🧑💻 Practice Labs & CTF Exercises
Test your skills with hands-on labs for each major web vulnerability. Filter by category or difficulty, reveal hints, and view solutions. All labs link to real practice platforms.
Lab Platforms Comparison
Choose the platform that fits your learning style and budget. Each excels in different areas:
| Platform | Pricing | Strengths | Best For |
|---|---|---|---|
| PortSwigger Web Security Academy | Free | Best structured web security curriculum; covers every OWASP category; official Burp labs | Dedicated web pentesting practice; beginners through advanced |
| TryHackMe | Free / £10/mo | Guided learning paths; browser-based VMs; beginner-friendly | Structured learning; those new to security |
| Hack The Box | Free / €14/mo | Realistic machines; competitive aspect; Pro Labs for enterprise scenarios | Intermediate-advanced; exam prep (OSCP, CPTS) |
| PentesterLab | Free / $20/mo | Focused web exercises; badge progression; covers modern vulns quickly | Web-specific skills; JWT, OAuth, deserialization |
| DVWA | Free (self-hosted) | Simple setup; adjustable difficulty; classic training tool | Local practice; basic injection & XSS |
| OWASP Juice Shop | Free (self-hosted) | Modern app (Node/Angular); 100+ challenges; CTF mode | Comprehensive self-hosted lab; OWASP Top 10 coverage |
How to Practice Effectively
✅ Do
- Try without hints first (30-60 min per challenge)
- Document your approach — build a personal playbook
- After solving, read the official writeup for new techniques
- Practice each vuln class until it's second nature
- Combine tools with manual testing — don't rely on scanners
❌ Don't
- Jump to solutions immediately
- Skip fundamentals for flashy exploits
- Collect flags without understanding the technique
- Only use automated tools — learn manual testing
- Practice on real systems without authorization
Interactive Lab Explorer
Browse labs by vulnerability category and difficulty. Click on any lab for details, hints, and links to practice platforms.