A hands-on knowledge base of web vulnerabilities - clear writeups, vulnerable & fixed code in 8 languages, attack-path diagrams, and a runnable, intentionally vulnerable lab for each one.
Who it's for: AppSec engineers, pentesters, developers, and anyone preparing for HTB, OffSec OSWA / OSWE.
Each entry is a type of vulnerability (e.g. SQL Injection, XSS), not a specific CVE. The goal is to understand the nature of the flaw, see it in code, break it in a lab, and learn to fix it.
| # | Vulnerability | OWASP Top 10 | Lab | Status |
|---|---|---|---|---|
| 01 | Reflected XSS (Server-Side) | A05:2025 – Injection | Run | Ready |
| 02 | Stored XSS (Server-Side) | A05:2025 – Injection | Run | Ready |
| 03 | Reflected XSS (Client-Side) | A05:2025 – Injection | Run | Ready |
| 04 | Stored XSS (Client-Side) | A05:2025 – Injection | Run | Ready |
| 05 | Cross-Site Request Forgery (CSRF) | A01:2025 – Broken Access Control | Run | Ready |
Defenses that mitigate the vulnerabilities above. Each has its own writeup and a runnable lab that demonstrates the mechanism (what it stops, and what it does not).
| # | Protection | Protects against | Lab | Status |
|---|---|---|---|---|
| 01 | HttpOnly cookie flag | Cookie theft via XSS (document.cookie) | Run | Ready |
| 02 | Same-Origin Policy | Cross-origin data theft (read isolation); CORS misconfiguration | Run | Ready |
| 03 | SameSite cookie attribute | Cross-Site Request Forgery (CSRF); cross-site cookie attachment | Run | Ready |
| 04 | Cross-Origin Resource Sharing (CORS) | Insecure cross-origin sharing; cross-origin data theft | Run | Ready |
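The cookie-side defenses in the table (HttpOnly, Secure, SameSite) are set per cookie, so a quick way to check what a lab or a real application actually sends is to audit its `Set-Cookie` headers. The script below is an added example, not code from the WildWebApps repository; it parses a header, reports which of the three attributes are missing or weak, and spells out what each gap means, including the caveat the defense labs make (HttpOnly blocks `document.cookie` reads but does not stop XSS itself). The sample headers are constructed for illustration.

```python
# Added example (not from the WildWebApps repository): audit Set-Cookie headers
# for the HttpOnly / Secure / SameSite defenses. Sample headers are constructed.

from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


# Finding code -> what the missing or weak attribute means in practice.
EXPLANATIONS = {
    "no-httponly": "script on the page can read the cookie via document.cookie; "
                   "HttpOnly does not stop XSS itself, only this exfiltration path",
    "no-secure": "the cookie is also sent over plaintext HTTP",
    "no-samesite": "no explicit SameSite; the browser default decides whether "
                   "cross-site requests carry the cookie",
    "samesite-none": "cookie is attached to cross-site requests, so CSRF defense "
                     "must come from something else (e.g. anti-CSRF tokens)",
    "samesite-none-insecure": "SameSite=None without Secure; Chromium-based "
                              "browsers reject such cookies",
}


def audit_set_cookie(header: str) -> List[str]:
    """Return finding codes for one header; an empty list means all three are set."""
    _, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("no-httponly")
    if "secure" not in attrs:
        findings.append("no-secure")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("no-samesite")
    elif samesite == "none":
        findings.append("samesite-none")
        if "secure" not in attrs:
            findings.append("samesite-none-insecure")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: a weak session cookie, a hardened one,
    # and a cross-site cookie that forgot the Secure flag.
    SAMPLES = [
        "session=4f3c2a; Path=/",
        "session=4f3c2a; Path=/; HttpOnly; Secure; SameSite=Lax",
        "tracker=xyz; Path=/; SameSite=None",
    ]
    for h in SAMPLES:
        print(h)
        for code in audit_set_cookie(h) or ["ok"]:
            print("  -", code, ":", EXPLANATIONS.get(code, "HttpOnly, Secure and SameSite all set"))
```

Point it at the headers a lab returns (for example by copying them from the browser's network panel) to see which of the defenses above that lab actually exercises.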
Every vulnerability lives in its own folder:

```
02-stored-xss/
├─ readme.md        # the writeup (English; translations later in i18n/)
├─ diagram.drawio   # attack-path diagram (+ exported diagram.svg)
└─ lab/             # the runnable, intentionally vulnerable app
```
A writeup contains: summary → OWASP Top 10 alignment → how it works → attack-path diagram → vulnerable code (8 languages) → fixed code (8 languages) → detection signatures → remediation checklist → references → lab instructions.
WildWebApps has sequence diagrams — a more intuitive way to understand how complex web vulnerabilities work.
Each lab is a self-contained Docker image that runs fully offline after build and is reachable only from 127.0.0.1.

```bash
git clone https://github.com/ErSilh0x/WildWebApps.git
cd 01-reflected-xss/lab
docker compose up --build   # build once (needs network), then runs offline
# open http://127.0.0.1:8000
```

Every lab generates a fresh random hash flag on each start. Exploit the vulnerability to recover the flag, then paste it into the answer box to confirm the solve. Restarting the container rotates the flag.
Each lab contains a simple web application with several forms for demonstrating and practising the vulnerability.
These labs are intentionally vulnerable and exist for education and authorized testing only. Do not deploy them on a public or shared network. Use the techniques shown here only against systems you own or have explicit written permission to test. The authors accept no liability for misuse.