Security Labs — Spot the Vulnerability
The hands-on companion to Security Testing. Read the code. Find the hole. Fix it.
Most security training tells you what a vulnerability is. This track makes you read real NZ-context code and configuration, point at the exact line that is broken, rewrite it safely, and then write the test cases that would catch it. Every lab follows the same three-step pattern — spot it, fix it, build the tests. The vulnerable snippets here exist only to be identified and repaired. This is defensive testing practice, never an attack guide.
Spot the vulnerability, then fix it
Lab 1 · Injection Flaws
SQL injection, command injection, and the OWASP A03 family. Spot the injectable query in a RealMe login endpoint, rewrite it with parameterised queries, and design the injection test cases.
~30 min read · ~70 min with exercises · OWASP A03
Lab 2 · Broken Auth & Access Control
Broken authentication, IDOR, and missing authorisation checks — OWASP A01 and A07. Spot the missing ownership check in an IRD-number lookup, add it, and write the access-control tests.
~30 min read · ~70 min with exercises · OWASP A01/A07
Lab 3 · Security Misconfiguration
Misconfigured CORS, missing security headers, verbose errors, and exposed secrets — OWASP A05. Spot the leak in a payments API config, lock it down, and build the misconfiguration tests.
~30 min read · ~70 min with exercises · OWASP A05
Reading code is a testing skill
A tester who can only click through a UI will miss most security defects. The dangerous ones live in the code and the config — a query that builds SQL from a string, a handler that trusts an ID from the URL, a CORS line that says yes to everyone. You cannot find those by exercising the happy path. You find them by reading.
So that is what you do here. Each lab hands you a short, realistic snippet from an NZ system — a login endpoint, an IRD-number lookup, a payments API. You read it, name the exact vulnerability and how an attacker would abuse it, then rewrite the code to close it. After that you switch hats and design the test cases that would catch the bug before it ships.
This matters in NZ because the systems you test handle real harm. A broken access-control check on a Te Whatu Ora record exposes health data. An injection flaw in a benefits portal exposes MSD client details. Under the Privacy Act 2020 and the NZISM, “we did not test for that” is not a defence. These labs make the testing concrete.
More specialised tracks
Security Testing
The concept layer this track pairs with — the OWASP Top 10, threat modelling, and security testing in the NZ context.
Specialised · API Testing
Testing REST APIs — contracts, status codes, and the endpoints where most injection and access-control bugs live.
Specialised · Privacy Testing
Testing for compliance with the Privacy Act 2020 — the regulation behind most NZ data-exposure failures.