Security Labs course catalog
You can use this interactive catalog to browse the current Security Labs courses. For the latest updates on these courses, see Training updates.
Learners can only access lessons that are assigned to them and the assigned lessons must be associated with an active campaign. To grant learners access to all major core lessons, an administrator can assign the All core labs focus without entering an end date.
Lessons are tagged with related Common Weakness Enumerations (CWEs) based on the MITRE framework. The CWEs listed indicate the related Pillar, Class, Base, and Variant CWEs for each lesson. If a CWE also has an assigned Likelihood of Exploit metric value, this value appears next to the CWE for the associated lesson with information about the vulnerability severity and prevalence.
Security Labs – Getting Started
Welcome to Security Labs! This topic helps you become familiar with the lab environment, so you can successfully find and remediate vulnerabilities while taking lessons.
Lesson Zero
OWASP 1: Broken Access Control
Access control failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
To Protect and To Serve Secure Cookies
Tamper with an insecure cookie for privilege escalation.
Fix the Sessions
Tamper with user sessions to authenticate as a different user.
Bad Cookie (Challenge)
Decrypt cookies and hijack another user account.
Loose Lips Sink Servers
Leaking sensitive information can lead to account and server compromises.
Secrets in the Log
While testing a new application, developers might write sensitive information to a log file, or log analyzer, which should not be included in a production system. It is critical that developers ensure no sensitive information is included in data that a malicious actor might be able to access, in either development or production systems.
Redirect Rodeo
Protect users by implementing secure redirect practices.
Forging User Requests New
Cause a user to take unexpected, pre-authenticated actions.
OWASP 2: Cryptographic Failures
Failures related to cryptography (or lack thereof) often lead to exposure of sensitive data.
Bugs in Debug
Verbose error messages lead to exposed sensitive data.
Helpful Stack Trace (Challenge)
Provoke an error that reveals sensitive info, leading to privilege escalation.
Secret Logging (Challenge)
Force an application to throw an error and leak sensitive data in a stack trace.
OWASP 3: Injection
Exploiting and preventing SQL injection attacks that access sensitive data. Reflected and persistent cross-site scripting attacks. Content Security Policy.
Own the Database
Practice injection on a web app that uses a SQL database to retrieve data.
Parameterize all the things
Defend against injection using an app that returns data from a SQL-based database.
Timing is everything (Challenge)
Indirectly reveal sensitive data using SQL 'sleep' commands.
Bobby Tables (Challenge)
Use SQLi to return sensitive data, then properly parameterize queries to avoid injection attacks.
Can you see your reflection?
Practice exploiting simple cross-site scripting vulnerabilities to deliver JavaScript payloads.
Down with Uploads
Insufficient validation of user uploads can lead to stored XSS or directory traversal attacks.
Alert (Challenge)
Exploit a non-persistent XSS vulnerability in a poorly protected app.
Persistence (Challenge)
Exploit directory traversal and persistent XSS vulnerabilities in a poorly protected app.
Reflected XSS and input formatting
Cross-site scripting vulnerabilities with HTML input validation
Stored XSS versus CSP
Defense in depth using CSP against XSS attacks.
Check your sources
Content Security Policy to prevent XSS and other code injection.
Angular HTML and URL sanitization
Cause XSS through improper sanitization and poor variable handoff with Angular.
Angular ERB sanitization
Cause XSS through improper sanitization and poor variable handoff with Angular.
OWASP 4: Insecure Design
Failing to initially think about and address security vulnerabilities at the design phase can lead to vulnerabilities and defects.
Making Secure Decisions
Insecure design decisions can lead to vulnerabilities at every level of an application.
Valid Deficit
CWE-1173 occurs when an application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.
OWASP 5: Security Misconfiguration
Generating and storing secret keys securely.
Jot down this key
Modify JWTs by exploiting knowledge of an insecure secret key.
Bulky Updates
Access hidden attributes to take unauthorized actions.
Can you keep a secret?
Generate a working session token for another user by exploiting knowledge of an insecure secret key.
Secret Admin (Challenge)
Escalate JWT user privileges by exploiting knowledge of an insecure secret key.
eXternal Entity (injection)
Unsafe entity parsing reveals the contents of server files.
XML is always a... (Challenge)
Get access to sensitive data by injecting custom XML.
External Resolution (Challenge)
Retrieve a system file by injecting custom XML, then defend against XXE.
