Practice Environment
A hands-on practice ground for QA engineers. Each scenario contains intentionally planted bugs, vulnerabilities, and edge cases. No accounts. No scores. No hints beyond the scenario page. Your job is to find what's broken.
Login form vulnerable to classic SQLi bypass. Find the input that breaks authentication.
A bio field that sanitizes one XSS vector but not another. Find the one that executes.
Two forms — one protected, one not. Craft a forged request and find the unprotected one.
A div-based dropdown with 4 planted bugs — JS errors, outside-click, form value, and keyboard nav.
A Terms & Conditions modal with broken close button and focus trap issues.
Extension-only validation that misses MIME type, empty files, and script-injected filenames.
Six endpoints — some return mismatched status codes vs body content. Find the 200 that means failure.
Submit the same form twice — one endpoint creates duplicates, one uses a token to deduplicate.
Click publish twice rapidly — the buggy endpoint has no lock and produces duplicate records.
Error responses that leak stack traces, file paths, DB strings, and secret key prefixes.
A save endpoint that silently drops the status field — only part of the record is updated.
Failed logins and access violations that produce no log entries — invisible to monitoring.
A login endpoint with no rate limit — hammer it 50+ times without ever getting blocked.
A logout that skips session.flush() — the session data persists after logout.
Update a profile name — one endpoint skips cache busting, leaving the cached view stale.
A list endpoint with no pagination — returns all 500 records in one ~50KB response.