// deliberately vulnerable applications
Find what shouldn't be there
Each lab runs a real web application with a real OWASP vulnerability built in. No labels in the UI, no hints on the page. Open DevTools and find it yourself.
OWASP API3:2023
Excessive Data Exposure
A course platform leaks full student profiles through its listing API. Open DevTools, inspect the network response. Find what shouldn't be there.
Open lab →
02 OWASP A01:2021
Broken Access Control
Authorization checks exist in the UI but not on the server. Find the endpoint that ignores them entirely.
Open lab →
03 OWASP A01:2021
Broken Access Control (HTML)
The same flaw in raw HTML. No framework, no abstraction — the vulnerability sits in plain sight.
Open lab →
04 OWASP A01:2021
Privilege Escalation
An AI platform stores user roles in localStorage. Log in as a regular user, then escalate to admin without knowing the admin credentials.
Open lab →