Break it to understand it.
Bastion is a sandboxed range of hands-on labs. Each one lets you trigger a real class of vulnerability in a safe environment — and see exactly what goes wrong under the hood.
Three steps, every time.
Every challenge follows the same shape, so once you've done one you know the drill for all of them.
Read the briefing
A short, plain-language explainer of the vulnerability — what it is, where it shows up, and why it matters.
Run the lab
Interact with a live, instrumented model of the flaw. Inputs are visualized so you can see cause and effect directly.
Capture the concept
Trigger the failure condition, read the result, and walk away understanding the mechanism — not just the name.
Pick a challenge.
One lab is live to start. The rest of the range is being commissioned.
Buffer Overflow
Write past the end of a fixed-size buffer and watch the bytes spill into adjacent memory.
SQL Injection
Slip syntax into a query string and bend a database to read data it was never meant to return.
Cross-Site Scripting
Get the browser to run your script by smuggling it through unescaped, reflected input.
Path Traversal
Walk out of the intended directory with ../ and reach files off-limits to the app.
Auth Bypass
Find the logic gap that lets a request reach a protected route without ever proving who it is.
Weak Hashing
See why an unsalted, fast hash folds quickly against a dictionary — and what replaces it.