Identifying vulnerabilities on web applications

Below you can find a variety of free challenges recreated from real bug bounty findings. Practise what you have learnt from our website and see if you can complete each challenge. Once you think you've found the answer, you can reveal the solution to check whether you are right!

If you are struggling with a challenge, hints are available; however, we recommend giving it a try before using the help.

Cross Origin Resource Sharing: Checking if a whitelisted string is found is a bad approach

When you press Begin Challenge, you'll be sent to and will see...

Misc / Application Logic: Can you obtain the sensitive information somehow?

We recommend using Firefox for your PoC.

If you visit then you'll see Not authenticated!.

Cross Site Scripting (XSS): Can you find any XSS on this "harmless" page?

This is just a static page with some basic JavaScript, but what does it do, and is anything vulnerable?

Open URL Redirect: You may only redirect to *

Developers will often lock down their open redirects to only allow for *

Can you find out how to redirect to any website? Remember, this challenge is designed to only allow for...

Open URL Redirect: Only relative redirects are allowed!

Sometimes developers want to redirect the user after a certain action has been completed, but they don't want users to be redirected to third-party websites.

To combat this developers will sometimes check if the first character is...

Cross Site Scripting (XSS): Change the class of our image and pick your favourite!

Our basic HTML web application will allow you to easily change the style via class change. View various styles of images and decide which you think is best!

Once you're done playing, can you find any XSS? The developers have made sure no...

Cross Site Scripting (XSS): Can you find any XSS? No HTML tags allowed!

This is a simple web application designed to show you some interesting facts on various animals. I've made sure that the search field does NOT allow for HTML tags, but is it secure?

How many XSS vulnerabilities can you find?

Misc / Application Logic: Can you access our private tool, XSS Destroyer?

As the title says, are you able to access our private tool, XSS destroyer? It's currently in BETA mode and we aren't accepting new users but if you have access to it, let us know what you think!

Test your recon: There's a leak somewhere!

There's an info leak somewhere on* can you find it? You'll know when you do!

Open URL Redirect: Can you steal the SSO token?

We've built a super secure login portal to access our diet plan and we'd love your help to make sure we've set it up correctly.

You can login to ManageMyDiet with the following credentials:


We've added...

Cross Site Scripting (XSS): "I've won a bounty" generator

We know people love to say they've won some bounties, so simply input your username and bounty amount and then generate your image!

Can you discover how the application works and if there's anything interesting happening? Perhaps there is XSS...

Insecure Direct Object Reference: Check out these HackerPhotos! Nothing's wrong here.

We've created a basic web application called "HackerPhotos" to highlight some awesome hacker-tagged photography. It is still in BETA and we'd love for you to give it a try and make sure we've not made any mistakes!

You can login...

Misc / Application Logic: What's behind this admin panel?

You are faced with a login panel, but what do you do? Close the tab and find something else? Of course not, you try to find what's behind the login page!

Investigate the login page and see if you can find a way to grab the admin's session...

Cross Site Scripting (XSS): This strict URL filter should prevent XSS, right?

This one is pretty simple. One parameter is vulnerable, ?url=. Can you get XSS to execute?

Cross Site Request Forgery (CSRF): There's cross site request forgery (CSRF) protection, but how good is it?

Can you successfully force the admin password to be updated via CSRF? This means you must be on YOUR site and still be able to force the data to be updated successfully.

The CSRF token generated is unique to your session so you must be able to...