Pantsir Labs


Browse public labs, filter by language and difficulty, and sort by recency.

Solana Vault Escrow (Broken Access Control)
An Anchor escrow vault program allows unauthorized emergency withdrawals because signer status is checked without authority equality validation.
Language: rust | 340 pts | 40 min
Tags: #rust #solana #anchor #access-control
Support Tickets API (IDOR in Rust)
A Rust support-ticket API reads records by ID without owner scoping, creating an IDOR access-control flaw.
Language: rust | 190 pts | 20 min
Tags: #rust #actix-web #idor #broken-access-control
Vendor Escrow (tx.origin Auth Bypass)
A vendor escrow contract authorizes payouts with `tx.origin`, allowing malicious relay contracts to trigger owner-only actions.
Language: solidity | 280 pts | 30 min
Tags: #solidity #ethereum #escrow #authorization
Creator TipJar (Solidity Reentrancy)
A Hardhat tip-jar dApp lets creators withdraw funds, but state is updated after external calls, enabling a reentrancy drain.
Language: solidity | 320 pts | 35 min
Tags: #solidity #ethereum #dapp #reentrancy
Analytics Logs (Path Traversal)
A Go analytics service exposes log download endpoints that concatenate user-controlled paths, enabling traversal outside the logs directory.
Language: go | 180 pts | 20 min
Tags: #go #http #path-traversal #files
Auth Service (PHP) - SQL Injection & Weak Hash
A PHP authentication service mixes legacy MD5 password storage with string-built SQL, enabling login bypass through injection.
Language: php | 220 pts | 30 min
Tags: #php #pdo #sql #auth
Inventory Lookup (SQL Injection)
A Spring Boot inventory lookup endpoint builds SQL from user input, allowing attacker-controlled query logic.
Language: java | 300 pts | 35 min
Tags: #java #spring #jdbc #sql
Orders Receipt Renderer (SSRF)
A Flask receipt renderer fetches user-provided URLs directly, enabling SSRF into internal and metadata endpoints.
Language: python | 240 pts | 25 min
Tags: #python #flask #ssrf #http
Payments User Search (NoSQL Injection)
A payments support API accepts raw JSON filter objects from users and passes them directly into query evaluation, enabling NoSQL injection.
Language: javascript | 220 pts | 25 min
Tags: #node #express #nosql #injection