Mirage — Web Application Exploitation
Forty-one browser targets, L0 to L40, in one linear chain — from view-source recon to AI/LLM exploitation. The biggest attack surface in the world, taught one self-contained product at a time.
Briefing
What this is. The web is the largest attack surface in the world, and where most real breaches start. Mirage walks the whole ladder — every level is a real-looking product with one intentional flaw.
What you'll learn. Recon and client trust, broken access control, BaaS and RLS, auth and tokens, the full injection family, XSS, SSRF, deserialization, GraphQL, and modern AI/LLM attacks. No filler — each level is a distinct technique.
How it's graded. Mirage is a fixed-flag track. Solve a level in your browser and it hands you the access password for the next one. That password is your flag — submit it here for points and a place on the leaderboard.
Note for beginners
Mirage is played entirely in your browser — no SSH. Start at Level 0 and clear each level in order. Every level is its own site at mirage-l<N>.breachlab.org. Open it, find the flaw, exploit it.
On success, the page hands you the login for the next level — user l<N+1> and a password. That password does double duty: it logs you into the next level, and it's the flag for the level you just solved. Paste it into the submit box to bank your points.
Stuck? Read the page closely, watch the network traffic, and ask what the app trusts that it shouldn't. Please don't spoil levels for others — see the rules.
Browser Access
https://mirage-l0.breachlab.org
Each level's flag is also the next level's login password, and the page shows it only once, so save it as you go. In real operations you record credentials the moment you obtain them.