Learn to hack with community-created challenges


Help others learn

Can you code? Help others learn by creating a challenge around a bug you found or a general security issue and let other researchers see if they can work it out.



Learn to hack live

View our live mentoring sessions and participate in a live mentoring hacking challenge. Brush up on your skills, learn new techniques & meet other hackers.



Challenge | Information | Created by

Easy/medium FastFoodHackings - Is our new profile updater secure?

Note: For this challenge you will need an account on https://www.bugbountytraining.com/FFH/


Thanks again for...

zseano Category: idor
7 accepted submissions
Solution shared in 19 days

Easy/medium Give some space to this XSS Filter. ;)

One of our developers who doesn't RTFM came up with this XSS filter. He thinks his filter is super duper secure. Can you prove him wrong?

rakeshmane Category: Cross Site Scripting (XSS)
10 accepted submissions
Solution shared in 16 days

Hard Can you trick this browser extension into revealing its data?

This tiny browser extension is the keeper of a well-hidden secret. We would like to access it from our website, but the extension will only give it to mycompany.invalid which we don't own. Can you...

palant Category: Misc / Application Logic
4 accepted submissions
Solution has been shared.

Easy/medium Your scanner just found include.html - but what does the javascript do?

This is a re-created bug I recently found on a public bugbounty program. My scanner was hunting for interesting subdomains & files and I noticed one interesting subdomain which contained nothing...

zseano Category: Cross Site Scripting (XSS)
47 accepted submissions
Solution has been shared.

Medium Make HTML dirty again!

Sanitizing HTML is hard! Can you get XSS on this website?

The solution does not require any user interaction.

sheddow Category: Cross Site Scripting (XSS)
5 accepted submissions
Solution has been shared.

Medium/hard XSS and bypass me

Can you execute an alert-box with one user click?

slawbra Category: Cross Site Scripting (XSS)
8 accepted submissions
Solution has been shared.

Easy/medium Can you alert()

The challenge is vulnerable to basic XSS; you need alert() to complete the challenge.

shapa Category: Cross Site Scripting (XSS)
9 accepted submissions
Solution has been shared.

Medium Can you add yourself to the hall of fame?

I created a hall of fame with one condition: you have to add yourself, and only one user can control the hall of fame! Can you become the king and show your name proudly? Find a way to get your...

zseano Category: Misc / Application Logic
14 accepted submissions
Solution has been shared.

Medium Can you get the flag from this browser extension?

This is a convenient extension, storing the logins you use on various webpages and offering them to you on next visit so that you don't have to retype. It also doubles as a flag storage, websites...

palant Category: Cross Site Scripting (XSS)
3 accepted submissions
Solution has been shared.

Medium/hard Can you XSS when redirecting?

You'll have to somehow get XSS.

Maybe by stopping something? Maybe by abusing unexpected behaviour of the browser? Maybe by fuzzing?

All up to you.

Note : Intended solution...

rakeshmane Category: Cross Site Scripting (XSS)
11 accepted submissions
Solution has been shared.

Hard Try out my Screenshotter.PRO browser extension!

Did you know that a browser extension to capture websites can be written with little to no knowledge? I've done it and it works great!

By the way, maybe you could help me with a serious...

palant Category: Misc / Application Logic
2 accepted submissions
Solution has been shared.

Medium/hard An unusual XSS

This challenge was inspired (and reproduced exactly) by a real-life XSS I've recently exploited in a private bug bounty program. It requires some out of the box thinking, it's not an easy...

harisec Category: Cross Site Scripting (XSS)
11 accepted submissions
Solution has been shared.

Medium/hard Hack The Admin Panel Challenge

Can you exploit the XSS vulnerability present in a hidden feature to gain access to the admin panel?

Note: Admin prefers clicking. He doesn't like moving his mouse here and there.

rakeshmane Category: Cross Site Scripting (XSS)
6 accepted submissions
Solution has been shared.

Medium/hard Steal teh token!

Can you steal the token?

structhack Category: Cross Site Scripting (XSS)
15 accepted submissions
Solution has been shared.

Easy A properly secured parameter

We recently learned that the message parameter on this page was vulnerable to XSS. While we couldn't afford changing this page, we configured our WAF to prevent exploitation. So it's all fine now,...

palant Category: Cross Site Scripting (XSS)
45 accepted submissions
Solution has been shared.

Easy/medium Our redirect blacklist is top-notch, right?

We built a secure redirect system, to redirect from our website to our application. There is no way to bypass this, right?

ebelties Category: Open URL Redirect
11 accepted submissions
Solution has been shared.

Medium Exploiting a static page

This is a static page, no server side involved. So looking for XSS vulnerabilities should be pointless, right?

palant Category: Cross Site Scripting (XSS)
7 accepted submissions
Solution has been shared.

Medium/hard Can you find the flag via SQL injection?

The form is vulnerable to SQL injection and there's a flag inside the database waiting for you. Using ONLY union based injection, can you retrieve it?

noob Category: SQL Injection (SQLi)
11 accepted submissions
Solution has been shared.

Medium/hard This strict URL filter should prevent XSS, right?

This one is pretty simple. One parameter is vulnerable, ?url=. Can you get XSS to execute?

filedescriptor Category: Cross Site Scripting (XSS)
11 accepted submissions
Solution has been shared.

Medium Blind testing - debug mode

This one will require a bit of thinking. It's designed to be a complete blackbox so you have no idea what it's looking for but using information on the page and basic understanding of HTTP...

zseano Category: Cross Site Scripting (XSS)
22 accepted submissions
Solution has been shared.

Easy/medium Can you bypass the Open URL redirect filter?

Try not to overthink this one. Even though a website sometimes tells you how a function SHOULD function, sometimes it doesn't always do that. Look at what request is being sent, and can anything be...

zseano Category: openurl
58 accepted submissions
Solution has been shared.

Medium/hard There's cross site request forgery (CSRF) protection, but how good is it?

Note: Use a keen eye on this challenge to notice what's happening.

Our admin panel was hacked because someone discovered a way to force a request to be sent when we visited a malicious...

zseano Category: Cross Site Request Forgery (CSRF)
13 accepted submissions
Solution has been shared.

Easy This developer didn't realise people could view the HTML source. What can you find?

Note: This challenge just requires you to have a keen eye. Look carefully!

Firstly, this developer hid his admin panel at a random subdomain he didn't think anyone could find. Because of...

zseano Category: Test your recon
138 accepted submissions
Solution has been shared.

Easy Find the vulnerable parameter and try to beat the XSS filter!

I couldn't use the traditional methods of stopping XSS because of the way my application works. Because of this I've had to create a "strict" filter to stop malicious attackers and help...

zseano Category: Cross Site Scripting (XSS)
176 accepted submissions
Solution has been shared.