Generated: February 28, 2026 ✍️ This report accompanies the article: "Sonnet Took the Exam, I Just Watched"
| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Date | February 28, 2026 |
| Total Labs | 19 across 14 vulnerability categories |
| Levels | Apprentice (13) · Practitioner (5) · Expert (1) |
All 19 targeted labs on the PortSwigger Web Security Academy were successfully exploited and solved. The assessment covered 14 distinct vulnerability categories spanning Apprentice, Practitioner, and Expert difficulty levels. Exploitation was performed programmatically using browser automation, raw Python TLS sockets, and Burp Suite MCP integration. Each lab was documented with before/after screenshots and browser session recordings.
| 🧪 Labs Solved | 📂 Categories | ✅ Success Rate |
|---|---|---|
| 19 | 14 | 100% |
| # | Lab Title | Category | Level |
|---|---|---|---|
| 01 | SQL Injection WHERE Clause Bypass | SQL Injection | Apprentice |
| 02 | Reflected XSS into HTML Context | Cross-Site Scripting | Apprentice |
| 03 | SQL Injection UNION Attack — Retrieve Data from Other Tables | SQL Injection | Practitioner |
| 04 | Stored XSS into HTML Context with Nothing Encoded | Cross-Site Scripting | Practitioner |
| 05 | SQL Injection with Filter Bypass via XML Encoding | SQL Injection | Expert |
| 06 | OS Command Injection — Simple Case | OS Command Injection | Apprentice |
| 07 | 2FA Simple Bypass | Authentication | Apprentice |
| 08 | Basic SSRF Against the Local Server | SSRF | Apprentice |
| 09 | File Path Traversal — Simple Case | Path Traversal | Apprentice |
| 10 | Excessive Trust in Client-Side Controls | Business Logic | Apprentice |
| 11 | Unprotected Admin Functionality | Access Control | Apprentice |
| 12 | Manipulating WebSocket Messages to Exploit Vulnerabilities | WebSockets | Apprentice |
| 13 | Exploiting XXE Using External Entities to Retrieve Files | XXE Injection | Apprentice |
| 14 | Basic Server-Side Template Injection | SSTI | Practitioner |
| 15 | DOM XSS via Client-Side Prototype Pollution | Prototype Pollution | Practitioner |
| 16 | Accessing Private GraphQL Posts | GraphQL | Apprentice |
| 17 | HTTP Request Smuggling — Basic CL.TE Vulnerability | HTTP Request Smuggling | Apprentice |
| 18 | HTTP Request Smuggling — Basic TE.CL Vulnerability | HTTP Request Smuggling | Apprentice |
| 19 | HTTP Request Smuggling — Obfuscating the TE Header | HTTP Request Smuggling | Practitioner |
🟢 Apprentice | Category: SQL Injection
Technique: Injected `' OR 1=1--` into the category filter, making the `WHERE` clause always true and returning all products, including hidden ones.
Payload / Request:
```http
GET /filter?category=' OR 1=1--
```
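To make the write-up's point concrete, here is an added example (not part of the original report and not the lab's real code) showing the string-concatenated query that this payload exploits next to a parameterised version that is immune to it; the `products` table, its `released` column and the sample rows are assumptions constructed for the demo.

```python
import sqlite3

# Constructed sample data (not the lab's real schema): some products are
# hidden from the catalogue because they are not released yet.
PRODUCTS = [
    ("Gifts mug", "Gifts", 1),
    ("Gifts lamp", "Gifts", 0),   # hidden: not released
    ("Pet toy", "Pets", 1),
    ("Pet bed", "Pets", 0),       # hidden: not released
]

# The input discussed in the write-up above.
PAYLOAD = "' OR 1=1--"


def make_db():
    """Build an in-memory database with the constructed product rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    """The flaw: the user-controlled category is pasted into the SQL text.

    A quote in the input closes the string literal, the rest becomes SQL,
    and `--` comments out the `released = 1` restriction entirely.
    """
    sql = (f"SELECT name FROM products WHERE category = '{category}' "
           f"AND released = 1")
    return [row[0] for row in conn.execute(sql)]


def filter_fixed(conn, category):
    """The fix: bind the value as a parameter.

    The driver sends it as data, so no part of it can change the query
    structure; the payload is simply a category name that matches nothing.
    """
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", filter_vulnerable(db, PAYLOAD))  # all four rows
    print("fixed:     ", filter_fixed(db, PAYLOAD))       # []
```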
