PortSwigger Web Security Academy

A marathon of PortSwigger Web Security Academy labs.

Per-day stats

total solved: 63

Date	Solved	Labs
Thu, June 4, 2026	2 ⏱ 1h 40m	Web shell upload via extension blacklist bypass⏱ 1h Web shell upload via obfuscated file extension⏱ 40m
Wed, June 3, 2026	3 ⏱ 1h	Remote code execution via web shell upload⏱ 20m Web shell upload via Content-Type restriction bypass⏱ 20m Web shell upload via path traversal⏱ 20m
Tue, June 2, 2026	6 ⏱ 1h 55m	File path traversal, simple case⏱ 20m File path traversal, traversal sequences blocked with absolute path bypass⏱ 15m File path traversal, traversal sequences stripped non-recursively⏱ 20m File path traversal, traversal sequences stripped with superfluous URL-decode⏱ 20m File path traversal, validation of file extension with null byte bypass⏱ 20m File path traversal, validation of start of path⏱ 20m
Mon, June 1, 2026	1 ⏱ 30m	Exploiting blind XXE to retrieve data via error messages⏱ 30m
Sat, May 30, 2026	2 ⏱ 1h 10m	Blind XXE with out-of-band interaction via XML parameter entities⏱ 30m Exploiting blind XXE to exfiltrate data using a malicious external DTD⏱ 40m
Fri, May 29, 2026	3 ⏱ 2h 40m	Blind XXE with out-of-band interaction⏱ 25m Server-side template injection in an unknown language with a documented exploit⏱ 1h 15m Server-side template injection with information disclosure via user-supplied objects⏱ 1h
Tue, May 26, 2026	4 ⏱ 3h 25m	Basic password reset poisoning⏱ 50m Offline password cracking⏱ 1h Password brute-force via password change⏱ 55m Password reset poisoning via middleware⏱ 40m
Wed, May 20, 2026	2 ⏱ 2h 40m	2FA broken logic⏱ 1h 20m Brute-forcing a stay-logged-in cookie⏱ 1h 20m
Mon, May 18, 2026	5 ⏱ 4h 20m	2FA simple bypass⏱ 20m Broken brute-force protection, IP block⏱ 1h Password reset broken logic⏱ 20m Username enumeration via account lock⏱ 1h 10m Username enumeration via response timing⏱ 1h 30m
Sat, May 16, 2026	4 ⏱ 2h 35m	Multi-step process with no access control on one step⏱ 25m Referer-based access control⏱ 30m Username enumeration via different responses⏱ 40m Username enumeration via subtly different responses⏱ 1h
Fri, May 15, 2026	5 ⏱ 1h 45m	Insecure direct object references⏱ 30m User ID controlled by request parameter with data leakage in redirect⏱ 20m User ID controlled by request parameter with password disclosure⏱ 20m User ID controlled by request parameter, with unpredictable user IDs⏱ 20m User ID controlled by request parameter⏱ 15m
Thu, May 14, 2026	5 ⏱ 2h 15m	Method-based access control can be circumvented⏱ 30m Unprotected admin functionality with unpredictable URL⏱ 20m URL-based access control can be circumvented⏱ 45m User role can be modified in user profile⏱ 25m User role controlled by request parameter⏱ 15m
Wed, May 13, 2026	5 ⏱ 2h 50m	CORS vulnerability with basic origin reflection⏱ 45m CORS vulnerability with trusted null origin⏱ 30m CSRF where Referer validation depends on header being present⏱ 30m CSRF with broken Referer validation⏱ 45m Unprotected admin functionality⏱ 20m
Tue, May 12, 2026	1 ⏱ 2h 50m	SameSite Lax bypass via cookie refresh⏱ 2h 50m
Sat, May 9, 2026	1 ⏱ 5h 30m	SameSite Strict bypass via sibling domain⏱ 5h 30m
Mon, May 4, 2026	1 ⏱ 1h 15m	SameSite Strict bypass via client-side redirect⏱ 1h 15m
Sun, May 3, 2026	1 ⏱ 30m	SameSite Lax bypass via method override⏱ 30m
Sat, May 2, 2026	2 ⏱ 2h 45m	CSRF where token is duplicated in cookie⏱ 30m CSRF where token is tied to non-session cookie⏱ 2h 15m
Fri, May 1, 2026	1	Reflected XSS into HTML context with most tags and attributes blocked
Thu, April 30, 2026	1	Exploiting XSS to bypass CSRF defenses
Wed, April 29, 2026	2	Exploiting cross-site scripting to capture passwords Exploiting cross-site scripting to steal cookies
Tue, April 28, 2026	1	Reflected XSS into a JavaScript template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped Had little time. Tried solving without Burp Collaborator.
Mon, April 27, 2026	5	Reflected XSS into HTML context with all tags blocked except custom onesReflected XSS in canonical link tagReflected XSS into a JavaScript string with single quote and backslash escapedReflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escapedStored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Thu, June 4, 2026

