## https://sploitus.com/exploit?id=6EB6476B-341C-526B-8B5F-5A6BD8C98646
# 🛡️ WebSec Labs
A hands-on, level-based collection of intentionally vulnerable web labs covering the
**OWASP Top 10** and beyond. Every lab ships in three layers:
| Layer | Folder | What it is |
|-------|--------|------------|
| 🔴 **Vulnerable** | `vulnerable/` | The feature implemented with the *wrong* pattern |
| 🟢 **Fixed** | `fixed/` | The same feature, done securely, with notes on what changed |
| 💥 **Exploit** | `exploit/` | A working PoC + an automated test that proves the bug |
Each lab has a **writeup** explaining the vulnerability, how to exploit it, the
**root cause**, and how to fix it properly.
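To make the three-layer layout concrete, here is what a `vulnerable/` and `fixed/` pair looks like for the kind of feature the `01-sqli` lab covers, together with the sort of automated check an `exploit/` test would run. This is an added illustration, not code from the WebSec Labs repository: the labs themselves are Node.js + Express + SQLite, whereas this example uses Python's standard-library `sqlite3` so it runs anywhere with no dependencies. The `users` table, its rows and the function names are all constructed for the example.

```python
"""Vulnerable/fixed pair for a username lookup, plus a test that proves the bug.

Added example in the spirit of the lab layout (vulnerable/, fixed/, exploit/);
not the project's own code. Uses an in-memory SQLite database so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """vulnerable/: the *wrong* pattern. Untrusted input is spliced into the SQL
    text, so the input can change the structure of the query, not just a value."""
    sql = (
        "SELECT username, email FROM users "
        f"WHERE username = '{username}' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def fixed_lookup(conn: sqlite3.Connection, username: str) -> list:
    """fixed/: the same feature with a parameterized query. The SQL text is a
    constant; the input is bound as data by the driver and can never become SQL."""
    sql = "SELECT username, email FROM users WHERE username = ? ORDER BY id"
    return conn.execute(sql, (username,)).fetchall()


def is_injectable(lookup) -> bool:
    """exploit/-style automated check: a lookup is injectable if a classic
    tautology string returns rows even though no user has that name.
    Returns True for vulnerable_lookup and False for fixed_lookup."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return len(lookup(conn, tautology)) > 0


def demo() -> dict:
    """Run both handlers on a benign and a hostile input and return the results."""
    conn = make_db()
    benign = "alice"
    tautology = "' OR '1'='1"
    return {
        "vuln_benign": vulnerable_lookup(conn, benign),
        "vuln_tautology": vulnerable_lookup(conn, tautology),
        "fixed_benign": fixed_lookup(conn, benign),
        "fixed_tautology": fixed_lookup(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
    print("vulnerable injectable:", is_injectable(vulnerable_lookup))
    print("fixed injectable:", is_injectable(fixed_lookup))
```

The interesting comparison is the two `*_tautology` results: the concatenated query returns every row because the input rewrote the `WHERE` clause, while the parameterized query returns nothing because it looked for a user literally named `' OR '1'='1`. The `is_injectable` check is the shape of test the README describes in `exploit/`: it should pass against `vulnerable/` and fail against `fixed/`, which is how CI can prove both that the bug exists and that the fix closes it.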
> ⚠️ **Warning: intentionally vulnerable code.** These apps contain real
> vulnerabilities for educational purposes. Run them **only** locally / inside Docker.
> Never deploy them to a public server.
---
## 🚀 Quick start
```bash
# Run the hub dashboard (lists every lab + status)
cd hub && npm install && npm start
# → http://localhost:3000
# Run a single lab (vulnerable + fixed side by side)
cd labs/01-sqli && docker compose up
```
---
## 🗺️ Vulnerability map
### Level 1: Basics
- [ ] `01-sqli`: SQL Injection · `A03:2021 Injection`
- [ ] `02-xss-reflected`: Reflected XSS · `A03:2021 Injection`
- [ ] `03-idor`: Insecure Direct Object Reference · `A01:2021 Broken Access Control`
- [ ] `04-open-redirect`: Open Redirect
### Level 2: Auth & Access
- [ ] `05-broken-access-control` · `A01:2021`
- [ ] `06-jwt-attacks`: alg=none / weak secret
- [ ] `07-csrf`: Cross-Site Request Forgery
- [ ] `08-auth-failures` · `A07:2021`
### Level 3: Injection+
- [ ] `09-xss-stored`: Stored XSS
- [ ] `10-command-injection`
- [ ] `11-ssti`: Server-Side Template Injection
- [ ] `12-path-traversal`
- [ ] `13-file-upload`
### Level 4: Config & Crypto
- [ ] `14-security-misconfig` · `A05:2021`
- [ ] `15-cors-misconfig`
- [ ] `16-crypto-failures` · `A02:2021`
- [ ] `17-mass-assignment`
- [ ] `18-prototype-pollution`
### Level 5: Advanced
- [ ] `19-ssrf` · `A10:2021`
- [ ] `20-xxe`
- [ ] `21-insecure-deserialization` · `A08:2021`
- [ ] `22-race-conditions`
- [ ] `23-redos`
- [ ] `24-request-smuggling`
> Checkboxes are ticked as each lab is completed.
---
## 🧱 Tech stack
Node.js + Express · SQLite (per-lab) · EJS / raw HTML · Docker Compose ·
mkdocs (writeups) · GitHub Actions (exploit tests run in CI).
## 📚 Writeups
Browse the documentation site: `cd docs && mkdocs serve` → http://localhost:8000
## 📄 License
MIT, for educational use. See [`LICENSE`](LICENSE).