BurpSuite Labs
SQL injection
Cross-site scripting
Cross-site request forgery
Cross-site request forgery | Level | Lab | Solved
---|---|---|---
Cross-site request forgery | Apprentice | CSRF vulnerability with no defenses | Not solved
Cross-site request forgery | Practitioner | CSRF where token validation depends on request method | Not solved
Cross-site request forgery | Practitioner | CSRF where token validation depends on token being present | Not solved
Cross-site request forgery | Practitioner | CSRF where token is not tied to user session | Not solved
Cross-site request forgery | Practitioner | CSRF where token is tied to non-session cookie | Not solved
Cross-site request forgery | Practitioner | CSRF where token is duplicated in cookie | Not solved
Cross-site request forgery | Practitioner | SameSite Lax bypass via method override | Not solved
Cross-site request forgery | Practitioner | SameSite Strict bypass via client-side redirect | Not solved
Cross-site request forgery | Practitioner | SameSite Strict bypass via sibling domain | Not solved
Cross-site request forgery | Practitioner | SameSite Lax bypass via cookie refresh | Not solved
Cross-site request forgery | Practitioner | CSRF where Referer validation depends on header being present | Not solved
Cross-site request forgery | Practitioner | CSRF with broken Referer validation | Not solved
Clickjacking
Clickjacking | Level | Lab | Solved
---|---|---|---
Clickjacking | Apprentice | Basic clickjacking with CSRF token protection | Not solved
Clickjacking | Apprentice | Clickjacking with form input data prefilled from a URL parameter | Not solved
Clickjacking | Apprentice | Clickjacking with a frame buster script | Not solved
Clickjacking | Practitioner | Exploiting clickjacking vulnerability to trigger DOM-based XSS | Not solved
Clickjacking | Practitioner | Multistep clickjacking | Not solved
DOM-based vulnerabilities
DOM-based vulnerabilities | Level | Lab | Solved
---|---|---|---
DOM-based vulnerabilities | Practitioner | DOM XSS using web messages | Not solved
DOM-based vulnerabilities | Practitioner | DOM XSS using web messages and a JavaScript URL | Not solved
DOM-based vulnerabilities | Practitioner | DOM XSS using web messages and JSON.parse | Not solved
DOM-based vulnerabilities | Practitioner | DOM-based open redirection | Not solved
DOM-based vulnerabilities | Practitioner | DOM-based cookie manipulation | Not solved
DOM-based vulnerabilities | Expert | Exploiting DOM clobbering to enable XSS | Not solved
DOM-based vulnerabilities | Expert | Clobbering DOM attributes to bypass HTML filters | Not solved
Cross-origin resource sharing
Cross-origin resource sharing | Level | Lab | Solved
---|---|---|---
Cross-origin resource sharing | Apprentice | CORS vulnerability with basic origin reflection | Not solved |
Cross-origin resource sharing | Apprentice | CORS vulnerability with trusted null origin | Not solved |
Cross-origin resource sharing | Practitioner | CORS vulnerability with trusted insecure protocols | Not solved |
Cross-origin resource sharing | Expert | CORS vulnerability with internal network pivot attack | Not solved |
XML external entity
Solution | XML external entity | Level | Lab | Solved
---|---|---|---|---
xxe-1 | XML external entity | Apprentice | Exploiting XXE using external entities to retrieve files | Solved
xxe-2 | XML external entity | Apprentice | Exploiting XXE to perform SSRF attacks | Solved
xxe-3 | XML external entity | Practitioner | Blind XXE with out-of-band interaction | Solved
xxe-4 | XML external entity | Practitioner | Blind XXE with out-of-band interaction via XML parameter entities | Solved
xxe-5 | XML external entity | Practitioner | Exploiting blind XXE to exfiltrate data using a malicious external DTD | Solved
xxe-6 | XML external entity | Practitioner | Exploiting blind XXE to retrieve data via error messages | Solved
xxe-7 | XML external entity | Practitioner | Exploiting XInclude to retrieve files | Solved
xxe-8 | XML external entity | Practitioner | Exploiting XXE via image file upload | Solved
xxe-9 | XML external entity | Expert | Exploiting XXE to retrieve data by repurposing a local DTD | Solved
Server-side request forgery
Solution | Server-side request forgery | Level | Lab | Solved
---|---|---|---|---
ssrf-1 | Server-side request forgery | Apprentice | Basic SSRF against the local server | Solved
ssrf-2 | Server-side request forgery | Apprentice | Basic SSRF against another back-end system | Solved
ssrf-3 | Server-side request forgery | Practitioner | SSRF with blacklist-based input filter | Solved