⏱ 1h 40m

Web shell upload via extension blacklist bypass⏱ 1h Web shell upload via obfuscated file extension⏱ 40m

Wed, June 3, 2026

⏱ 1h

Remote code execution via web shell upload⏱ 20m Web shell upload via Content-Type restriction bypass⏱ 20m Web shell upload via path traversal⏱ 20m

Tue, June 2, 2026

⏱ 1h 55m

File path traversal, simple case⏱ 20m File path traversal, traversal sequences blocked with absolute path bypass⏱ 15m File path traversal, traversal sequences stripped non-recursively⏱ 20m File path traversal, traversal sequences stripped with superfluous URL-decode⏱ 20m File path traversal, validation of file extension with null byte bypass⏱ 20m File path traversal, validation of start of path⏱ 20m

Mon, June 1, 2026

⏱ 30m

Exploiting blind XXE to retrieve data via error messages⏱ 30m

Sat, May 30, 2026

⏱ 1h 10m

Blind XXE with out-of-band interaction via XML parameter entities⏱ 30m Exploiting blind XXE to exfiltrate data using a malicious external DTD⏱ 40m

Fri, May 29, 2026

⏱ 2h 40m

Blind XXE with out-of-band interaction⏱ 25m Server-side template injection in an unknown language with a documented exploit⏱ 1h 15m Server-side template injection with information disclosure via user-supplied objects⏱ 1h

Tue, May 26, 2026

⏱ 3h 25m

Basic password reset poisoning⏱ 50m Offline password cracking⏱ 1h Password brute-force via password change⏱ 55m Password reset poisoning via middleware⏱ 40m

Wed, May 20, 2026

⏱ 2h 40m

2FA broken logic⏱ 1h 20m Brute-forcing a stay-logged-in cookie⏱ 1h 20m

Mon, May 18, 2026

⏱ 4h 20m

2FA simple bypass⏱ 20m Broken brute-force protection, IP block⏱ 1h Password reset broken logic⏱ 20m Username enumeration via account lock⏱ 1h 10m Username enumeration via response timing⏱ 1h 30m

Sat, May 16, 2026

⏱ 2h 35m

Multi-step process with no access control on one step⏱ 25m Referer-based access control⏱ 30m Username enumeration via different responses⏱ 40m Username enumeration via subtly different responses⏱ 1h

Fri, May 15, 2026

⏱ 1h 45m

Insecure direct object references⏱ 30m User ID controlled by request parameter with data leakage in redirect⏱ 20m User ID controlled by request parameter with password disclosure⏱ 20m User ID controlled by request parameter, with unpredictable user IDs⏱ 20m User ID controlled by request parameter⏱ 15m

Thu, May 14, 2026

⏱ 2h 15m

Method-based access control can be circumvented⏱ 30m Unprotected admin functionality with unpredictable URL⏱ 20m URL-based access control can be circumvented⏱ 45m User role can be modified in user profile⏱ 25m User role controlled by request parameter⏱ 15m

Wed, May 13, 2026

⏱ 2h 50m

CORS vulnerability with basic origin reflection⏱ 45m CORS vulnerability with trusted null origin⏱ 30m CSRF where Referer validation depends on header being present⏱ 30m CSRF with broken Referer validation⏱ 45m Unprotected admin functionality⏱ 20m

Tue, May 12, 2026

⏱ 2h 50m

SameSite Lax bypass via cookie refresh⏱ 2h 50m

Sat, May 9, 2026

⏱ 5h 30m

SameSite Strict bypass via sibling domain⏱ 5h 30m

Mon, May 4, 2026

⏱ 1h 15m

SameSite Strict bypass via client-side redirect⏱ 1h 15m

Sun, May 3, 2026

⏱ 30m

SameSite Lax bypass via method override⏱ 30m

Sat, May 2, 2026

⏱ 2h 45m

CSRF where token is duplicated in cookie⏱ 30m CSRF where token is tied to non-session cookie⏱ 2h 15m

Fri, May 1, 2026

Reflected XSS into HTML context with most tags and attributes blocked

Thu, April 30, 2026

Exploiting XSS to bypass CSRF defenses

Wed, April 29, 2026

Exploiting cross-site scripting to capture passwords Exploiting cross-site scripting to steal cookies

Tue, April 28, 2026

Reflected XSS into a JavaScript template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

Had little time. Tried solving without Burp Collaborator.

Mon, April 27, 2026

Reflected XSS into HTML context with all tags blocked except custom onesReflected XSS in canonical link tagReflected XSS into a JavaScript string with single quote and backslash escapedReflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escapedStored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped