Security Knowledge Framework

Labs

All

64

Sort by: default

Lab name

Difficulty

Status

Write-up

Start lab

Path traversal (LFI)

1

Inactive

View

lfi

Cross Site Scripting

1

Inactive

View

xss

Cross site scripting (attribute)

1

Inactive

View

xss-attribute

Cross site scripting (href)

1

Inactive

View

xss-url

XSSI

2

Inactive

View

untrusted-sources-js

Cross site request forgery

3

Inactive

View

csrf

Cross site request forgery (same site)

3

Inactive

View

csrf-samesite

Cross site request forgery weak

2

Inactive

View

csrf-weak

External entity attack

2

Inactive

View

xxe

Insecure file upload

1

Inactive

View

file-upload

Clickjacking

1

Inactive

View

clickjacking

Rate-limiting

1

Inactive

View

ratelimiting

HttpOnly (session hijacking)

3

Inactive

View

session-hijacking-xss

SQLI (union select)

2

Inactive

View

sqli

Open redirect

1

Inactive

View

url-redirection

Open redirect ( harder )

2

Inactive

View

url-redirection-harder

Open redirect ( hard )

3

Inactive

View

url-redirection-harder2

CORS exploitation

3

Inactive

View

cors

Formulla injection

1

Inactive

View

formula-injection

Mass assingment attack

1

Inactive

View

parameter-binding

SQLI -like

2

Inactive

View

sqli-like

SQLI-blind

3

Inactive

View

sqli-blind

Remote file inclusion

1

Inactive

View

rfi

Local file inclusion ( harder )

1

Inactive

View

lfi-2

Local file inclusion ( hard )

1

Inactive

View

lfi-3

Content security policiy

1

Inactive

View

csp

Server side request forgery

3

Inactive

View

ssrf

Server side template injection

3

Inactive

View

ssti

Insecure direct object reference

2

Inactive

View

idor

JWT null

2

Inactive

View

jwt-null

JWT weak secret

2

Inactive

View

jwt-secret

Insecure deserialization (yaml)

3

Inactive

View

des-yaml

Insecure deserialization pickle ( hard )

3

Inactive

View

des-pickle

Insecure deserialization pickle ( harder )

3

Inactive

View

des-pickle-2

Race condition

3

Inactive

View

racecondition

Regex Ddos

1

Inactive

View

dos-regex

Command injection

1

Inactive

View

cmd

Command injection ( easy )

1

Inactive

View

cmd2

Command injection ( harder )

2

Inactive

View

cmd3

Command injection ( hard )

3

Inactive

View

cmd4

Command injection ( blind )

3

Inactive

View

cmd-blind

Information disclosure 1

1

Inactive

View

info-leakeage-comments

Information disclosure 2

1

Inactive

View

info-leakeage-metadata

Authentication bypass ( easy )

1

Inactive

View

auth-bypass-simple

Authentication bypass

1

Inactive

View

auth-bypass

Threat-modeling

3

Inactive

View

threatmodeling

Session management

1

Inactive

View

session-management-1

Authentication bypass ( harder )

2

Inactive

View

auth-bypass-2

Authentication bypass ( hard )

3

Inactive

View

auth-bypass-3

Right to left override attack

1

Inactive

View

rtlo

Session puzzeling

3

Inactive

View

sessionpuzzle

Graphql DOS

3

Inactive

View

graphql-dos-resource-exhaustion

GraphQL IDOR

3

Inactive

View

graphql-idor

GraphQL Injections

3

Inactive

View

graphql-injections

GraphQL Introspection

3

Inactive

View

graphql-info-introspection

GraphQL Mutations

3

Inactive

View

graphql-mutation

Client side template injection

2

Inactive

View

csti

Prototype pollution

3

Inactive

View

prototype

CSS Injection

2

Inactive

View

cssi

Client side restriction bypass

1

Inactive

View

client-side-restriction-bypass

Client side restriction bypass ( harder )

2

Inactive

View

client-side-restriction-bypass-2

Credentials guessing ( easy )

2

Inactive

View

credentials-guessing-1

Credentials guessing ( harder )

2

Inactive

View

credentials-guessing-2

Credentials guessing ( hard )

2

Inactive

View

credentials-guessing-3

« »

2023 Security Knowledge Framework.

SKF is part of Linux Foundation