Labs
Browse public labs, filter by language and difficulty, and sort by recency.
Solana Vault Escrow (Broken Access Control)
A Solana Anchor escrow vault instruction allows unauthorized emergency withdrawals due to a missing authority match check.
340 pts | 40 min
#rust #solana #anchor #access-control
Support Tickets API (IDOR in Rust)
A Rust support-ticket backend exposes direct object access by ID without ownership checks, enabling IDOR.
190 pts | 20 min
#rust #actix-web #idor #broken-access-control
Vendor Escrow (tx.origin Auth Bypass)
A vendor-invoice escrow contract uses tx.origin for authorization, enabling phishing-based unauthorized payout execution.
280 pts | 30 min
#solidity #ethereum #escrow #authorization
Creator TipJar (Solidity Reentrancy)
A small on-chain tip-jar dApp lets creators withdraw tips, but a payout flow is vulnerable to reentrancy.
320 pts | 35 min
#solidity #ethereum #dapp #reentrancy
Analytics Logs (Path Traversal)
A logs endpoint reads files by name from a logs directory without path sanitization, allowing traversal.
180 pts | 20 min
#go #http #path-traversal #files
Auth Service (PHP) - SQL Injection & Weak Hash
A PHP auth endpoint concatenates user input into SQL and uses md5 for passwords.
220 pts | 30 min
#php #pdo #sql #auth
Inventory Lookup (SQL Injection)
A Spring inventory service constructs a SQL query with string concatenation, allowing SQL injection.
300 pts | 35 min
#java #spring #jdbc #sql
Orders Receipt Renderer (SSRF)
A receipt rendering endpoint fetches a user-provided URL, enabling server-side request forgery.
240 pts | 25 min
#python #flask #ssrf #http
Payments User Search (NoSQL Injection)
A payments microservice exposes a user search endpoint that trusts a JSON filter from the query string, enabling NoSQL injection.
220 pts | 25 min
#node #express #nosql #injection