OWASP 6: Vulnerable and Outdated Components
Keep tabs on outdated dependencies with known security weaknesses.
Suspicious Packages
Find and exploit vulnerabilities in outdated packages.
Outdated Dependencies (Challenge)
Find and upgrade an outdated, vulnerable dependency.
OWASP 7: Identification and Authentication Failures
Enforcing user password requirements and properly encrypting passwords.
Really, really bad passwords
Enforce server-side password requirements and hash passwords securely.
Hash it, store it, salt - upgrade it
Encrypting user passwords securely.
Authentication Bypass
"Force browse" to an unprotected page to discover confidential information.
Terrible Password (Challenge)
SQLi and poor password hashing lead to exposed user accounts.
OWASP 8: Software and Data Integrity Failures
It is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now a part of this larger category.
Sleeping With the Enemy
Investigate the integrity of a useful third-party library.
In a Pickle
Data serialization leads to dangerous user-provided payloads.
Deserialization (Challenge)
Use pickling to reveal the code of the underlying application.
Mongo: like SQL, but messier
View non-public posts by supplying a document query as user input.
Tell Mongo "no-go" for untrusted code
Defend against NoSQL IDOR on a NodeJS app that uses MongoDB to store and retrieve data.
User-Provided Users
Exposed, unhashed user IDs are modifiable by users.
Prototype Protection Agency
Lax or missing input validation can lead to data corruption.
OWASP 9: Security Logging and Monitoring Failures
Rate-limit sensitive actions and block attacks as they happen.
Slow Down
Brute force a user's password on a non-rate-limited login page.
Brute Force (Challenge)
Brute force a user's password on a non-rate-limited login page.
Hold the Line
Learn how attackers use CRLF injection to flood log files with false events and how to remediate a CRLF vulnerability.
OWASP 10: Server-Side Request Forgery
SSRF flaws can occur when a web application fetches a remote resource without validating the user-supplied URL.
Get there from here
Beyond OWASP Top 10: Other Web App Risks
This module contains the CWEs, vulnerabilities, and flaws that don't quite fit into the OWASP Top 10 categories.
Do You Remember?
Memory management might seem like a problem from the distant past, but it can still cause issues if not implemented properly.
Know Your Limits
Resource limits can be exceeded when either hard limitations, or software settings have been reached. CWE-404 describes Improper Resource Shutdown or Release weaknesses that should be avoided.
OWASP API 1: Broken Object Level Authorization
APIs can expose endpoints that handle object identifiers. Checks should be considered in every function that accesses a data source using input from the user.
One ID to Access All Objects New
Stronger IDs New
OWASP API 2: Broken User Authentication
Incorrectly implemented authentication mechanisms can allow attackers to compromise authentication tokens or to exploit implementation flaws to assume another user's identity.
Really, really bad passwords New
Terrible Password (Challenge) New
OWASP API 3: Excessive Data Exposure
While creating generic implementations, developers may expose object properties, relying on clients to filter data before displaying it to the user.
Bugs in Debug New
Revealing Schemas New
OWASP API 4: Lack of Resources & Rate Limiting
When APIs do not impose any restrictions on the size or number of resources that can be requested, it can affect performance, lead to DoS, and leave the system vulnerable to authentication flaws such as brute force.
Slow Down New
Brute Force (Challenge) New
Denial of Service New
OWASP API 5: Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, can lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
Neglected endpoints New
OWASP API 6: Mass Assignment
Binding client-provided data to data models, without proper (allowlist) filtering usually leads to Mass Assignment. Guessing or discovering object properties can allow attackers to modify object properties they should not.
Bad Design Compromises Security New
OWASP API 7: Security Misconfiguration
Security misconfiguration causes include unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive, or verbose error messages containing sensitive information.
Jot down this key New
Secret Admin (Challenge) New
eXternal Entity (injection) New
XML is always a (Challenge) New
OWASP API 8: Injection
Injection flaws, such as SQL, NoSQL, Command Injection, and so forth can occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Own the database New
Parameterize all the things New
Bobby Tables (Challenge) New
OWASP API 9: Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.
Unprotected Deployments New
It is important for developers to add the same level of security to their development, test, QA, and other environments, as they do for production.
OWASP API 10: Insufficient Logging & Monitoring
Insufficient logging and monitoring, along with ineffective integration with incident response, allows attackers to attack systems, maintain persistence, pivot to more systems to tamper with, and extract, or destroy data. The average time to detect a breach is over 200 days.
