Modern Web Vulnerability Labs
Modern web app vulnerabilities beyond the classic XSS/SQLi pair. These labs cover CSRF (cross-site request forgery), prototype pollution, and other web-class attacks that require understanding both the browser security model and JavaScript runtime quirks.
Prototype pollution affected lodash, jQuery extend(), and dozens of npm packages across multiple disclosure waves. CSRF persists because developers continue to build state-changing endpoints without anti-CSRF tokens. These labs teach the patterns through hands-on exploitation.
CORS Misconfiguration — Origin Reflection
BankAPI's CORS handler reflects the Origin header into Access-Control-Allow-Origin AND sends Access-Control-Allow-Credentials: true. That's the worst possible CORS combination — an attacker site can read authenticated API responses. Steal the user's account data.
CRLF Injection — HTTP Response Splitting
RedirectorApp builds a Location header from the user-supplied URL parameter. The value is concatenated into the header without sanitization. Inject CRLF (\r\n) sequences to insert a malicious header that sets a session cookie.
CSRF — Money Transfer (No Anti-CSRF Token)
QuickBank's transfer form has no CSRF protection. An attacker site can auto-submit a transfer using the victim's logged-in session. Trigger an unauthorised transfer via the attacker page.
GraphQL — Introspection Reveals Hidden Fields
GraphqlAPI exposes a single /graphql endpoint with introspection enabled. Use introspection to discover an undocumented query field that returns admin secrets, then call it.
Prototype Pollution — User Settings
ProfileApp lets you save settings as JSON. The merge function copies properties from your input straight into the user object — without checking for special property names. Become an admin without changing your role.
GraphQL — Batched Query Authentication Bypass
GraphqlAPI rate-limits the login mutation to 5 requests per minute. But the rate limit applies per-request, not per-operation. Send batched queries (multiple mutations in one POST) to brute-force passwords past the limit.
Web Cache Poisoning — Unkeyed Header
CacheServ caches responses by URL. The application reflects the X-Forwarded-Host header into HTML. The cache key includes the URL but NOT that header. Poison the cache so other users get your malicious content.