week 20 · 2026 · weekly challenge live now

Code review is a skill.
Practice it.

Build the instinct that catches vulnerabilities in review. Hands-on challenges in real production code.

Start today's challenge↵Browse all 198 →

198challenges

70learning articles

10+languages

weekly

+100 pts

easygoInjection

Password Reset

Review code for UserCore, an enterprise identity management system handling authentication for a SaaS platform with over 50,000 users. The password reset flow was recently refactored to improve performance by replacing an ORM with direct SQL queries. Examine how password reset tokens are validated to ensure the implementation is secure against common attack vectors.

1package auth

3import (

4 "encoding/json"

5 "net/http"

Open challenge↵

01how it works

Read the brief

A short scope statement: what the service does, what you're looking for, and any context that matters.

Review the code

Real world snippets - interfaces, handlers, services, scripts. Skim, then audit. The defect is on a single line.

Click the line

No multiple choice. You point at the bug. Right or wrong, you get an annotated explanation.

02this week's set

view all →

03by class

Web Security

XSS, CSRF, SSRF, open redirects, auth flaws.

explore →

Injection

SQL, command, LDAP, NoSQL, template injection.

explore →

Authentication

Tokens, password storage, session fixation, MFA.

explore →

Web3

Reentrancy, integer overflow, access control.

explore →

Mobile

iOS / Android secure storage, deep links, IPC.

explore →

API

REST, GraphQL, gRPC — auth and rate limiting.

explore →

“We dropped Code Review Lab into our security training rotation. Two weeks later our engineers were catching things in PR review we'd historically missed.”

L. Ivanova

App Sec Lead · Series-C fintech

Ready when you are.

Today's challenge takes about 15 minutes.

Start daily challenge ↵See pricing

loading…