A self-hosted training platform for web application security — like OWASP Juice Shop or PortSwigger Academy, but yours, offline, and pedagogical.
WhiteCap teaches penetration testing the way it's actually learned: by trying real payloads against real-feeling targets, with hints when you get stuck, theory pages that explain why something works, and a write-up after you solve it.
Every lab is a simulated, fully contained vulnerable scenario. You'll never attack anyone's real system — the platform validates your payloads against built-in models of the vulnerability. The whole thing runs in a Go binary on your laptop.
WhiteCap is an educational simulator. It teaches you what an attacker can do so you can build software that resists it.
- All targets are simulated locally in the backend. No external traffic. No real exploitation.
- The platform never explains how to evade detection, attack production systems, or exfiltrate data from third parties.
- Use this to study for the OSCP/Sec+, to onboard junior security engineers, to seed an internal CTF, or just to satisfy curiosity.
- You are responsible for using what you learn here ethically and within the law.
| Feature | Notes |
|---|---|
| 15+ hands-on labs | SQLi, XSS, IDOR, path traversal, JWT, command injection, CSRF, SSRF, XXE, open redirect, weak crypto, more |
| 3 difficulty levels | Beginner · Intermediate · Advanced — earn points and level up |
| Briefing → Lab → Hint → Write-up | Every lab has a 4-tab teaching loop |
| Theory library | Standalone articles on each vulnerability class — read before, during, or after |
| Leaderboard | Global ranking by points and labs solved |
| Achievements | Unlock badges (First Blood, OWASP Top 10 sweep, Hint-free run, etc.) |
| Progress tracking | Per-user dashboard of solved / attempted / locked labs |
| Hints with cost | Stuck? Reveal a hint — costs ~25% of the lab's points |
| Self-hosted | One Go binary + one SQLite file. Runs anywhere. |
| Layer | Technology |
|---|---|
| Backend | Go 1.22+ · Gin · modernc.org/sqlite (pure Go) · JWT + bcrypt |
| Frontend | Next.js 14 · TypeScript · Tailwind CSS · Recharts |
| Auth | JWT bearer + bcrypt password hashing |
| Lab engine | Pure-Go validators — pattern-match real-world payloads against an in-memory model of each vulnerable scenario |
WhiteCap Hack Simulator/
├── backend/
│ ├── cmd/server/main.go
│ └── internal/
│ ├── api/ # Gin handlers (auth, labs, progress, leaderboard, theory)
│ ├── auth/ # JWT + bcrypt
│ ├── config/ # env loader
│ ├── db/ # SQLite + migrations
│ ├── models/ # Data types
│ └── labs/
│ ├── catalog.go # All 15+ lab definitions
│ ├── theory.go # Theory articles
│ ├── validator.go # Submission validation per lab
│ └── solutions.go # Reference write-ups
│
├── frontend/
│ ├── app/
│ │ ├── (auth)/ # login, register
│ │ ├── dashboard/
│ │ ├── labs/ # catalog
│ │ ├── labs/[id]/ # play a lab
│ │ ├── theory/ # vulnerability articles
│ │ ├── leaderboard/
│ │ └── profile/
│ ├── components/
│ └── lib/
│
├── docker-compose.yml
└── README.md
cd backend
cp .env.example .env
go mod download
go run ./cmd/serverListens on http://localhost:7000.
cd frontend
cp .env.local.example .env.local
npm install
npm run devOpen http://localhost:3000. Register → start with the Warm-up: Open Redirect lab for an easy win, then work down the catalog.
docker compose up --buildEach lab follows the same loop:
- Briefing — the scenario in plain English. "You're a pentester hired by a startup. Their login looks like…"
- Lab — a form where you enter your payload (e.g.
' OR '1'='1'--). The backend validates by simulating what the vulnerable system would do with it. - Hint (optional) — a one-line nudge. Costs ~25% of the lab's points to reveal.
- Write-up (after solving) — full explanation of why your payload worked, plus the fix in real code.
The validator on the backend is pure logic — it knows the shape of the underlying vulnerability and answers "would this payload exploit it?". No actual SQL is run. No actual XSS executes. You learn the technique without producing a real exploit.
| # | Title | Category | Difficulty | Points |
|---|---|---|---|---|
| 1 | Open Redirect Warm-up | Redirect | ★ Beginner | 30 |
| 2 | SQL Injection: Login Bypass | Injection | ★ Beginner | 50 |
| 3 | Reflected XSS | XSS | ★ Beginner | 50 |
| 4 | IDOR: Read someone else's order | Access | ★ Beginner | 50 |
| 5 | SQL Injection: UNION attack | Injection | ★★ Intermediate | 100 |
| 6 | Stored XSS via comment field | XSS | ★★ Intermediate | 100 |
| 7 | Path Traversal: read /etc/passwd | Traversal | ★★ Intermediate | 75 |
| 8 | Command Injection: the ping page | Injection | ★★ Intermediate | 75 |
| 9 | CSRF: change-email without token | CSRF | ★★ Intermediate | 75 |
| 10 | JWT alg: none bypass |
Auth | ★★ Intermediate | 100 |
| 11 | Weak password reset token | Crypto | ★★ Intermediate | 75 |
| 12 | SSRF to cloud metadata | SSRF | ★★★ Advanced | 150 |
| 13 | XXE via XML upload | XXE | ★★★ Advanced | 150 |
| 14 | Blind SQL injection | Injection | ★★★ Advanced | 200 |
| 15 | DOM-based XSS via postMessage | XSS | ★★★ Advanced | 150 |
Standalone articles, readable independently of the labs:
- Injection 101 (SQLi, NoSQLi, command injection, SSI)
- Cross-Site Scripting (reflected · stored · DOM)
- Access control: IDOR, BOLA, vertical/horizontal privilege escalation
- CSRF and SameSite cookies
- SSRF and the metadata-endpoint problem
- XXE and unsafe XML parsers
- JWT pitfalls (none-alg, weak keys, missing aud/iss checks)
- Path traversal and the
..problem - The OWASP Top 10 in 10 minutes
backend/.env:
PORT=7000
DATABASE_PATH=./whitecap.db
JWT_SECRET=replace-with-a-long-random-string
JWT_TTL_HOURS=168
ALLOW_REGISTRATION=true
ALLOWED_ORIGINS=http://localhost:3000MIT. Use it to teach, learn, and ship more secure software.