Each challenge simulates a real vulnerability in a way that feels like a real app. You’ll see the feature, understand the code, spot the flaw, exploit it (safely), then flip to Secure Mode and see the fix.
All Challenges
Pick one. Each page is section-based, interactive, and visually distinct.
👤 Broken Access Control
Access another user's private account data.
Try: Modify the user identifier in the request.
Explore →

🛂 Trusting Client Headers
Gain access to admin-only features.
Try: Add or modify a privileged request header.
Explore →

🔒 Client-Side Authorization
Unlock premium features without proper authorization.
Try: Toggle a client-controlled flag.
Explore →

🧩 Encoding Is Not Encryption
Recover a sensitive value hidden with encoding.
Try: Decode the exposed value.
Explore →

⏱️ Missing Rate Limiting
Attempt repeated logins without restriction.
Try: Increase the number of attempts.
Explore →

🤖 Default Credentials
Log in using commonly known credentials.
Try: Enter typical default values.
Explore →

➡️ Open Redirect
Redirect users to an external destination.
Try: Change the redirect target parameter.
Explore →

🧨 Reflected XSS (Simulated)
Inject markup into a server response.
Try: Supply HTML-like input.
Explore →

📁 Path Traversal
Access files outside the intended directory.
Try: Manipulate the file path.
Explore →

🌐 CORS Misconfiguration
Read sensitive API data from another origin.
Try: Send a request from an untrusted origin.
Explore →