vulnlab.dev

A reference target for security tools

Each vulnerability class lives on its own subdomain. Every lab links to its own source. Bring a SAST scanner, a DAST scanner, an LLM, or all three — see what each one finds.

Scanner results

What do off-the-shelf scanners actually catch when pointed at these labs? See /results/ — per-lab table of what Semgrep (SAST) and Nuclei (DAST) flagged versus the ground truth declared in each lab's /meta/<slug>.

Vulnerability classes

Server-Side Request Forgery [live] ssrf.vulnlab.dev (12 labs)
The server fetches a URL you control. Find ways past the validators and reach things you shouldn't.

Cross-Site Scripting [live] xss.vulnlab.dev (5 labs)
Reflected, stored, DOM, CSP-bypass, and mutation XSS — the variants tools differ on. Each lab shows what the scanner should fire on.

SQL Injection [live] sqli.vulnlab.dev (5 labs)
In-band UNION, error-based, blind boolean, blind time-based, and second-order — sitting on a real MariaDB backend.

Server-Side Template Injection [live] ssti.vulnlab.dev (5 labs)
Jinja2 render_template_string, Python str.format() attribute walk, blocklist bypass, sandbox bypass via an over-privileged helper, and second-order through a stored draft.

Who built this

Carl Sampson (chs) — application security researcher. vulnlab.dev is a side project alongside other things I run:

Found a bug in the lab platform itself (not in the intentionally-vulnerable apps)? Email carl.sampson@gmail.com.