week 26 · 2026 · weekly challenge live now

Code review is a skill.
Practice it.

Build the instinct that catches vulnerabilities in review. Hands-on challenges in real production code.

Start today's challenge↵Browse all 217 →

217challenges

70learning articles

10+languages

weekly

+100 pts

easypythonSSRF (Server-Side Request Forgery)

Avatar URL Import

SnapProfile is a Flask-based social app where members can set their profile picture by pasting an image URL instead of uploading a file. The backend fetches that URL server-side and saves the bytes. The service runs on a cloud instance with an attached IAM role. Review the avatar-import flow and how the remote image is retrieved.

1from flask import Flask, request, jsonify

2from auth import require_login

3from avatar import import_avatar_from_url

5app = Flask(__name__)

Open challenge↵

01how it works

Read the brief

A short scope statement: what the service does, what you're looking for, and any context that matters.

Review the code

Real world snippets - interfaces, handlers, services, scripts. Skim, then audit. The defect is on a single line.

Click the line

No multiple choice. You point at the bug. Right or wrong, you get an annotated explanation.

02this week's set

view all →

03by class

Web Security

XSS, CSRF, SSRF, open redirects, auth flaws.

explore →

Injection

SQL, command, LDAP, NoSQL, template injection.

explore →

Authentication

Tokens, password storage, session fixation, MFA.

explore →

Web3

Reentrancy, integer overflow, access control.

explore →

Mobile

iOS / Android secure storage, deep links, IPC.

explore →

API

REST, GraphQL, gRPC — auth and rate limiting.

explore →

“We dropped Code Review Lab into our security training rotation. Two weeks later our engineers were catching things in PR review we'd historically missed.”

L. Ivanova

App Sec Lead · Series-C fintech

Ready when you are.

Today's challenge takes about 15 minutes.

Start daily challenge ↵See pricing

loading…