ssrf-4 | Server-side request forgery | Practitioner | SSRF with filter bypass via open redirection vulnerability | Not solved
 | Server-side request forgery | Practitioner | Blind SSRF with out-of-band detection | Not solved
 | Server-side request forgery | Expert | SSRF with whitelist-based input filter | Not solved
 | Server-side request forgery | Expert | Blind SSRF with Shellshock exploitation | Not solved
HTTP request smuggling
OS command injection
OS command injection | Level | Lab | Solved
---|---|---|---
OS command injection | Apprentice | OS command injection, simple case | Not solved |
OS command injection | Practitioner | Blind OS command injection with time delays | Not solved |
OS command injection | Practitioner | Blind OS command injection with output redirection | Not solved |
OS command injection | Practitioner | Blind OS command injection with out-of-band interaction | Not solved |
OS command injection | Practitioner | Blind OS command injection with out-of-band data exfiltration | Not solved |
Server-side template injection
Solution | Server-side template injection | Level | Lab | Solved
---|---|---|---|---
ssti-1 | Server-side template injection | Practitioner | Basic server-side template injection | Solved
ssti-2 | Server-side template injection | Practitioner | Basic server-side template injection (code context) | Solved
ssti-3 | Server-side template injection | Practitioner | Server-side template injection using documentation | Solved
ssti-4 | Server-side template injection | Practitioner | Server-side template injection in an unknown language with a documented exploit | Solved
ssti-5 | Server-side template injection | Practitioner | Server-side template injection with information disclosure via user-supplied objects | Solved
ssti-6 | Server-side template injection | Expert | Server-side template injection in a sandboxed environment | Solved
 | Server-side template injection | Expert | Server-side template injection with a custom exploit | Not solved
Directory traversal
Directory traversal | Level | Lab | Solved
---|---|---|---
Directory traversal | Apprentice | File path traversal, simple case | Not solved |
Directory traversal | Practitioner | File path traversal, traversal sequences blocked with absolute path bypass | Not solved |
Directory traversal | Practitioner | File path traversal, traversal sequences stripped non-recursively | Not solved |
Directory traversal | Practitioner | File path traversal, traversal sequences stripped with superfluous URL-decode | Not solved |
Directory traversal | Practitioner | File path traversal, validation of start of path | Not solved |
Directory traversal | Practitioner | File path traversal, validation of file extension with null byte bypass | Not solved |
Access control vulnerabilities
Solution | Access control vulnerabilities | Level | Lab | Solved
---|---|---|---|---
access-1 | Access control vulnerabilities | Apprentice | Unprotected admin functionality | Solved |
access-2 | Access control vulnerabilities | Apprentice | Unprotected admin functionality with unpredictable URL | Solved |
access-3 | Access control vulnerabilities | Apprentice | User role controlled by request parameter | Solved |
access-4 | Access control vulnerabilities | Apprentice | User role can be modified in user profile | Solved |
access-5 | Access control vulnerabilities | Apprentice | User ID controlled by request parameter | Solved |
access-6 | Access control vulnerabilities | Apprentice | User ID controlled by request parameter, with unpredictable user IDs | Solved |
access-7 | Access control vulnerabilities | Apprentice | User ID controlled by request parameter with data leakage in redirect | Solved |
access-8 | Access control vulnerabilities | Apprentice | User ID controlled by request parameter with password disclosure | Solved |
access-9 | Access control vulnerabilities | Apprentice | Insecure direct object references | Solved |
access-10 | Access control vulnerabilities | Practitioner | URL-based access control can be circumvented | Solved |
access-11 | Access control vulnerabilities | Practitioner | Method-based access control can be circumvented | Solved |
access-12 | Access control vulnerabilities | Practitioner | Multi-step process with no access control on one step | Solved |
access-13 | Access control vulnerabilities | Practitioner | Referer-based access control | Solved |
Authentication
Authentication | Level | Lab | Solved
---|---|---|---
Authentication | Apprentice | Username enumeration via different responses | Not solved |
Authentication | Apprentice | 2FA simple bypass | Not solved |
