A hands-on knowledge base of web vulnerabilities - clear writeups, vulnerable & fixed code in 8 languages, attack-path diagrams, and a runnable, intentionally vulnerable lab for each one.
Who it's for: AppSec engineers, pentesters, developers, and anyone preparing for HTB, OffSec OSWA / OSWE.
Each entry is a type of vulnerability (e.g. SQL Injection, XSS), not a specific CVE. The goal is to understand the nature of the flaw, see it in code, break it in a lab, and learn to fix it.
| # | Vulnerability | OWASP Top 10 | Lab | Status |
|---|---|---|---|---|
| 01 | Reflected XSS (Server-Side) | A05:2025 – Injection | Run | Ready |
| 02 | Stored XSS (Server-Side) | A05:2025 – Injection | Run | Ready |
| 03 | Reflected XSS (Client-Side) | A05:2025 – Injection | Run | Ready |
| 04 | Stored XSS (Client-Side) | A05:2025 – Injection | Run | Ready |
Every vulnerability lives in its own folder:
```text
02-stored-xss/
├─ readme.md       # the writeup (English; translations later in i18n/)
├─ diagram.drawio  # attack-path diagram (+ exported diagram.svg)
└─ lab/            # the runnable, intentionally vulnerable app
```
A writeup contains: summary → OWASP Top 10 alignment → how it works → attack-path diagram → vulnerable code (8 languages) → fixed code (8 languages) → detection signatures → remediation checklist → references → lab instructions.
Each lab is a self-contained Docker image that runs fully offline after build and is reachable only from 127.0.0.1.

```sh
cd 01-reflected-xss/lab
docker compose up --build   # build once (needs network), then runs offline
# open http://127.0.0.1:8000
```

Every lab generates a fresh random hash flag on each start. Exploit the vulnerability to recover the flag, then paste it into the answer box to confirm the solve. Restarting the container rotates the flag.
Each lab contains a simple web application with several forms for demonstrating and practising the vulnerability.
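To make the "vulnerable code / fixed code" pairing and the per-start flag concrete, here is a small stand-alone Python illustration written for this README. It is an added example, not code from any lab in this repository: the greeting endpoint, the `render_vulnerable` / `render_fixed` functions, the `flag{...}` format, the `/check` answer endpoint and the port are all assumptions chosen for the demonstration. The vulnerable renderer reflects a query parameter straight into HTML; the fixed one applies HTML-entity encoding for the body context, and the answer check uses a constant-time comparison against a flag generated fresh on each process start.

```python
"""Minimal reflected-XSS lab stand-in: vulnerable vs fixed renderer plus a flag check.

Added example for the README; not the repository's own lab code.
"""
import hmac
import html
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed: a fresh random flag on every process start, mirroring the
# "restarting rotates the flag" behaviour. The real labs' flag format is assumed.
FLAG = "flag{" + secrets.token_hex(16) + "}"


def render_vulnerable(name: str) -> str:
    """Reflected XSS: the untrusted value is concatenated into HTML unencoded."""
    return f"<h1>Hello, {name}</h1>"


def render_fixed(name: str) -> str:
    """Fixed: HTML-entity encode for the HTML body context before reflecting."""
    return f"<h1>Hello, {html.escape(name, quote=True)}</h1>"


def page_for(path: str, fixed: bool) -> str:
    """Build the greeting page for a request path such as /?name=... ."""
    params = parse_qs(urlparse(path).query)
    name = params.get("name", ["guest"])[0]
    return (render_fixed if fixed else render_vulnerable)(name)


def check_answer(submitted: str) -> bool:
    """Confirm a solve with a constant-time comparison against the live flag."""
    return hmac.compare_digest(submitted.strip().encode("utf-8"), FLAG.encode("utf-8"))


class LabHandler(BaseHTTPRequestHandler):
    fixed = False  # flip to True to serve the hardened renderer instead

    def do_GET(self) -> None:
        parsed = urlparse(self.path)
        if parsed.path == "/check":
            # Hypothetical "answer box": /check?flag=flag{...}
            ok = check_answer(parse_qs(parsed.query).get("flag", [""])[0])
            body = b"correct" if ok else b"incorrect"
            ctype = "text/plain; charset=utf-8"
        else:
            body = page_for(self.path, self.fixed).encode("utf-8")
            ctype = "text/html; charset=utf-8"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("X-Content-Type-Options", "nosniff")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback only, as the README says the labs are.
    HTTPServer(("127.0.0.1", 8000), LabHandler).serve_forever()
```

With `fixed = False`, a request such as `/?name=<b>x</b>` comes back with the tag intact in the page; with `fixed = True` the same input is returned as `&lt;b&gt;x&lt;/b&gt;` and renders as literal text. Encoding is the fix for this specific output context; a value reflected into an attribute, a script block or a URL needs the encoding appropriate to that context instead.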
These labs are intentionally vulnerable and exist for education and authorized testing only. Do not deploy them on a public or shared network. Use the techniques shown here only against systems you own or have explicit written permission to test. The authors accept no liability for misuse.


