Labs
Browse public labs, filter by language and difficulty, and sort by recency.
Analytics Logs (Path Traversal)
A logs endpoint reads files by name from a logs directory without path sanitization, allowing traversal.
easy•180 pts•30 Aug 2025
Auth Service (PHP) - SQL Injection & Weak Hash
A PHP auth endpoint concatenates user input into SQL and uses md5 for passwords.
medium•220 pts•30 Aug 2025
Inventory Lookup (SQL Injection)
A Spring inventory service constructs a SQL query with string concatenation, allowing SQL injection.
hard•300 pts•30 Aug 2025
Orders Receipt Renderer (SSRF)
A receipt rendering endpoint fetches a user-provided URL, enabling server-side request forgery.
medium•240 pts•30 Aug 2025
Payments User Search (NoSQL Injection)
A payments microservice exposes a user search endpoint that trusts a JSON filter from the query string, enabling NoSQL injection.
medium•220 pts•30 Aug 2025