PortSwigger Web Security Academy

Марафон по решению лаб PortSwigger Web Security Academy.

Статистика по дням

всего решено: 63

Дата	Решено	Лабы
чт, 4 июня 2026 г. сегодня	2 ⏱ 1h 40m	Web shell upload via extension blacklist bypass⏱ 1h Web shell upload via obfuscated file extension⏱ 40m
ср, 3 июня 2026 г.	3 ⏱ 1h	Remote code execution via web shell upload⏱ 20m Web shell upload via Content-Type restriction bypass⏱ 20m Web shell upload via path traversal⏱ 20m
вт, 2 июня 2026 г.	6 ⏱ 1h 55m	File path traversal, simple case⏱ 20m File path traversal, traversal sequences blocked with absolute path bypass⏱ 15m File path traversal, traversal sequences stripped non-recursively⏱ 20m File path traversal, traversal sequences stripped with superfluous URL-decode⏱ 20m File path traversal, validation of file extension with null byte bypass⏱ 20m File path traversal, validation of start of path⏱ 20m
пн, 1 июня 2026 г.	1 ⏱ 30m	Exploiting blind XXE to retrieve data via error messages⏱ 30m
сб, 30 мая 2026 г.	2 ⏱ 1h 10m	Blind XXE with out-of-band interaction via XML parameter entities⏱ 30m Exploiting blind XXE to exfiltrate data using a malicious external DTD⏱ 40m
пт, 29 мая 2026 г.	3 ⏱ 2h 40m	Blind XXE with out-of-band interaction⏱ 25m Server-side template injection in an unknown language with a documented exploit⏱ 1h 15m Server-side template injection with information disclosure via user-supplied objects⏱ 1h
вт, 26 мая 2026 г.	4 ⏱ 3h 25m	Basic password reset poisoning⏱ 50m Offline password cracking⏱ 1h Password brute-force via password change⏱ 55m Password reset poisoning via middleware⏱ 40m
ср, 20 мая 2026 г.	2 ⏱ 2h 40m	2FA broken logic⏱ 1h 20m Brute-forcing a stay-logged-in cookie⏱ 1h 20m
пн, 18 мая 2026 г.	5 ⏱ 4h 20m	2FA simple bypass⏱ 20m Broken brute-force protection, IP block⏱ 1h Password reset broken logic⏱ 20m Username enumeration via account lock⏱ 1h 10m Username enumeration via response timing⏱ 1h 30m
сб, 16 мая 2026 г.	4 ⏱ 2h 35m	Multi-step process with no access control on one step⏱ 25m Referer-based access control⏱ 30m Username enumeration via different responses⏱ 40m Username enumeration via subtly different responses⏱ 1h
пт, 15 мая 2026 г.	5 ⏱ 1h 45m	Insecure direct object references⏱ 30m User ID controlled by request parameter with data leakage in redirect⏱ 20m User ID controlled by request parameter with password disclosure⏱ 20m User ID controlled by request parameter, with unpredictable user IDs⏱ 20m User ID controlled by request parameter⏱ 15m
чт, 14 мая 2026 г.	5 ⏱ 2h 15m	Method-based access control can be circumvented⏱ 30m Unprotected admin functionality with unpredictable URL⏱ 20m URL-based access control can be circumvented⏱ 45m User role can be modified in user profile⏱ 25m User role controlled by request parameter⏱ 15m
ср, 13 мая 2026 г.	5 ⏱ 2h 50m	CORS vulnerability with basic origin reflection⏱ 45m CORS vulnerability with trusted null origin⏱ 30m CSRF where Referer validation depends on header being present⏱ 30m CSRF with broken Referer validation⏱ 45m Unprotected admin functionality⏱ 20m
вт, 12 мая 2026 г.	1 ⏱ 2h 50m	SameSite Lax bypass via cookie refresh⏱ 2h 50m
сб, 9 мая 2026 г.	1 ⏱ 5h 30m	SameSite Strict bypass via sibling domain⏱ 5h 30m
пн, 4 мая 2026 г.	1 ⏱ 1h 15m	SameSite Strict bypass via client-side redirect⏱ 1h 15m
вс, 3 мая 2026 г.	1 ⏱ 30m	SameSite Lax bypass via method override⏱ 30m
сб, 2 мая 2026 г.	2 ⏱ 2h 45m	CSRF where token is duplicated in cookie⏱ 30m CSRF where token is tied to non-session cookie⏱ 2h 15m
пт, 1 мая 2026 г.	1	Reflected XSS into HTML context with most tags and attributes blocked
чт, 30 апреля 2026 г.	1	Exploiting XSS to bypass CSRF defenses
ср, 29 апреля 2026 г.	2	Exploiting cross-site scripting to capture passwords Exploiting cross-site scripting to steal cookies
вт, 28 апреля 2026 г.	1	Reflected XSS into a JavaScript template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped Было мало времени. Пытался решить без Burp Collaborator.
пн, 27 апреля 2026 г.	5	Reflected XSS into HTML context with all tags blocked except custom onesReflected XSS in canonical link tagReflected XSS into a JavaScript string with single quote and backslash escapedReflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escapedStored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

чт, 4 июня 2026 г.