Authentication | Apprentice | Password reset broken logic | Not solved |
Authentication | Practitioner | Username enumeration via subtly different responses | Not solved |
Authentication | Practitioner | Username enumeration via response timing | Not solved |
Authentication | Practitioner | Broken brute-force protection, IP block | Not solved |
Authentication | Practitioner | Username enumeration via account lock | Not solved |
Authentication | Practitioner | 2FA broken logic | Not solved |
Authentication | Practitioner | Brute-forcing a stay-logged-in cookie | Not solved |
Authentication | Practitioner | Offline password cracking | Not solved |
Authentication | Practitioner | Password reset poisoning via middleware | Not solved |
Authentication | Practitioner | Password brute-force via password change | Not solved |
Authentication | Expert | Broken brute-force protection, multiple credentials per request | Not solved |
Authentication | Expert | 2FA bypass using a brute-force attack | Not solved |
WebSockets
WebSockets | Level | Lab | Solved
---|---|---|---
WebSockets | Apprentice | Manipulating WebSocket messages to exploit vulnerabilities | Not solved |
WebSockets | Practitioner | Manipulating the WebSocket handshake to exploit vulnerabilities | Not solved |
WebSockets | Practitioner | Cross-site WebSocket hijacking | Not solved |
Web cache poisoning
Web cache poisoning | Level | Lab | Solved
---|---|---|---
Web cache poisoning | Practitioner | Web cache poisoning with an unkeyed header | Not solved |
Web cache poisoning | Practitioner | Web cache poisoning with an unkeyed cookie | Not solved |
Web cache poisoning | Practitioner | Web cache poisoning with multiple headers | Not solved |
Web cache poisoning | Practitioner | Targeted web cache poisoning using an unknown header | Not solved |
Web cache poisoning | Practitioner | Web cache poisoning via an unkeyed query string | Not solved |
Web cache poisoning | Practitioner | Web cache poisoning via an unkeyed query parameter | Not solved |
Web cache poisoning | Practitioner | Parameter cloaking | Not solved |
Web cache poisoning | Practitioner | Web cache poisoning via a fat GET request | Not solved |
Web cache poisoning | Practitioner | URL normalization | Not solved |
Web cache poisoning | Expert | Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria | Not solved |
Web cache poisoning | Expert | Combining web cache poisoning vulnerabilities | Not solved |
Web cache poisoning | Expert | Cache key injection | Not solved |
Web cache poisoning | Expert | Internal cache poisoning | Not solved |
Insecure deserialization
Insecure deserialization | Level | Lab | Solved
---|---|---|---
Insecure deserialization | Apprentice | Modifying serialized objects | Not solved |
Insecure deserialization | Practitioner | Modifying serialized data types | Not solved |
Insecure deserialization | Practitioner | Using application functionality to exploit insecure deserialization | Not solved |
Insecure deserialization | Practitioner | Arbitrary object injection in PHP | Not solved |
Insecure deserialization | Practitioner | Exploiting Java deserialization with Apache Commons | Not solved |
Insecure deserialization | Practitioner | Exploiting PHP deserialization with a pre-built gadget chain | Not solved |
Insecure deserialization | Practitioner | Exploiting Ruby deserialization using a documented gadget chain | Not solved |
Insecure deserialization | Expert | Developing a custom gadget chain for Java deserialization | Not solved |
Insecure deserialization | Expert | Developing a custom gadget chain for PHP deserialization | Not solved |
Insecure deserialization | Expert | Using PHAR deserialization to deploy a custom gadget chain | Not solved |
Information disclosure
Information disclosure | Level | Lab | Solved
---|---|---|---
Information disclosure | Apprentice | Information disclosure in error messages | Not solved |
Information disclosure | Apprentice | Information disclosure on debug page | Not solved |
Information disclosure | Apprentice | Source code disclosure via backup files | Not solved |
Information disclosure | Apprentice | Authentication bypass via information disclosure | Not solved |
Information disclosure | Practitioner | Information disclosure in version control history | Not solved |
Business logic vulnerabilities
Business logic vulnerabilities | Level | Lab | Solved
---|---|---|---
Business logic vulnerabilities | Apprentice | Excessive trust in client-side controls | Not solved |
Business logic vulnerabilities | Apprentice | High-level logic vulnerability | Not solved |
Business logic vulnerabilities | Apprentice | Inconsistent security controls | Not solved |
Business logic vulnerabilities | Apprentice | Flawed enforcement of business rules | Not solved |
Business logic vulnerabilities | Practitioner | Low-level logic flaw | Not solved |
Business logic vulnerabilities | Practitioner | Inconsistent handling of exceptional input | Not solved |
Business logic vulnerabilities | Practitioner | Weak isolation on dual-use endpoint | Not solved |
Business logic vulnerabilities | Practitioner | Insufficient workflow validation | Not solved |
Business logic vulnerabilities | Practitioner | Authentication bypass via flawed state machine | Not solved |
Business logic vulnerabilities | Practitioner | Infinite money logic flaw | Not solved |
Business logic vulnerabilities | Practitioner | Authentication bypass via encryption oracle | Not solved |
HTTP Host header attacks
HTTP Host header attacks | Level | Lab | Solved
---|---|---|---
HTTP Host header attacks | Apprentice | Basic password reset poisoning | Not solved |
HTTP Host header attacks | Apprentice | Host header authentication bypass | Not solved |
HTTP Host header attacks | Practitioner | Web cache poisoning via ambiguous requests | Not solved |
HTTP Host header attacks | Practitioner | Routing-based SSRF | Not solved |
HTTP Host header attacks | Practitioner | SSRF via flawed request parsing | Not solved |
HTTP Host header attacks | Practitioner | Host validation bypass via connection state attack | Not solved |
HTTP Host header attacks | Expert | Password reset poisoning via dangling markup | Not solved |
OAuth authentication
OAuth authentication | Level | Lab | Solved
---|---|---|---
OAuth authentication | Apprentice | Authentication bypass via OAuth implicit flow | Not solved |
OAuth authentication | Practitioner | Forced OAuth profile linking | Not solved |
OAuth authentication | Practitioner | OAuth account hijacking via redirect_uri | Not solved |
OAuth authentication | Practitioner | Stealing OAuth access tokens via an open redirect | Not solved |
OAuth authentication | Practitioner | SSRF via OpenID dynamic client registration | Not solved |
OAuth authentication | Expert | Stealing OAuth access tokens via a proxy page | Not solved |
File upload vulnerabilities
File upload vulnerabilities | Level | Lab | Solved
---|---|---|---
File upload vulnerabilities | Apprentice | Remote code execution via web shell upload | Not solved |
File upload vulnerabilities | Apprentice | Web shell upload via Content-Type restriction bypass | Not solved |
File upload vulnerabilities | Practitioner | Web shell upload via path traversal | Not solved |
File upload vulnerabilities | Practitioner | Web shell upload via extension blacklist bypass | Not solved |
File upload vulnerabilities | Practitioner | Web shell upload via obfuscated file extension | Not solved |
File upload vulnerabilities | Practitioner | Remote code execution via polyglot web shell upload | Not solved |
File upload vulnerabilities | Expert | Web shell upload via race condition | Not solved |
JWT
Solution | JWT | Level | Lab | Solved
---|---|---|---|---
JWT-1 | JWT | Apprentice | JWT authentication bypass via unverified signature | Solved
JWT-2 | JWT | Apprentice | JWT authentication bypass via flawed signature verification | Solved
JWT-3 | JWT | Practitioner | JWT authentication bypass via weak signing key | Solved
JWT-4 | JWT | Practitioner | JWT authentication bypass via jwk header injection | Solved
JWT-5 | JWT | Practitioner | JWT authentication bypass via jku header injection | Solved
 | JWT | Practitioner | JWT authentication bypass via kid header path traversal | Not solved
 | JWT | Expert | JWT authentication bypass via algorithm confusion | Not solved
 | JWT | Expert | JWT authentication bypass via algorithm confusion with no exposed key | Not solved
Essential skills
Essential skills | Level | Lab | Solved
---|---|---|---
Essential skills | Practitioner | Discovering vulnerabilities quickly with targeted scanning | Not solved |
Prototype pollution
Prototype pollution | Level | Lab | Solved
---|---|---|---
Prototype pollution | Practitioner | DOM XSS via client-side prototype pollution | Not solved |
Prototype pollution | Practitioner | DOM XSS via an alternative prototype pollution vector | Not solved |
Prototype pollution | Practitioner | Client-side prototype pollution in third-party libraries | Not solved |
Prototype pollution | Practitioner | Client-side prototype pollution via browser APIs | Not solved |
Prototype pollution | Practitioner | Client-side prototype pollution via flawed sanitization | Not solved |