This repo contains the code for my Secure Code Review challenges. The idea is to look at basic web vulnerabilities in a language-agnostic way.
If you like these challenges, you may want to check out my LeoTrace Community. Sign-up is free and it allows you to collaborate with like-minded people, ask me any questions you may have, and much more!
🐍 Python
☕️ Java
🐹 Go
🟨 JS (Node.js)
🐘 PHP
⚙️ C / C++
🐚 Bash
🔴🎬 = YouTube walkthrough available (you can find the link in the ./solution.md in the challenge folder).
- Open Redirect π -> 🔴🎬
- Server-side Request Forgery 🟨 -> 🔴🎬
- Weak Password Hashing ☕️
- Hardcoded Credentials π
- XML External Entity Attack ☕️ -> 🔴🎬
- Cross-site Scripting 🐹
- Host Header Injection 🟨 -> 🔴🎬
- Nginx Off-By-Slash
- Broken Access Control (IDOR) π -> 🔴🎬
- Broken Access Control (JWT missing verification) 🟨
- Path Normalization Bypass π -> 🔴🎬
- Unquoted Bash Variables ππ
- SQL Injection ☕️
- Race Condition 🟨 -> 🔴🎬
- HTTP Response Splitting π
- RCE via File Upload ☕️ -> 🔴🎬
- OS Command Injection 🐹
- Insecure Deserialization π
- Server-side Template Injection 🐹
- CORS Misconfiguration (Reflected Origin header) 🟨
- Eval Injection 🟨
- Unsafe Reflection ☕️
- XSLT Injection π
- NoSQL Injection 🐹
- Prototype Pollution 🟨
- Integer Overflow ⚙️
- Web Cache Deception 🟨
- ...
- ...
- ...