Web Exploitation
Web attack fundamentals, isolated into single-technique drills you can run until they're automatic.
Web vulnerabilities reward fluency: knowing the exact shape of a SQL injection, the right SSRF payload, or where a command-injection sink hides — and finding it under time pressure. That fluency comes from reps, not from reading a single example.
PwnKata turns each web class into a focused drill against a live target you actually exploit. The injection point, filter, or sink moves between reps, so you learn to probe and adapt rather than paste one known string. Capture the flag, reset, and go again until the workflow is second nature.
SQL Injection: Auth Bypass (easy)
Drill authentication-bypass SQL injection by matching the payload to the query context.

OS Command Injection (medium)
Find where user input reaches a shell, then pick a payload form that survives the filter and response style.

SSRF via URL Parameter (medium)
Make the server fetch what it shouldn't. Internal targets are simulated safely inside the drill.

Web Content Discovery (easy)
Web Content Discovery distilled into repeatable single-technique reps on isolated targets.

Directory Traversal (easy)
A file parameter that doesn't constrain the path lets you walk the filesystem. Drill traversing out and reading files you were never meant to see.

Local File Inclusion (medium)
A page that includes a file by user-controlled name is a window into the whole host. Drill turning that read into proof, and toward code execution.

File Upload to Web Shell (medium)
An upload that doesn't validate file type or content is remote code execution waiting to happen. Drill bypassing the filter and landing a web shell.

Server-Side Template Injection (medium)
A template that renders user input is a path to code execution. Drill detecting the engine and turning a math expression into a shell.

SQL Injection UNION Extraction (medium)
When an injectable query reflects its results, UNION SELECT turns it into a read over the whole database. Drill the column-count-to-extraction workflow.

Blind SQL Injection (medium)
Blind SQL Injection distilled into repeatable single-technique reps on isolated targets.

SQL Injection Request Tuning (medium)
SQL Injection Request Tuning distilled into repeatable single-technique reps on isolated targets.

Reflected XSS (easy)
User input echoed into the page without escaping runs as code in the browser. Drill finding the unescaped reflection and firing a payload.

Stored XSS with Simulated Visitor (medium)
Stored XSS with Simulated Visitor distilled into repeatable single-technique reps on isolated targets.

JWT and Session Weaknesses (medium)
JWT and Session Weaknesses distilled into repeatable single-technique reps on isolated targets.

Insecure Direct Object Reference (easy)
When the server trusts an ID in your request, changing it reaches data that isn't yours. Drill finding and proving that broken access control.

XML External Entity Injection (medium)
An XML parser that resolves external entities will read local files for you. Drill defining the entity and pulling the data back.

Web Proxy Request Tampering (easy)
Web Proxy Request Tampering distilled into repeatable single-technique reps on isolated targets.

Scanner Output Triage (easy)
Scanner Output Triage distilled into repeatable single-technique reps on isolated targets.

Passive Recon Simulation (easy)
Passive Recon Simulation distilled into repeatable single-technique reps on isolated targets.

SSRF via Import URL (medium)
SSRF via Import URL distilled into repeatable single-technique reps on isolated targets.

Upload-Driven SSRF (medium)
Upload-Driven SSRF distilled into repeatable single-technique reps on isolated targets.

Webhook Callback SSRF (medium)
Webhook Callback SSRF distilled into repeatable single-technique reps on isolated targets.

Host Header SSRF (medium)
Host Header SSRF distilled into repeatable single-technique reps on isolated targets.

WebDAV Upload Execution (medium)
WebDAV Upload Execution distilled into repeatable single-technique reps on isolated targets.

Start drilling web exploitation
Free to start — live isolated targets, a fresh variant every rep.
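Worked example for the SQL Injection: Auth Bypass and SQL Injection UNION Extraction drills above, added by the editor. It is not PwnKata's code and says nothing about how its targets are built: it is an in-memory sqlite3 app with string-built queries, a constructed users/secrets schema and a constructed flag value, used to show why the bypass payload has to match the query's quoting context and how the ORDER BY column count feeds the UNION SELECT extraction.

```python
"""Added example, not PwnKata's code: an in-memory sqlite3 app with string-built
queries, showing (1) why an auth-bypass payload has to match the query's quoting
context and (2) the ORDER BY column count -> UNION SELECT extraction workflow.
Table layout, users and the flag value are constructed for this example."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data; 'secrets' stands in for the rest of the database
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'correct horse battery staple');
        INSERT INTO users VALUES (2, 'guest', 'guest');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO secrets VALUES (1, 'FLAG{example-only}');
    """)
    return conn


# Vulnerable sinks: user input concatenated straight into SQL

def login_quoted(conn, username, password):
    # String context: both values sit inside single quotes
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def user_by_id(conn, user_id):
    # Numeric context: no quotes around the value
    sql = f"SELECT username FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchone()


def search_users(conn, q):
    # Reflects result rows to the caller: the precondition for UNION extraction
    sql = f"SELECT id, username FROM users WHERE username LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    # Parameter binding: the driver sends values separately from the query text
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Attacker-side workflow against the reflected sink

def count_columns(probe, max_cols=10):
    # ORDER BY n works while n <= column count and errors once it exceeds it
    for n in range(1, max_cols + 1):
        try:
            probe(f"' ORDER BY {n}-- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_extract(probe, n_cols, table, column):
    # Pad with NULLs so the column counts match; the target column goes last
    select_list = ", ".join(["NULL"] * (n_cols - 1) + [column])
    rows = probe(f"' UNION SELECT {select_list} FROM {table}-- ")
    return [row[-1] for row in rows if row[0] is None]  # only the UNIONed rows


def demo():
    conn = build_db()
    out = {}
    # Quote-closing payload: works on the quoted sink, not on the bound one
    out["bypass"] = login_quoted(conn, "admin'-- ", "anything")
    out["fixed"] = login_fixed(conn, "admin'-- ", "anything")
    # The same payload in numeric context is a syntax error; a bare boolean is not
    try:
        user_by_id(conn, "1'-- ")
        out["quote_in_numeric"] = "ran"
    except sqlite3.OperationalError:
        out["quote_in_numeric"] = "syntax error"
    out["numeric_bypass"] = user_by_id(conn, "0 OR 1=1")
    # Column count first, then pull another table through the reflected query
    probe = lambda q: search_users(conn, q)
    out["cols"] = count_columns(probe)
    out["flags"] = union_extract(probe, out["cols"], "secrets", "flag")
    return out
```

The comment syntax, NULL padding and ORDER BY error behaviour shown here are sqlite's; on another engine the same workflow applies but the comment token, the error text and the need for type-compatible padding differ, which is the part the drill moves between reps.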
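Worked example for the OS Command Injection drill above, added by the editor and not PwnKata's code. The banner command, the separator blocklist and the payloads are constructed for this example; it needs a POSIX /bin/sh and shows a payload form that survives a blocklist of the obvious separators, next to the argv-list fix.

```python
"""Added example, not PwnKata's code: a banner endpoint with a shell sink, a
separator blocklist of the kind a drill variant adds, two payload forms that
survive it, and the argv-list fix. The command, filter and payloads are
constructed for this example; it needs a POSIX /bin/sh."""
import shlex
import subprocess

BLOCKED = (";", "&", "|", "`")


def banner_vulnerable(name: str) -> str:
    # shell=True hands the whole string to /bin/sh, so name is shell syntax
    return subprocess.run(f"echo Welcome, {name}", shell=True,
                          capture_output=True, text=True).stdout


def banner_filtered(name: str) -> str:
    # Blocklist "fix": rejects the obvious separators and nothing else
    if any(c in name for c in BLOCKED):
        raise ValueError("rejected")
    return banner_vulnerable(name)


def banner_fixed(name: str) -> str:
    # argv list, no shell: the value reaches echo as one literal argument
    return subprocess.run(["echo", "Welcome,", name],
                          capture_output=True, text=True).stdout


def banner_quoted(name: str) -> str:
    # When a shell is unavoidable, shlex.quote turns the value into one word
    return subprocess.run(f"echo Welcome, {shlex.quote(name)}", shell=True,
                          capture_output=True, text=True).stdout


def demo():
    semicolon = "guest; echo INJECTED"   # caught by the blocklist
    newline = "guest\necho INJECTED"     # a newline separates commands too
    subst = "guest $(echo INJECTED)"     # command substitution, no blocked char
    out = {"vuln": banner_vulnerable(semicolon)}
    try:
        banner_filtered(semicolon)
        out["filter_catches_semicolon"] = False
    except ValueError:
        out["filter_catches_semicolon"] = True
    out["filter_newline"] = banner_filtered(newline)
    out["filter_subst"] = banner_filtered(subst)
    out["fixed"] = banner_fixed(newline)
    out["quoted"] = banner_quoted(newline)
    return out
```

The response style decides which of these you can even see: with a reflected sink the injected `echo` output proves execution, while a blind sink needs a side channel such as a `sleep` delay or an outbound request instead.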
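Worked example for the SSRF via URL Parameter drill above, added by the editor and not PwnKata's code. It puts the string-level hostname blocklist that such a drill expects you to get past next to the check a fetch-by-URL endpoint actually needs: resolve first, vet every address, connect to the vetted address. The hostnames and the fake resolver results are constructed; the internal ranges are the standard ones that Python's ipaddress module classifies.

```python
"""Added example, not PwnKata's code: the check a fetch-by-URL endpoint needs
before it connects, next to the string-level blocklist an SSRF drill expects
you to get past. Hostnames and fake resolver results are constructed; the
internal ranges are the standard ones classified by ipaddress."""
import ipaddress
import socket
from urllib.parse import urlsplit


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def naive_check(url: str) -> bool:
    # Matches the hostname string only: 127.1, 2130706433, an attacker-controlled
    # DNS name or a redirect target all walk straight past it
    host = urlsplit(url).hostname or ""
    return host not in {"localhost", "127.0.0.1", "169.254.169.254"}


def vetted_target(url: str, resolver=socket.getaddrinfo):
    """Resolve the host, vet every returned address and hand back one vetted
    IP; the caller connects to that IP (sending the original Host header) so
    a second lookup cannot swap in an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except (ValueError, socket.gaierror):
        return None
    ips = {info[4][0] for info in infos}
    if not ips or any(is_internal(ip) for ip in ips):
        return None
    return min(ips)
```

Two caveats a practitioner would add: run the same check on every redirect hop rather than only on the first URL, and pin the connection to the returned address instead of letting the HTTP client resolve the name again.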
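Worked example for the Directory Traversal and Local File Inclusion drills above, added by the editor and not PwnKata's code. It builds a file-serving function shaped like those targets, shows two weak checks and what walks past each (a `..` segment, an absolute path, a stray symlink), and a realpath-based containment check. The web root, files and symlink are constructed in a temporary directory.

```python
"""Added example, not PwnKata's code: a file-serving function shaped like the
Directory Traversal and Local File Inclusion targets, two weak checks and what
walks past each, and a realpath-based containment check. Paths are constructed
in a temporary directory."""
import os
import tempfile


def read_vulnerable(base: str, name: str) -> bytes:
    # join() never confines the result to base: '..' segments and absolute
    # paths both leave it
    with open(os.path.join(base, name), "rb") as f:
        return f.read()


def read_blocklisted(base: str, name: str) -> bytes:
    # Common half-fix: refuse the literal traversal sequence and nothing else
    if "../" in name:
        raise PermissionError("traversal blocked")
    return read_vulnerable(base, name)


def read_contained(base: str, name: str) -> bytes:
    # Resolve '..' and symlinks first, then require the result to sit under base
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("outside web root")
    with open(target, "rb") as f:
        return f.read()


def demo():
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "webroot")
    os.makedirs(base)
    with open(os.path.join(base, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    secret = os.path.join(tmp, "secret.txt")          # outside the web root
    with open(secret, "wb") as f:
        f.write(b"FLAG{example-only}")
    os.symlink(secret, os.path.join(base, "link"))    # a stray symlink inside it

    payloads = {
        "traverse": "../secret.txt",   # walks out of base
        "absolute": secret,            # no '../', but join() discards base
        "symlink": "link",             # no '../', resolves outside base
    }
    out = {"legit": read_contained(base, "index.html")}
    out["traverse"] = read_vulnerable(base, payloads["traverse"])
    out["absolute"] = read_blocklisted(base, payloads["absolute"])
    out["symlink"] = read_blocklisted(base, payloads["symlink"])
    for label, p in payloads.items():
        try:
            read_contained(base, p)
            out["contained_" + label] = "allowed"
        except PermissionError:
            out["contained_" + label] = "blocked"
    return out
```

The inclusion case is the same sink with `include` in place of `open`: once a path you control is read, anything the server will execute from that path (an uploaded file, a log line you wrote) turns the read into code execution, which is why the containment check has to run on the resolved path and not on the string.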
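Worked example for the File Upload to Web Shell drill above, added by the editor and not PwnKata's code. It shows the extension blocklist a weak upload handler uses, which attacker-chosen filenames pass that string check, and an allowlist-plus-magic-bytes check with a server-chosen storage name. The filenames, file bodies and both lists are constructed for this example.

```python
"""Added example, not PwnKata's code: the extension blocklist a weak upload
handler uses, the filenames that pass it, and an allowlist-plus-magic-bytes
check with a server-chosen storage name. Filenames, bodies and the two lists
are constructed for this example."""
import os
import secrets

BLOCKLIST = {".php", ".phtml", ".phar"}
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def blocklist_check(filename: str) -> bool:
    # Weak variant: case-sensitive blocklist on the final extension only
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKLIST


def blocklist_bypasses(candidates):
    # Which attacker-chosen names the weak check lets through
    return [name for name in candidates if blocklist_check(name)]


def allowlist_check(filename: str, content: bytes) -> bool:
    # Allowlist the final extension, compared case-insensitively, and require
    # the body to start with that type's magic bytes
    _, ext = os.path.splitext(filename)
    ext = ext.lower()
    return ext in ALLOWLIST and content.startswith(MAGIC[ext])


def stored_name(filename: str) -> str:
    # The attacker's basename never reaches disk; only the vetted extension does
    _, ext = os.path.splitext(filename)
    return secrets.token_hex(16) + ext.lower()
```

Whether a name that passes the blocklist (`shell.PHP`, `shell.php5`, `shell.php.png`) actually executes depends on the server's handler mapping, which is what the drill varies; and a file that passes the allowlist can still be a PHP/PNG polyglot, so the stored name drops the attacker's basename and the upload directory should not be one the server executes from.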