A practice ground for web application hacking — every vulnerability class mapped to a free, legal lab you can break right now, plus the methodology and tooling to take it to real, in-scope targets.
You already know this, but it's the part that's worth re-reading before every session. As a bug hunter, the program's scope document is the only thing standing between research and a crime. The labs linked below exist precisely so you can attack without that risk.
A repeatable workflow beats raw payload-spraying every time. The hunters who find the most bugs are the ones who understand the application better than anyone — then test it methodically.
Read the policy, then enumerate the full attack surface: subdomains, historical URLs, JS files, parameters, and the tech stack. Most bugs live on the asset nobody else looked at.
Proxy everything through Burp or Caido. Catalog every endpoint, parameter, role, and state transition. Understand auth, sessions, and how data flows before testing a single payload.
Walk the vulnerability catalog below against each feature. Prioritize where impact is highest — auth, access control, and anything handling money, files, or other users' data.
Confirm the finding with a clean, reproducible proof of concept. Demonstrate real impact without overreaching — one stolen record, not the whole database.
A great report is half the work. Clear title, accurate severity, exact reproduction steps, and a remediation suggestion. Triagers reward clarity.
The web hacker's bread and butter. Each card is a class to master, with where to look and a free lab to go practice it on a target you're allowed to break — most link straight to PortSwigger's Web Security Academy. Mark each one as you clear it; progress saves in this browser.
The everyday encoder/decoder utilities, right here so you don't break flow. Everything runs locally in your browser — nothing is sent anywhere. Read-only by design: it transforms and inspects text; it doesn't attack anything.
The bug is only worth what you can communicate. Triagers read dozens of reports a day — make yours the easy one to validate and pay.
Score impact honestly with CVSS — inflating severity costs you credibility with triage. A few things that consistently raise report quality:
The tools, targets, and reading that web hunters actually use. Start with the free practice grounds — they'll teach you more than any paid course.