vulnerabilities Apprentice Excessive trust in client-side controls Not solved
Business logic vulnerabilities Apprentice High-level logic vulnerability Not solved
Business logic vulnerabilities Apprentice Inconsistent security controls Not solved
Business logic vulnerabilities Apprentice Flawed enforcement of business rules Not solved
Business logic vulnerabilities Practitioner Low-level logic flaw Not solved
Business logic vulnerabilities Practitioner Inconsistent handling of exceptional input Not solved
Business logic vulnerabilities Practitioner Weak isolation on dual-use endpoint Not solved
Business logic vulnerabilities Practitioner Insufficient workflow validation Not solved
Business logic vulnerabilities Practitioner Authentication bypass via flawed state machine Not solved
Business logic vulnerabilities Practitioner Infinite money logic flaw Not solved
Business logic vulnerabilities Practitioner Authentication bypass via encryption oracle Not solved

HTTP Host header attacks

HTTP Host header attacks level link Solved
HTTP Host header attacks Apprentice Basic password reset poisoning Not solved
HTTP Host header attacks Apprentice Host header authentication bypass Not solved
HTTP Host header attacks Practitioner Web cache poisoning via ambiguous requests Not solved
HTTP Host header attacks Practitioner Routing-based SSRF Not solved
HTTP Host header attacks Practitioner SSRF via flawed request parsing Not solved
HTTP Host header attacks Practitioner Host validation bypass via connection state attack Not solved
HTTP Host header attacks Expert Password reset poisoning via dangling markup Not solved

OAuth authentication

OAuth authentication level link Solved
OAuth authentication Apprentice Authentication bypass via OAuth implicit flow Not solved
OAuth authentication Practitioner Forced OAuth profile linking Not solved
OAuth authentication Practitioner OAuth account hijacking via redirect_uri Not solved
OAuth authentication Practitioner Stealing OAuth access tokens via an open redirect Not solved
OAuth authentication Practitioner SSRF via OpenID dynamic client registration Not solved
OAuth authentication Expert Stealing OAuth access tokens via a proxy page Not solved

File upload vulnerabilities

File upload vulnerabilities level link Solved
File upload vulnerabilities Apprentice Remote code execution via web shell upload Not solved
File upload vulnerabilities Apprentice Web shell upload via Content-Type restriction bypass Not solved
File upload vulnerabilities Practitioner Web shell upload via path traversal Not solved
File upload vulnerabilities Practitioner Web shell upload via extension blacklist bypass Not solved
File upload vulnerabilities Practitioner Web shell upload via obfuscated file extension Not solved
File upload vulnerabilities Practitioner Remote code execution via polyglot web shell upload Not solved
File upload vulnerabilities Expert Web shell upload via race condition Not solved

JWT

JWT level link Solved
JWT-1 Apprentice JWT authentication bypass via unverified signature Solved
JWT-2 Apprentice JWT authentication bypass via flawed signature verification Solved
JWT-3 Practitioner JWT authentication bypass via weak signing key Solved
JWT-4 Practitioner JWT authentication bypass via jwk header injection Solved
JWT-5 Practitioner JWT authentication bypass via jku header injection Solved
Practitioner JWT authentication bypass via kid header path traversal Not solved
Expert JWT authentication bypass via algorithm confusion Not solved
Expert JWT authentication bypass via algorithm confusion with no exposed key Not solved

Essential skills

Essential skills level link Solved
Essential skills Practitioner Discovering vulnerabilities quickly with targeted scanning Not solved

Prototype pollution

Prototype pollution level link Solved
Prototype pollution Practitioner DOM XSS via client-side prototype pollution Not solved
Prototype pollution Practitioner DOM XSS via an alternative prototype pollution vector Not solved
Prototype pollution Practitioner Client-side prototype pollution in third-party libraries Not solved
Prototype pollution Practitioner Client-side prototype pollution via browser APIs Not solved
Prototype pollution Practitioner Client-side prototype pollution via flawed sanitization Not solved
Last update: 2024-05-03
Created: February 8, 2023 18:05:06