Challenges by vulnerability
Injection
- Command injection: looking_glass
- SQL injection: sanitize, Pentest Notes
- Server-side template injection (SSTI): Spookifier
- XXE: baby_WAFfles_order
XSS / HTML injection
- XSS: full_stack_conf
- HTML injection / XSS: onlyhacks
Auth / access control
Deserialization / gadget chains
- Insecure deserialization (RCE): baby_website_rick
Prototype pollution / sandbox escape
- Prototype pollution (RCE): baby_breaking_grad
- Next.js / RSC gadget chain: ReactOOPS
Info disclosure / logic
- Sensitive data exposure: baby_nginxatsu
- Application logic bug: baby_todo_or_not_todo
- Input validation / type confusion: Magical Palindrome