The Importance of Logging and Monitoring New
Log files are critical to enhance security. They provide a way to monitor how your API is being used, providing a way to avoid an underlying attack.
Logging in the API Infrastructure New
The API infrastructure is offered by the technology stack and includes authorization, authentication, exception handling, routing, and so forth. Logging at the infrastructure level helps to detect attacks that would otherwise be impossible to detect at the API implementation level.
Secure C++ Programming: Best Practices
Prevent the compilation of programs using unsafe functions with banned function headers.
Forbidden Functions
A banned function header prevents the compilation of programs using unsafe functions.
Time and Time Again
A side-channel timing attack reveals sensitive information.
Secure C++ Programming: Bitwise Shifts
Low-level operations with undefined results.
Shifty RSA
An RSA implementation allows for invalid bit shifts.
Secure C++ Programming: Compilers
Sensitive data leaked through insecure compiler optimizations.
Optimal Memory
A program that checks user input against a password file leaves sensitive data in memory.
Secure C++ Programming: Files
Overwriting system files through race conditions.
Race condition
An encryption program allows system files to be overwritten through a race condition.
Secure C++ Programming: Heap Overflows
Unsafe character arrays, null terminators, and use of GDB to examine heap memory.
Take Note!
A note-taking program copies strings to the heap unsafely.
Secure C++ Programming: Integer Overflows
Overflowing short integers and wraparound of unsigned integers.
Short Scores
A program to add golf scores is susceptible to overflowing.
Unsigned Messages
A message parsing utility uses unsafe range checks.
Coercive Login
Use integer coercion to log in as an admin user.
Secure C++ Programming: Iterators and Sequence Containers
Leaked data through unsafe iteration and unsafe access of container indices.
Go The Distance (but not too far)
A program to parse input from a file iterates unsafely, resulting in leaked data.
Pinball Wizard
A program to display high scores trusts user input, leading to multiple vulnerabilities.
Secure C++ Programming: Memory Management
Accessing freed memory when unsafe parsing keeps deallocated pointers accessible.
Use After Free
An HTML rendering engine parses input unsafely, keeping a deallocated pointer accessible.
Secure C++ Programming: Overreads
Buffer overruns common to parsing utilities, and the dangers of relying on side effects.
Passed Date
A date parsing and formatting utility allows for buffer over-reads.
Trivial Side Effects
A trivia program reveals sensitive data by poorly tracking player scores.
Secure C++ Programming: Stack Overflows
Unsafe string copying and incomplete string comparisons.
Triple Word Score
A Scrabble score calculator copies user input unsafely.
Secure C++ Programming: Threads
Poor use of mutex locks leads to exceptions.
Lock down the threads
Poor use of mutex locks leads to exceptions.
General Application Security: Common React Pitfalls
Vulnerabilities frequently encountered in ReactJS application development.
React string sanitization
Cause XSS through improper sanitization and poor variable handoff with React.
Sneaky links
Learn about a feature of HTML that can leave your React app open to XSS.
Dangerously set HTML links
React's dangerouslySetInnerHtml and markdown rendering craft a malicious href.
General Application Security: Cross-Site Scripting (XSS)
Content Security Policy
CSP to prevent XSS and other code injection.
Persistent Cross-Site Scripting
Stored XSS and directory traversal via "image" uploads.
Reflected Cross-Site Scripting
Inject inline JavaScript into a Go template through JSON input.
General Application Security: User Data Privacy
An app to track users' jogging habits can benefit from improved data handling practices.
PII Storage
De-identify and limit or do not collect sensitive user data
Access and Erasure
Let users see their stored data, delete their data, and have the 'right to be forgotten'
Rectification
Let users supply corrections to their data
Data Portability
Let users export their data in a machine-readable format
Informed Consent
Let users actively choose to give consent for clear, specific data collection, as well as opting out
General Application Security: CWE-319 Cleartext Transmission of Sensitive Data
Sensitive traffic is sent over unencrypted HTTP.
See-through traffic
Sniff a user's credentials via insecure HTTP requests.
General Application Security: CWE-352 Cross-Site Request Forgery
Forge valid requests from authenticated users.
Forging user requests
Cause a user to take unexpected, pre-authenticated actions.
General Application Security: CWE-601 Open Redirects
Unchecked URL redirection to untrusted sites.
