▲ PROVOCATIVO/SECURITY · LABS

Security Labs

An offensive playground. Break things on purpose, in a sandbox, so you don't break them by accident in production.

15 labs · category: All
A01:2021 · WEB · BEGINNER
Broken Access Control: Server fails to verify permissions — users access data and actions they shouldn't.

A02:2021 · WEB · INTERMEDIATE
Cryptographic Failures: Weak crypto, plaintext storage, or exposed key material leaks sensitive data.

A03:2021 · WEB · BEGINNER
Injection (SQL · NoSQL · Command): Untrusted input is concatenated into a query — attackers rewrite the query.

A07:2021 · WEB · INTERMEDIATE
Identification & Auth Failures: Weak credentials, missing MFA, or broken session handling let attackers walk in.

A10:2021 · WEB · ADVANCED
Server-Side Request Forgery: Attackers make the server fetch internal resources it should never touch.

SC01 · CONTRACT · BEGINNER
Access Control Vulnerabilities: Privileged contract functions exposed without onlyOwner / role checks.

SC02 · CONTRACT · INTERMEDIATE
Business Logic Vulnerabilities: Edge cases in DeFi math, fees, or vesting that violate intended invariants.

SC03 · CONTRACT · ADVANCED
Price Oracle Manipulation: Spot price reads from a single AMM are pumped to fool collateral checks.

SC04 · CONTRACT · ADVANCED
Flash Loan Attacks: Atomic, capital-free borrows weaponize tiny edge cases at massive scale.

SC05 · CONTRACT · BEGINNER
Lack of Input Validation: Public methods accept arbitrary addresses, amounts, and calldata without checks.

SC06 · CONTRACT · INTERMEDIATE
Unchecked External Calls: Ignoring .call() return values silently drops failures and corrupts state.

SC07 · CONTRACT · INTERMEDIATE
Arithmetic Errors: Off-by-one, rounding, and unit confusion bleed value from the protocol.

SC08 · CONTRACT · ADVANCED
Reentrancy Attacks: External call before state update — attacker re-enters and drains the vault.

SC09 · CONTRACT · BEGINNER
Integer Overflow & Underflow: Pre-0.8 Solidity rolls past type bounds — balances become astronomical.

SC10 · CONTRACT · ADVANCED
Proxy & Upgradeability: Storage-slot collisions in proxies turn an upgrade into a takeover.
Ticker headlines:
- CVE-2024-38063 · Windows TCP/IP RCE · CRITICAL
- NPM supply-chain · 14 packages typosquatting react-router
- EU mandates HSTS preload for .eu domains by Q3
- Reentrancy variant spotted on Base · ~$1.2M drained
- Phishing kit "Tycoon 2FA" v3 in the wild
- Mass scans for /.git/config from 91.x.x.x range
- New ATT&CK technique T1659 · Content Injection