Identifying vulnerabilities on web applications
Below you can find a variety of free challenges recreated based on real bug bounty findings. Practise what you have learnt from our website and see if you can complete each challenge. Once you think you've found the answer, you can reveal the solution to check if you are right!
If you are struggling with a challenge, hints are available; however, we recommend giving the challenge a try before using the help.
|
|
When you press Begin Challenge you'll be sent to https://www.bugbountytraining.com/challenges/challenge-16.php and will see...
|
|
We recommend using Firefox for your PoC.
If you visit https://www.bugbountytraining.com/challenges/challenge-15.php then you'll see Not authenticated!.
Visit...
|
|
This is just a static page with some basic JavaScript, but what does it do, and is anything vulnerable?
|
|
Developers will often lock down their open redirects to only allow for *.theirdomain.com.
Can you find out how to redirect to any website? Remember, this challenge is designed to only allow for...
|
|
Sometimes developers want to redirect the user after a certain action has been completed but they don't want users to redirect to third party websites.
To combat this developers will sometimes check if the first character is...
|
|
Our basic HTML web application will allow you to easily change the style via class change. View various styles of images and decide which you think is best!
Once you're done playing, can you find any XSS? The developers have made sure no...
|
|
This is a simple web application designed to show you some interesting facts on various animals. I've made sure that the search field does NOT allow for HTML tags, but is it secure?
How many XSS vulnerabilities can you find?
|
|
As the title says, are you able to access our private tool, XSS destroyer? It's currently in BETA mode and we aren't accepting new users but if you have access to it, let us know what you think!
|
|
There's an info leak somewhere on https://www.bugbountytraining.com/* - can you find it? You'll know when you do!
|
|
We've built a super secure login portal to access our diet plan and we'd love your help to make sure we've set it up correctly.
You can log in to ManageMyDiet with the following credentials:
admin:test
We've added...
|
|
We know people love to say they've some bounties so simply input your username & bounty amount and then generate your image!
Can you discover how the application works and if there's anything interesting happening? Perhaps there is XSS...
|
|
We've created a basic web application called "HackerPhotos" to highlight some awesome hacker-tagged photography. It is just in BETA and we'd love for you to give it a try and make sure we've not made any mistakes!
You can login...
|
|
You are faced with a login panel, but what do you do? Close the tab and find something else? Of course not, you try to find what's behind the login page!
Investigate the login page and see if you can find a way to grab the admin's session...
|
|
This one is pretty simple. One parameter is vulnerable, ?url=. Can you get XSS to execute?
|
|
Can you successfully force the admin password to be updated via CSRF? This means you must be on YOUR site and be able to force the data to be updated successfully.
The CSRF token generated is unique to your session so you must be able to...
|