Realistic application modules, each with hidden vulnerabilities
A social platform with profiles, posts, and messaging. Hidden XSS, IDOR, CSRF vulnerabilities.
Full shopping experience with cart, payments, and coupons. Business logic bugs everywhere.
Internal admin panel with user management and system tools. Command injection and forced browsing.
REST and GraphQL APIs with intentional misconfigurations. Introspection, SSRF, and more.
Upload and share files. Bypass upload restrictions and read server files.
Real-time WebSocket chat with message history. Injection and impersonation vulnerabilities.
Login, registration, OAuth, JWT, and MFA systems - all deliberately flawed.
Simulated banking with transfers and transactions. Race conditions and logic flaws.
Cryptocurrency wallet simulation with exposed private keys and transfer vulnerabilities.
Customer support with file attachments and status tracking. XSS and file upload issues.
Simulated CI/CD pipeline with exposed secrets, tokens, and configuration files.
Internal tools with weak access controls. Find backup files and hidden endpoints.