Path

Web App Hacking

Try XSS, SQLi, CSRF, and auth bypasses in safe, browser-based sandboxes. Includes payload cheat-sheets and step-by-step practice.

Start with Labs Open Cheat-sheets

Overview

What you’ll learn

How XSS works (reflected, stored, DOM) and modern defenses (CSP, encoding)
SQL injection discovery & exploitation patterns, plus parameterized query fixes
CSRF fundamentals, anti-CSRF tokens, and same-site cookie strategy
Auth/session pitfalls (weak tokens, cookie scope, insecure redirects)

How it works

Each module has a quick explainer, a safe mini-app to poke at, and a short checklist to harden real systems. Nothing you try here attacks any external site.

Tip: use the Password Meter and Phish Detector while you learn.

Hands-on Labs

XSS Playground Easy

Discover reflection points and craft payloads safely.

Launch Cheat-sheet

SQLi Basics Medium

Probe parameters, infer schemas, and practice safe fixes.

Launch Cheat-sheet

CSRF & SameSite Medium

Forge requests and compare mitigations in action.

Launch Cheat-sheet

Auth Bypass Clinic Hard

Weak tokens, cookie scope mistakes, and open redirect chains.

Launch Cheat-sheet

Track your progress

Solve labs and submit scores from the Arena. The leaderboard will reflect your best runs.

Open Arena

Payload Cheat-sheets

XSS

<img src=x onerror=alert(1)>
<svg onload=alert(1)>
Context-safe encodings & DOM sinks checklist

SQLi

' OR 1=1 -- (boolean-based)
' UNION SELECT 1,2,3 (union discovery)
Mitigation: parameterized queries, least privilege

CSRF

Anti-CSRF tokens & double submit
SameSite=Lax/Strict strategy
Idempotent methods & CORS reminders

Auth & Sessions

__Host- / __Secure- cookie prefixes
Cookie scope rules (Domain/Path)
Redirect allow-list & state checks

Create Free Account Read Key Insights