portswigger 25

• Lab 09: Brute-forcing a stay-logged-in cookie Dec 20, 2025
• Lab 08: 2FA broken logic Dec 20, 2025
• Lab 07: 2FA simple bypass Dec 20, 2025
• Lab 06: Broken brute-force protection, multiple credentials per request Dec 19, 2025
• Lab 05: Username enumeration via account lock Dec 19, 2025
• Lab 04 : Broken brute-force protection, IP block Dec 19, 2025
• Lab 03: Username enumeration via response timing Dec 19, 2025
• Lab 02: Username enumeration via subtly different responses Dec 19, 2025
• Lab 01 : Username enumeration via different responses Dec 19, 2025
• Lab 03: Cross-site WebSocket hijacking Dec 18, 2025
• Lab 02: Manipulating the WebSocket handshake to exploit vulnerabilities Dec 18, 2025
• Lab 01: Manipulating WebSocket messages to exploit vulnerabilities Dec 18, 2025
• Lab 13: Referer-based access control Dec 17, 2025
• Lab 12: Multi-step process with no access control on one step Dec 17, 2025
• Lab 11 : Insecure direct object references Dec 17, 2025
• Lab 10: User ID controlled by request parameter with password disclosure Dec 17, 2025
• Lab 09: User ID controlled by request parameter with data leakage in redirect Dec 17, 2025
• Lab 08: User ID controlled by request parameter, with unpredictable user IDs Dec 17, 2025
• Lab 07: User ID controlled by request parameter Dec 17, 2025
• Lab 06: Method-based access control can be circumvented Dec 16, 2025
• Lab 05: URL-based access control can be circumvented Dec 16, 2025
• Lab 04: User role can be modified in user profile Dec 16, 2025
• Lab 03: User role controlled by request parameter Dec 16, 2025
• Lab 02: Unprotected admin functionality with unpredictable URL Dec 15, 2025
• Lab 01: Unprotected Admin Functionality Dec 15, 2025