practitioner-level-labs.md

Links to individual labs

• Blind SQL injection with out-of-band data exfiltration
• Forced OAuth profile linking
• Brute-forcing a stay-logged-in cookie
• Exploiting HTTP request smuggling to capture other users' requests
• SSRF with blacklist-based input filter
• SQL injection with filter bypass via XML encoding
• Web shell upload via extension blacklist bypass
• OAuth account hijacking via redirect_uri
• SSRF via flawed request parsing
• SQL injection attack, querying the database type and version on MySQL and Microsoft
• Exploiting cross-site scripting to capture passwords
• CSRF where token validation depends on request method
• Blind XXE with out-of-band interaction via XML parameter entities
• Multistep clickjacking
• SSRF with filter bypass via open redirection vulnerability
• CORS vulnerability with trusted insecure protocols
• Exploiting HTTP request smuggling to deliver reflected XSS
• Server-side template injection in an unknown language with a documented exploit
• Using application functionality to exploit insecure deserialization
• File path traversal, traversal sequences stripped non-recursively
• Broken brute-force protection, IP block
• Multi-step process with no access control on one step
• Insufficient workflow validation
• Manipulating the WebSocket handshake to exploit vulnerabilities
• DOM XSS using web messages and a JavaScript URL
• Web cache poisoning with multiple headers
• Information disclosure in version control history
• Blind OS command injection with output redirection
• Discovering vulnerabilities quickly with targeted scanning
• Information disclosure in version control history

Some labs I'm including for good measure

• Accessing private GraphQL posts
• Accidental exposure of private GraphQL fields
• Finding a hidden GraphQL endpoint
• H2.CL request smuggling
• HTTP/2 request smuggling via CRLF injection
• JWT authentication bypass via weak signing key