Web eXploitation Laboratory

Challenges

Choose a challenge to begin

4 道挑戰

#001Door Is Openeasyweb2026年4月2日

A file-sharing app with an IDOR vulnerability — download other users' private files by manipulating the file ID.

idoraccess-controlfastapisqlite

#002FastAPI IDOR Demoeasyweb2025年4月1日

A FastAPI notes app with an IDOR vulnerability. Can you access a note that doesn't belong to you?

idorfastapirest-api

#003PHP File Inclusion Demoeasyweb2025年3月15日

A PHP application with a file inclusion vulnerability. Can you read the flag?

lfiphpfile-inclusion

#004SQL Injection Demoeasyweb2025年3月1日

A simple Flask app with a SQL injection vulnerability. Can you retrieve all users from the database?

sqlinjectionflasksqlite