The Art of Redirection
URL redirects cause users to automatically visit untrusted sites.
No Going Back (Challenge)
Work around a URL redirect safety check, then provide an allowlist.
General Application Security: CWE-1021 Improper Restriction of Frames
A lack of response header allows the application to load in an external frame.
You've been framed
A clickjacking attack tricks users into taking intended actions.
Mobile Security
Writing more secure mobile applications.
Custom URL Handling
Explore custom URL schemes, used to allow other applications to request that your app take some action.
Secrets Storage
Explore how shared secrets can be vulnerable to attack.
Forced Browsing & API Security
Explore how a forced browsing attack can occur when a malicious actor locates unlinked contents.
Mobile Logging
Explore the role of application logging.
PCI: Broken Authentication & Session Management
Secret key management
Modify JWTs by exploiting knowledge of an insecure secret key.
Secure session cookies
Tamper with an insecure cookie to hijack another user's account.
Cookie hijack (Challenge)
Decrypt cookies and hijack another user account.
PCI: Improper Access Control
Pickling and deserialization
Access restricted content via insecure serialized input.
NoSQL with Mongo
View non-public posts by supplying a document query as user input.
Open redirects
URL redirects cause users to automatically visit untrusted sites.
PCI: Improper Error Handling
Debug mode in production
Verbose error messages lead to exposed sensitive data.
Stack Trace (Challenge)
Use revealing errors to gain admin permissions.
PCI: Injection Flaws
SQL injection
Use SQL injection to give yourself superuser privileges.
Parameterize queries
Defend against injection attacks by using safe database lookups.
Bobby Tables SQLi (Challenge)
Use SQLi to return sensitive data, then properly parameterize queries to avoid injection attacks.
PCI: Insecure Cryptographic Storage
Storing password hashes
Encrypting data to store sensitive information securely.
Terrible Password (Challenge)
SQLi and poor hashing lead to exposed passwords.
PCI: Other High-Risk Vulnerabilities
Outdated third-party dependencies
Keep tabs on outdated packages with known security weaknesses.
Bash Terminal Usage: Beginner
Navigate around system file and folders using the bash shell.
Introduction to Bash 1
Shell commands to navigate around directories and modify files.
Introduction to Bash 2
Navigate files and folders more efficiently, and search for file contents.
Introduction to Bash 3
Preview the contents of files; create new folders and move files around.
Bash Terminal Usage: Intermediate
Additional bash skills: text editing, scripting, and additional command line tools.
Encrypting, encoding and hashing
Common encoding patterns, cryptographic techniques, and command line tools.
Introduction to bash scripting
Automate tasks by writing and running basic scripts in bash.
Nano for text editing
Use Nano, a basic text editor, for creating and editing files.
DjanGoat
A vulnerable Django application for OWASP Top 10 practice challenges.
Sensitive Data Exposure (Challenge)
Cleartext Storage (Challenge)
Missing Function Level Access Control (Challenge)
DOM XSS (Challenge)
Insecure Direct Object Reference (Challenge)
SQL Injection Interpolation (Challenge)
SQL Injection Concatenation (Challenge)
Stored XSS (Challenge)
Command Injection (Challenge)
Credential Enumeration (Challenge)
Forensics
Work with disk images and investigate the contents of system files.
Creating a disk image
Learn how to acquire a disk image using the forensic tool dc3dd.
Metadata with ExifTool
View and modify the metadata associated with multimedia files.
Working with a disk image
Hard disk image analysis with the sleuthkit (TSK), a standard forensic tool.
Analyzing log files
Uncover evidence of an attack by analyzing a system's logs.
Juice Shop
Very vulnerable MEAN web app full of practice challenges.
Error Handling (Challenge)
Provoke an error that is not very gracefully handled.
Login Bypass (Challenge)
Log in with other users' accounts via SQL injection.
Credentials Dump (Challenge)
Retrieve a list of all user credentials via SQL injection.
XSS Levels (Challenge)
Reflected and persistent XSS attacks of increasing difficulty.
File Uploads (Challenge)
Improper input validation in user file uploads.
Hidden Pages (Challenge)
Find carefully hidden pages.
Confidential Documents (Challenge)
Access unprotected confidential documents.
Open Redirects (Challenge)
Redirect from the Juice Shop to external untrusted sites.
Account Hijack (Challenge)
Access and modify another user's shopping cart.