⚠️ THIS IS A VULNERABLE LAB — YOU ARE ALLOWED TO HACK IT
This is a Vulnerable Lab
ratnews.thexssrat.com is an intentionally vulnerable web application built by
The XSS Rat as a safe, legal environment for practising offensive security techniques.
You have explicit permission to attack this application. Do not use what you learn here against systems you do not own.
Why this lab exists
Real bug bounty hunters and penetration testers need live targets to sharpen their skills. This lab mirrors a realistic content-delivery stack
— a FastAPI app with a database, user accounts, an admin API, and RSS aggregation — so you can practise against something that behaves like a real application,
document your findings, and build a repeatable methodology without any legal risk.
What vulnerabilities are hidden here
→Reflected & Stored XSS — unsanitised user input rendered in the browser
→SQL Injection — boolean-based blind injection in search and filter endpoints
→SSRF — server-side request forgery via RSS feed ingest
→IDOR — insecure direct object references in user and preference endpoints
→Auth bypass & API key exposure — weak admin token enforcement and session manipulation
→Open redirect — unsafe next parameter handling after login
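Of the classes listed above, the open redirect is the one whose mechanism the page spells out most concretely: a `next` parameter that is followed after login without proper validation. The block below is an added example, not code from the lab or from The XSS Rat; it shows, in plain Python, the kind of weak "starts with a slash" check that produces an open redirect next to a hardened replacement, and runs both over a set of constructed probe values of the sort a tester would try. The application hostname is assumed to be ratnews.thexssrat.com (taken from this page); the paths in the probes are illustrative and are not endpoints of the lab.

```python
"""Open-redirect check for a post-login `next` parameter (added example, not lab code)."""
from urllib.parse import urljoin, urlsplit

# Assumed hostname of the application issuing the redirect (from the page; not verified).
OWN_HOST = "ratnews.thexssrat.com"


def naive_is_safe_next(next_url: str) -> bool:
    """Weak check: accepts anything that begins with a slash.

    This is the kind of logic an open redirect hides behind. It lets through
    protocol-relative URLs ("//evil.example") and backslash variants
    ("/\\evil.example"), both of which browsers resolve to an external host.
    """
    return next_url.startswith("/")


def safe_next(next_url: str, default: str = "/") -> str:
    """Return `next_url` only if it is a same-site absolute path, else `default`.

    Hardened rules:
      1. reject control characters and backslashes (browsers treat "\\" as "/");
      2. reject anything urlsplit parses as having a scheme or a host;
      3. require exactly one leading "/" (not "//", which is protocol-relative);
      4. resolve against our own origin and confirm the host did not change.
    """
    if not next_url:
        return default
    if any(ch == "\\" or ord(ch) < 0x20 or ch == "\x7f" for ch in next_url):
        return default
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return default
    if not next_url.startswith("/") or next_url.startswith("//"):
        return default
    resolved = urlsplit(urljoin(f"https://{OWN_HOST}/", next_url))
    if resolved.scheme != "https" or resolved.netloc != OWN_HOST:
        return default
    return next_url


# Constructed probe values; the paths are illustrative, not lab endpoints.
PROBES = [
    "/dashboard",                 # legitimate same-site path
    "/settings?tab=feeds",        # same-site path with a query string
    "//evil.example/phish",       # protocol-relative: browser goes to evil.example
    "/\\evil.example",            # backslash variant, normalised to "//" by browsers
    "https://evil.example/",      # absolute external URL
    "javascript:alert(1)",        # scheme-based payload
    "///evil.example",            # extra slashes, still protocol-relative in browsers
    "",                           # missing value
]


def compare(probes=PROBES) -> dict:
    """Map each probe to (naive verdict, hardened redirect target)."""
    return {p: (naive_is_safe_next(p), safe_next(p)) for p in probes}


if __name__ == "__main__":
    for probe, (naive_ok, target) in compare().items():
        print(f"{probe!r:28} naive_allows={naive_ok!s:5} hardened_target={target!r}")
```

Run it and compare the two columns: the naive check waves through every probe that starts with a slash, including the protocol-relative and backslash forms, while the hardened version only returns the two genuine same-site paths and falls back to `/` for everything else. When you test a real `next` parameter, try exactly these shapes; the difference between "rejects https://" and "rejects anything that is not a single-slash same-site path" is where most open redirects live.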
Suggested tools
These community-loved tools are field-tested by red teams and bug bounty hunters. Pair them with the lab data to document
high-impact findings and give defenders actionable fixes.
Recon & Discovery
Aquatone
Visual subdomain discovery with smart screenshot diffing.
httpx
Fast web probing to fingerprint services and capture metadata.
MassDNS
Blazing-fast DNS brute forcing with wildcard filtering.
Exploitation
Burp Community Extensions
Open-source add-ons for request smuggling, desync, and prototype pollution.
Nuclei
Template-based scanner for modern web vulns, easily tuned for new findings.
Reporting
Obsidian + Threat Drag-and-Drop
Create living lab notes with graph view for attack paths.
Dradis CE
Collaborate on disclosure write-ups with reusable evidence blocks.