⚠ Intentionally vulnerable. Every host under vulnlab.dev contains real, exploitable bugs by design. Point your tools here and see what they catch.

vulnlab.dev

A reference target for security tools

Each vulnerability class lives on its own subdomain. Every lab links to its own source. Bring a SAST scanner, a DAST scanner, an LLM, or all three — see what each one finds.

Vulnerability classes

Server-Side Request Forgery live

ssrf.vulnlab.dev

The server fetches a URL you control. Find ways past the validators and reach things you shouldn't.

6 labs

Coming next

Cross-Site Scripting — xss.vulnlab.dev
SQL Injection — sqli.vulnlab.dev
Server-Side Template Injection — ssti.vulnlab.dev

Who built this

Carl Sampson (chs) — application security researcher. vulnlab.dev is a side project alongside other things I run:

chs.us — personal site, with hands-on guides like the SSRF guide that informed these labs.
appsec.fyi — curated AppSec reading and reference, including the SSRF page.
outofbits.com — out-of-band application security testing service: "the OAST listener that talks back." Useful for the blind SSRF lab.

Found a bug in the lab platform itself (not in the intentionally-vulnerable apps)? Email carl.sampson@gmail.com.