week 23 · 2026 · weekly challenge live now

Code review is a skill.
Practice it.

Build the instinct that catches vulnerabilities in review. Hands-on challenges in real production code.

Start today's challenge↵Browse all 205 →

205challenges

70learning articles

10+languages

weekly

+100 pts

easyphpXSS (Cross-Site Scripting)

Food Truck Map

Review the backend code for StreetBite, a popular food truck discovery app that lets users find nearby trucks and share notes about their favorite spots. The app displays user-submitted truck locations on an interactive public map with info popups. Recent user complaints mention strange browser behavior when viewing certain truck locations. Examine how user-generated content is handled and rendered in the map interface.

1<?php

2require_once 'config/database.php';

3require_once 'core/Router.php';

5session_start();

Open challenge↵

01how it works

Read the brief

A short scope statement: what the service does, what you're looking for, and any context that matters.

Review the code

Real world snippets - interfaces, handlers, services, scripts. Skim, then audit. The defect is on a single line.

Click the line

No multiple choice. You point at the bug. Right or wrong, you get an annotated explanation.

02this week's set

view all →

03by class

Web Security

XSS, CSRF, SSRF, open redirects, auth flaws.

explore →

Injection

SQL, command, LDAP, NoSQL, template injection.

explore →

Authentication

Tokens, password storage, session fixation, MFA.

explore →

Web3

Reentrancy, integer overflow, access control.

explore →

Mobile

iOS / Android secure storage, deep links, IPC.

explore →

API

REST, GraphQL, gRPC — auth and rate limiting.

explore →

“We dropped Code Review Lab into our security training rotation. Two weeks later our engineers were catching things in PR review we'd historically missed.”

L. Ivanova

App Sec Lead · Series-C fintech

Ready when you are.

Today's challenge takes about 15 minutes.

Start daily challenge ↵See pricing

loading…