// Hands-on practice · Shared cohort instances

Uniq Labs.

Intentionally broken apps you can poke at without breaking the law. Practice the Burp Suite and OWASP techniques from the bootcamp on real targets. Safely, repeatedly, in your browser.

Heads up: these are shared instances. Everyone in the cohort hits the same targets. Stored payloads may be visible to others, the basic-auth login is the same for every student, and labs marked lockedbelow are still being prepared — they unlock when the matching challenge drops. That's by design for v1.

Available instances

online·OWASP project · v17.3

Juice Shop

Modern Node/Angular shop with 100+ challenges

A modern e-commerce app that contains every vulnerability OWASP could think of, plus a few they couldn't. Find broken auth, stored XSS, SQL injection, and a famously bad admin section. Bring Burp.

Est 45–90 min Difficulty Easy → Hard Shared instance · resets nightly 03:30 EAT

WebSQLiXSSAuthJWTIDORCrypto

~/labs/juice

$login••••••••

$password••••••••••••

online·Damn Vulnerable Web App · v1.10

DVWA

Classic PHP/MySQL with four difficulty levels per attack

The classic. A deliberately broken PHP application where each attack (SQLi, XSS, file-upload, CSRF) comes in low, medium, high, and impossible variants. Read the source after you exploit it: that's where the lesson lives.

Est 60–120 min Difficulty 4 levels Shared instance · resets nightly 03:30 EAT

WebSQLiCMDiXSSCSRFFile uploadBrute force

~/labs/dvwa

$login••••••••

$password••••••••••••

online·UniCyber original · Week 4

玄関 · Genkan

The front door — pure recon, no payloads

A small firm rushed their site to staging and left scraps behind. No login, no exploits — just look properly. Read what the site would rather you didn't: robots, source, and the files they forgot to delete.

Est 10–20 min Difficulty Easy Shared instance · read-only · no reset

WebReconInfo disclosure

~/labs/genkan

$login••••••••

$password••••••••••••

online·UniCyber original · Week 4

影武者 · Kagemusha

The impersonator — become someone you are not

A members-only portal. Sign in with the demo account (guest / guest), then chain three logic flaws — broken object access, a leaked secret, and a forgeable session — to walk into the admin console. No injection required.

Est 30–60 min Difficulty Hard Shared instance · read-only · no reset

WebIDORAuthInfo disclosure

~/labs/kagemusha

$login••••••••

$password••••••••••••

Locked

launching soon·UniCyber original · Week 4

蔵 · Kura

The storehouse — read your way to the flag

An internal document viewer that is a little too willing to open files. Its traversal filter looks fine but only runs once. Slip past it, read the application source to learn where the secret hides, then go take it.

Est 45–90 min Difficulty Insane Shared instance · read-only · no reset

WebLFIPath traversal

// How the labs work

Four steps. no setup.

Open a lab

Click "Open lab" below. Caddy asks for the shared username and password. Both are shown on each lab card.

Pick your angle

Each lab covers multiple OWASP categories. Use the chips on the card to know what you're walking into.

Break it. Repeat.

Use Burp, curl, sqlmap, whatever fits the bug. Shared labs that reset wipe nightly at 03:30 EAT, so leave them dirty.

Write it up

Drop your findings as a writeup. Mentors review, points hit the board, and the rest of the cohort learns from you.

// Roadmap · more labs incoming

Coming up

We add labs as the curriculum grows. Got a request? mail us.

// Forensics

Memory Forensics

Volatility on a captured memory image. Find the malware, name the C2, recover the flag.

// Network

PCAP Playground

Browser-based Wireshark with three pre-loaded incidents. Tag, filter, follow streams.

// Red Team

Mini Active Directory

A tiny 3-host domain. Get from nobody to Domain Admin. Privilege escalation, ticket abuse.

// Pwn

Stack Smash Range

Six binaries, increasing in difficulty. From ret2win to ROP chains. nc-style remote.