
Interactive labs

Reading about a bug is not the same as landing it. Exploit each one yourself, watch it work, then read the fix. Everything runs in your browser.

All simulated in your browser. No real backend and no real vulnerability is shipped. Each lab is a teaching model of the bug and its fix. Exploit it, then read the patch.
LAB 1 · Prompt injection — leak the secret coupon · CWE-1427

The bot was told to never reveal the staff coupon. Its code pastes your message straight into its instructions. Craft a message that makes it leak the coupon.

LAB 2 · IDOR — read another tenant's invoice · CWE-639

You are logged in as user 1001, invoice #1001. The endpoint returns any invoice by id with no ownership check. Read an invoice that isn't yours.

LAB 3 · JWT alg=none — forge an admin token · CWE-347

This verifier trusts the token header's alg. Edit the token so it verifies you as role=admin without knowing the secret. Hint: set the header alg to "none".

Header {"alg":"none","typ":"JWT"} = eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0 · Payload {"user":"you","role":"admin"} = eyJ1c2VyIjoieW91Iiwicm9sZSI6ImFkbWluIn0

Want the theory behind each? See the case studies, or scan a real site on Benteng.