сегодня

⏱ 1h 40m

Web shell upload via extension blacklist bypass⏱ 1h Web shell upload via obfuscated file extension⏱ 40m

ср, 3 июня 2026 г.

⏱ 1h

Remote code execution via web shell upload⏱ 20m Web shell upload via Content-Type restriction bypass⏱ 20m Web shell upload via path traversal⏱ 20m

вт, 2 июня 2026 г.

⏱ 1h 55m

File path traversal, simple case⏱ 20m File path traversal, traversal sequences blocked with absolute path bypass⏱ 15m File path traversal, traversal sequences stripped non-recursively⏱ 20m File path traversal, traversal sequences stripped with superfluous URL-decode⏱ 20m File path traversal, validation of file extension with null byte bypass⏱ 20m File path traversal, validation of start of path⏱ 20m

пн, 1 июня 2026 г.

⏱ 30m

Exploiting blind XXE to retrieve data via error messages⏱ 30m

сб, 30 мая 2026 г.

⏱ 1h 10m

Blind XXE with out-of-band interaction via XML parameter entities⏱ 30m Exploiting blind XXE to exfiltrate data using a malicious external DTD⏱ 40m

пт, 29 мая 2026 г.

⏱ 2h 40m

Blind XXE with out-of-band interaction⏱ 25m Server-side template injection in an unknown language with a documented exploit⏱ 1h 15m Server-side template injection with information disclosure via user-supplied objects⏱ 1h

вт, 26 мая 2026 г.

⏱ 3h 25m

Basic password reset poisoning⏱ 50m Offline password cracking⏱ 1h Password brute-force via password change⏱ 55m Password reset poisoning via middleware⏱ 40m

ср, 20 мая 2026 г.

⏱ 2h 40m

2FA broken logic⏱ 1h 20m Brute-forcing a stay-logged-in cookie⏱ 1h 20m

пн, 18 мая 2026 г.

⏱ 4h 20m

2FA simple bypass⏱ 20m Broken brute-force protection, IP block⏱ 1h Password reset broken logic⏱ 20m Username enumeration via account lock⏱ 1h 10m Username enumeration via response timing⏱ 1h 30m

сб, 16 мая 2026 г.

⏱ 2h 35m

Multi-step process with no access control on one step⏱ 25m Referer-based access control⏱ 30m Username enumeration via different responses⏱ 40m Username enumeration via subtly different responses⏱ 1h

пт, 15 мая 2026 г.

⏱ 1h 45m

Insecure direct object references⏱ 30m User ID controlled by request parameter with data leakage in redirect⏱ 20m User ID controlled by request parameter with password disclosure⏱ 20m User ID controlled by request parameter, with unpredictable user IDs⏱ 20m User ID controlled by request parameter⏱ 15m

чт, 14 мая 2026 г.

⏱ 2h 15m

Method-based access control can be circumvented⏱ 30m Unprotected admin functionality with unpredictable URL⏱ 20m URL-based access control can be circumvented⏱ 45m User role can be modified in user profile⏱ 25m User role controlled by request parameter⏱ 15m

ср, 13 мая 2026 г.

⏱ 2h 50m

CORS vulnerability with basic origin reflection⏱ 45m CORS vulnerability with trusted null origin⏱ 30m CSRF where Referer validation depends on header being present⏱ 30m CSRF with broken Referer validation⏱ 45m Unprotected admin functionality⏱ 20m

вт, 12 мая 2026 г.

⏱ 2h 50m

SameSite Lax bypass via cookie refresh⏱ 2h 50m

сб, 9 мая 2026 г.

⏱ 5h 30m

SameSite Strict bypass via sibling domain⏱ 5h 30m

пн, 4 мая 2026 г.

⏱ 1h 15m

SameSite Strict bypass via client-side redirect⏱ 1h 15m

вс, 3 мая 2026 г.

⏱ 30m

SameSite Lax bypass via method override⏱ 30m

сб, 2 мая 2026 г.

⏱ 2h 45m

CSRF where token is duplicated in cookie⏱ 30m CSRF where token is tied to non-session cookie⏱ 2h 15m

пт, 1 мая 2026 г.

Reflected XSS into HTML context with most tags and attributes blocked

чт, 30 апреля 2026 г.

Exploiting XSS to bypass CSRF defenses

ср, 29 апреля 2026 г.

Exploiting cross-site scripting to capture passwords Exploiting cross-site scripting to steal cookies

вт, 28 апреля 2026 г.

Reflected XSS into a JavaScript template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

Было мало времени. Пытался решить без Burp Collaborator.

пн, 27 апреля 2026 г.

Reflected XSS into HTML context with all tags blocked except custom onesReflected XSS in canonical link tagReflected XSS into a JavaScript string with single quote and backslash escapedReflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escapedStored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped