Other Labs

These are experimental and may break at any time. Thanks! - Anthony

Hashing Laboratory (Integrity): This tool demonstrates that hashing is a one-way street.

Integrity: Hashing Laboratory

Concept: One-way functions. Change one letter, and the entire "fingerprint" changes.

SHA-256 (Modern Standard): ...
SHA-1 (Legacy/Insecure): ...
Education Note: Notice how you cannot "reverse" these strings back into your original text. This is why we hash passwords instead of storing them in plain text.

Encoding Converter (Representation): This is the most important "myth-buster" lab. It teaches that Base64 and Hex are not encryption because they require no key to reverse.

Representation: Encoding Converter

Concept: Encoding is just a different way of writing the same data. It provides ZERO secrecy.

Base64: ...
Hexadecimal: ...
Education Note: Attackers often use Base64 to hide malicious scripts from basic security filters, but a security analyst can decode it instantly.
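The analyst-side view of that note, as an added example (not the lab's own code): a small helper that spots Base64 and hex runs inside a log line or script argument and decodes them for inspection. The regular expressions and the sample input are constructed for the example.

```javascript
// Added example (not the lab's own code): find Base64 and hex runs inside a
// string (a log line, a command line, a script) and decode them for review.
// Nothing here is secret: decoding needs no key, only the alphabet.

// Base64 alphabet with optional padding; 16+ chars to limit false hits.
const BASE64_RUN = /[A-Za-z0-9+/]{16,}={0,2}/g;
// Hex: an even number of hex digits, at least 8 bytes, on word boundaries.
const HEX_RUN = /\b(?:[0-9a-fA-F]{2}){8,}\b/g;

// True when every decoded byte is printable ASCII or whitespace.
function looksLikeText(buf) {
  for (const b of buf) {
    if (!(b === 9 || b === 10 || b === 13 || (b >= 32 && b <= 126))) return false;
  }
  return buf.length > 0;
}

// Returns [{encoding, encoded, decoded}] for every run that decodes to text.
// A hex run also matches the Base64 alphabet; the printable check discards
// the wrong interpretation in practice.
function findEncodedText(input) {
  const hits = [];
  for (const m of input.match(BASE64_RUN) || []) {
    if (m.length % 4 !== 0) continue; // not a well-formed Base64 run
    const buf = Buffer.from(m, "base64");
    if (looksLikeText(buf)) hits.push({ encoding: "base64", encoded: m, decoded: buf.toString("utf8") });
  }
  for (const m of input.match(HEX_RUN) || []) {
    const buf = Buffer.from(m, "hex");
    if (looksLikeText(buf)) hits.push({ encoding: "hex", encoded: m, decoded: buf.toString("utf8") });
  }
  return hits;
}

// Constructed sample: a command line that hides its real argument in Base64.
const SAMPLE = "run.sh --payload " + Buffer.from("echo hello from base64").toString("base64");
console.log(findEncodedText(SAMPLE));
```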

JWT Debugger (Authentication): This lab helps us visualize how modern web sessions work. It breaks the token into its three distinct parts.

Authentication: JWT Inspector

Concept: Tokens are often "Signed," not "Encrypted." You can see what's inside.

Header (Algorithm): ...
Payload (Data): ...
Education Note: The red and blue parts are just Base64. Anyone who intercepts this token can read your user ID and permissions. The Signature (third part) is what prevents you from changing your "admin" status to "true."

Password Entropy Lab: Here we compare password length against the size of the character pool and examine the resulting strength. Most people think adding a ! at the end of a password makes it "strong." This tool proves them wrong with math.

Defense: Entropy Calculator

Concept: Mathematical strength. Don't just guess if a password is strong—calculate it.

Entropy (Bits): ...
Strength: ...
Education Note: 128 bits of entropy is considered "unbreakable" by current standards. Notice how adding just 2 more characters increases entropy more than changing a letter to a symbol.
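The calculation behind that note, as an added example (not the lab's own code): entropy as length times log2 of the pool size, then the two edits compared. The pool sizes and the strength labels are assumptions chosen for this example.

```javascript
// Added example (not the lab's own code): estimate password entropy as
// length * log2(pool size). Pool sizes and strength thresholds are assumed
// values for this example, not the lab's own.
const CLASSES = [
  { name: "lower", size: 26, re: /[a-z]/ },
  { name: "upper", size: 26, re: /[A-Z]/ },
  { name: "digit", size: 10, re: /[0-9]/ },
  { name: "symbol", size: 32, re: /[^a-zA-Z0-9]/ }, // printable ASCII symbols
];

// Size of the alphabet a guesser must search, given the classes present.
function poolSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// Bits of entropy assuming each position is drawn uniformly from the pool.
function entropyBits(password) {
  if (password.length === 0) return 0;
  return password.length * Math.log2(poolSize(password));
}

// Assumed labels; the lab treats 128 bits as "unbreakable".
function strength(bits) {
  if (bits < 28) return "Very Weak";
  if (bits < 36) return "Weak";
  if (bits < 60) return "Reasonable";
  if (bits < 128) return "Strong";
  return "Very Strong";
}

// Constructed comparison: one letter swapped for a symbol vs. two letters added.
function compare(a, b) {
  const ea = entropyBits(a), eb = entropyBits(b);
  return { [a]: ea.toFixed(1), [b]: eb.toFixed(1), longerWins: eb > ea };
}
console.log(compare("passwor!", "passwordab"));
```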

The Zero-Knowledge Vault (AES-GCM)

This is a more advanced lab. It uses the SubtleCrypto API to encrypt a message using a password. We use AES-GCM because it provides "Authenticated Encryption," meaning if someone tries to tamper with the encrypted text, the decryption will fail.

Defense: Client-Side Vault

Concept: Local Encryption. The "Master Key" never leaves your browser.

Output: ...

Diceware Generator (Passphrases): This tool teaches the EFF (Electronic Frontier Foundation) method of password generation. By picking random words, you create a string that is easy for a human to visualize but very difficult for a computer to "guess" via brute force.

Defense: Diceware Passphrase Generator

Concept: High entropy, high memorability. Random words > Random characters.

Education Note: This tool uses crypto.getRandomValues() to ensure the "dice rolls" are truly random. A 6-word passphrase has roughly 77 bits of entropy, making it strong enough to resist even sophisticated cracking attempts.

The "Pwned" Checker (K-Anonymity): This tool teaches how we can check if a password has been leaked without actually sending the password to a server. It uses the Have I Been Pwned API with a technique called "K-Anonymity."

The Lesson: Privacy-preserving APIs. You only send the first 5 characters of the password's SHA-1 hash. The server sends back all hashes starting with those characters, and your browser does the final check.

Defense: Data Breach Checker

Concept: K-Anonymity. Check for leaks without exposing your password.

Education Note: This tool hashes your password locally. It only sends the first 5 characters of the hash to the API. This ensures the service provider never knows what your password actually is.

The XSS (Cross-Site Scripting) Playground

This tool demonstrates the "Reflected XSS" vulnerability. It shows what happens when a web application takes user input and puts it directly into the page without cleaning it.

Laboratory: XSS Defense & Injection

This lab demonstrates how attackers inject malicious code into a website and how developers use Sanitization to stop them.

Copy/Paste this payload: <img src=x onerror="alert('Hacked!')">
Browser Rendering Output

How it Works

Vulnerable Mode: The website uses .innerHTML. This tells the browser to parse your input as HTML markup. If the markup is valid (like an image tag whose source fails to load, which fires its onerror handler), the browser runs the script immediately.

Secure Mode: The website uses .textContent. This tells the browser to treat your input as raw data. The browser renders the literal characters (like < and >) but refuses to execute them.

CORS & Fetch Tester

This tool helps visualize the Same-Origin Policy (SOP). Users can try to fetch data from a site that allows cross-origin requests (like https://jsonplaceholder.typicode.com/posts/1) vs. one that likely blocks them (like https://google.com).

Web Sec: CORS Visualizer

Concept: Same-Origin Policy. Browsers block scripts from reading data from other sites unless permitted.

Education Note: If you see "TypeError: Failed to fetch," that's the browser's CORS policy in action. It protects your session data from being stolen by third-party scripts.
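The decision the browser makes before handing a cross-origin response to your script, as an added example (not the lab's own code). The page origin and the response headers are constructed; the two endpoints are the ones named above, with headers modelled on how an open API and a closed site would respond.

```javascript
// Added example (not the lab's own code): the rule a browser applies when
// deciding whether a cross-origin fetch result may be read by page script.
// Origins and headers below are constructed for the example.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Returns {allowed, reason}. `headers` is a plain object of response headers
// with lower-case names; `credentials` mirrors fetch's credentials: "include".
function corsReadAllowed(pageUrl, targetUrl, headers, credentials = false) {
  const page = originOf(pageUrl), target = originOf(targetUrl);
  if (page === target) return { allowed: true, reason: "same origin" };
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (acao === "*") {
    if (credentials) return { allowed: false, reason: "wildcard not allowed with credentials" };
    return { allowed: true, reason: "wildcard origin" };
  }
  if (acao !== page) return { allowed: false, reason: `header allows ${acao}, not ${page}` };
  if (credentials && headers["access-control-allow-credentials"] !== "true")
    return { allowed: false, reason: "credentials need Access-Control-Allow-Credentials: true" };
  return { allowed: true, reason: "origin listed" };
}

// Constructed responses modelled on the lab's two endpoints. When the answer
// is "not allowed", the page sees it as "TypeError: Failed to fetch".
const PAGE = "https://labs.example/other-labs";
const OPEN_API = { url: "https://jsonplaceholder.typicode.com/posts/1",
                   headers: { "access-control-allow-origin": "*" } };
const CLOSED_SITE = { url: "https://google.com", headers: {} };

console.log(corsReadAllowed(PAGE, OPEN_API.url, OPEN_API.headers));
console.log(corsReadAllowed(PAGE, CLOSED_SITE.url, CLOSED_SITE.headers));
```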

Regex Bypass Tester

Security analysts often use Regular Expressions to filter out "bad" input (like SQL injection). This tool lets users test if their filter is strong enough or if it can be bypassed with clever formatting.

Web Sec: Regex Filter Lab

Concept: Input Validation. Can you bypass the filter?

Education Note: A common bypass for the default pattern is using newlines or different cases (e.g., <SCRIPT>). Try changing the pattern or the payload to see what gets through!
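One added example (not the lab's own code) covering both the XSS Playground and the Regex Filter Lab: the naive denylist misses the case and newline variants named above, a tightened pattern catches them, and output encoding (what textContent does in Secure Mode) leaves nothing for the parser to execute either way. The patterns and inputs are constructed for the example.

```javascript
// Added example (not the lab's own code): why a regex denylist (Regex Filter
// Lab) is fragile and why output encoding (Secure Mode of the XSS lab, which
// is what textContent does) is the reliable fix. Patterns are constructed.

// Naive denylist: blocks the literal lowercase tag only.
const NAIVE_FILTER = /<script>/;
// Tightened denylist: case-insensitive, tolerates whitespace, catches event
// handler attributes. Still a denylist, so output must be encoded regardless.
const BETTER_FILTER = /<\s*script|\bon[a-z]+\s*=/i;

function isBlocked(filter, input) { return filter.test(input); }

// Output encoding: the browser displays these characters but never parses them.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Secure rendering in the browser: textContent treats input as data, not markup.
function renderSafely(element, untrusted) { element.textContent = untrusted; }

// Does a string still contain anything the HTML parser would treat as a tag?
function containsTag(html) { return /<[a-zA-Z]/.test(html); }

// Constructed inputs, including the payload from the XSS lab.
const INPUTS = [
  "<script>alert(1)</script>",
  "<SCRIPT>alert(1)</SCRIPT>",                  // case change defeats NAIVE_FILTER
  "<script\n>alert(1)</script>",                // newline defeats NAIVE_FILTER
  '<img src=x onerror="alert(\'Hacked!\')">',   // no <script> tag at all
];

function report() {
  return INPUTS.map((i) => ({
    input: i,
    naiveBlocks: isBlocked(NAIVE_FILTER, i),
    betterBlocks: isBlocked(BETTER_FILTER, i),
    encodedHasTag: containsTag(escapeHtml(i)), // false for every input
  }));
}
console.table(report());
```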

OSINT Lab

OSINT Investigation Dashboard

Gather intelligence on connections, files, and links using publicly available data.

1. Identity Mirror (Passive OSINT)

Concept: Every website you visit sees your IP and ISP. Use this to see your digital "handshake."

2. Image Forensic Lab (EXIF Data)

Try This: Upload an original photo (not from social media) to find the hidden GPS coordinates and camera model.

3. Link Redirect Tracer

Try This: Paste a bit.ly or t.co link to see the final destination without visiting it.
Safety Note: All processing for the Metadata Lab happens 100% locally in your browser. For the Connection and Link labs, we use public APIs to fetch data. No data is stored by this website.

Tip: You will often get bit.ly links from scammers over email and text. Use this to check them before clicking any bit.ly links.
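How a redirect tracer follows a short link without loading the destination, as an added example (not the lab's own code). The fetch function is injected so the example runs offline against a constructed map of redirects; for live use pass Node's fetch or a server-side helper, since an in-page browser fetch hides redirect details behind an opaque response.

```javascript
// Added example (not the lab's own code): follow a short link's redirect chain
// with HEAD requests, a hop limit and loop detection, never rendering the final
// page. `fetchImpl` is injected so this runs offline against constructed routes.
async function traceRedirects(startUrl, fetchImpl, maxHops = 10) {
  const chain = [startUrl];
  let url = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const res = await fetchImpl(url, { method: "HEAD", redirect: "manual" });
    const location = res.headers.get("location");
    const isRedirect = res.status >= 300 && res.status < 400 && location;
    if (!isRedirect) return { final: url, chain, status: res.status, error: null };
    const next = new URL(location, url).toString(); // resolve a relative Location
    if (chain.includes(next)) return { final: next, chain, status: res.status, error: "redirect loop" };
    chain.push(next);
    url = next;
  }
  return { final: url, chain, status: null, error: "too many redirects" };
}

// Constructed offline stand-in for fetch: maps URLs to (status, Location).
const FAKE_ROUTES = {
  "https://short.example/abc": [301, "https://tracker.example/go?u=1"],
  "https://tracker.example/go?u=1": [302, "/landing"],
  "https://tracker.example/landing": [200, null],
  "https://loop.example/a": [302, "https://loop.example/b"],
  "https://loop.example/b": [302, "https://loop.example/a"],
};
async function fakeFetch(url) {
  const [status, location] = FAKE_ROUTES[url] || [404, null];
  return { status, headers: { get: (n) => (n.toLowerCase() === "location" ? location : null) } };
}

traceRedirects("https://short.example/abc", fakeFetch).then(console.log);
```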