What are vulnerable practice labs?

Practice labs are intentionally vulnerable web applications that run entirely in your browser. They let you safely test security payloads like XSS, SQL injection, and command injection without any server-side setup.

Are these labs safe to use?

Yes. XSS labs run inside sandboxed iframes with no access to the parent page. SQL injection and command injection labs simulate backend behavior entirely client-side. No real servers or databases are involved.

Do I need to install anything?

No. All labs run directly in your browser. No Docker, no VMs, no downloads. Just open the page and start practicing.

Vulnerable by Design — Practice Labs

Five browser-based vulnerable labs to practice your offensive security skills. Test XSS, SQL injection, command injection, and SSTI payloads in safe sandboxed environments. No setup required.

X LinkedIn Reddit

Progress: 0/5 labs solved

Reflected XSS

Easy

A search form reflects user input into the page without sanitization. Inject a payload that executes JavaScript.

Objective: Make an alert(), prompt(), or confirm() dialog appear in the sandbox.

This lab runs entirely in your browser. XSS payloads execute inside a sandboxed iframe with no access to the parent page. No real servers, databases, or systems are affected. Practice responsibly and only test against systems you own or have authorization to test.

$loading...