hands-on security // isolated target range

Break it. Then break the fix.

Two editions of one application, deployed side by side as live targets. One is left deliberately broken so its flaws sit exposed; the other is rebuilt with real defenses, so every attack you just landed quietly dies. Your own private environment spins up in seconds — no setup, no shared state.

10+ vuln types · 2 target editions · 3h session life · 100% isolated
Vulnerable Offense

The Broken Edition

An intentionally insecure blog carrying the real OWASP Top 10. Find the flaws, exploit them, watch the impact land first-hand.

  • SQL Injection — authentication bypass and data extraction
  • Stored XSS — persistent script injection via posts
  • IDOR — reach any user's private data by its identifier
  • Insecure file upload — execute arbitrary files
  • Broken session management and absent CSRF defenses
  • Live CVSS scoring dashboard tracking each exploit

Secure Defense

The Hardened Edition

The identical application rebuilt with industry-standard defenses — see exactly why each attack from the broken edition fails here.

  • Parameterized queries — injection blocked at the driver
  • DOMPurify and a strict CSP — XSS has no path to run
  • Ownership checks on every resource — IDOR made impossible
  • MIME enforcement — only genuinely safe files accepted
  • Helmet, CSRF tokens and rate limiting throughout
  • bcrypt hashing and session regeneration on login

Full isolation guaranteed. Each session runs in its own dedicated container with a private database — nothing you do can reach another user. Targets retire themselves after three hours, and you may keep one broken and one hardened edition running at the same time.