
I built 41 browser hacking levels that walk the entire web attack surface
MIRAGE: L0 to L40, all in your browser. No SSH, no VM, no Kali
What you actually walk through:
- recon & client-side trust
- broken access control / IDOR / BOLA
- BaaS + RLS misconfig (the Firebase/Supabase class)
- auth, JWT & token abuse
- the full injection family SQLi, NoSQLi, SSTI, command
- XSS, SSRF, insecure deserialization, GraphQL
- and the finale: AI/LLM exploitation direct & stored prompt
- injection, insecure output handling (markdown-image exfil),
- excessive - agency / confused-deputy tool abuse, vector-store BOLA. Anchored to - real 2025-2026 CVEs and incidents (yes, EchoLeak-style indirect - injection is in there)
It's live right now: https://breachlab.org/tracks/mirage