🧩 Secure Coding Review Lab Scenarios by Language

Use this page when: you want ready-to-run exercises that convert the KB’s vulnerable/safer snippets into practice.

How to use these scenarios

For each lab:

show only the vulnerable snippet first;
ask participants to identify the defect class;
ask for likely business impact;
ask for the minimum safe fix direction;
compare with the linked example page.

PHP scenarios

defect family: injection;
prompt: which user-controlled value changes the meaning of the query?
follow-up: what would you require in PR review before merge?
compare with: PHP Vulnerability Examples and Fixes

PHP Lab 2 — unsafe upload to public path

defect family: unsafe file handling;
prompt: what attacker goals become possible if the upload lands under a served path?
follow-up: what retrieval architecture would you prefer instead?
compare with: PHP Vulnerability Examples and Fixes

Python scenarios

Python Lab 1 — shell command built from request data

defect family: command execution;
prompt: could a safer design avoid the shell entirely?
follow-up: where should validation happen if this becomes a worker job later?
compare with: Python Vulnerability Examples and Fixes

Python Lab 2 — IDOR in record lookup

defect family: broken object-level authorization;
prompt: what ownership proof is missing?
follow-up: should this be enforced in the query, service layer, or both?
compare with: Python Vulnerability Examples and Fixes

Go scenarios

Go Lab 1 — direct row fetch by object id

defect family: object authorization;
prompt: what does the handler assume about the caller that it has not proven?
compare with: Go Vulnerability Examples and Fixes

Go Lab 2 — outbound fetch from untrusted URL

defect family: SSRF;
prompt: what internal assets could this reach in a cloud-native service?
compare with: Go Vulnerability Examples and Fixes

Java scenarios

Java Lab 1 — unsafe XML / parser configuration

defect family: parser misuse;
prompt: what could an attacker force the parser to do that the developer did not intend?
compare with: Java Vulnerability Examples and Fixes

Java Lab 2 — unsafe object deserialization or trust in serialized input

defect family: deserialization;
prompt: is deserialization needed at all, and where is the trust boundary?
compare with: Java Vulnerability Examples and Fixes

JavaScript scenarios

JavaScript Lab 1 — reflected XSS in templated output

defect family: XSS;
prompt: what rendering context are we actually in?
compare with: JavaScript Vulnerability Examples and Fixes

JavaScript Lab 2 — dangerous redirect or URL fetch

defect family: open redirect / SSRF-adjacent trust bug;
prompt: which destinations should be impossible here?
compare with: JavaScript Vulnerability Examples and Fixes

TypeScript scenarios

TypeScript Lab 1 — runtime trust hidden behind types

defect family: input validation gap;
prompt: what does the type system make look safe that is still unsafe at runtime?
compare with: TypeScript Vulnerability Examples and Fixes

TypeScript Lab 2 — typed ORM query with missing tenant scope

defect family: authz / data-scope bug;
prompt: how would you prove isolation here?
compare with: TypeScript Vulnerability Examples and Fixes

SQL scenarios

SQL Lab 1 — dynamic ORDER BY / filter abuse

defect family: query manipulation;
prompt: which parts of the statement can safely be dynamic and how should they be constrained?
compare with: SQL Vulnerability Examples and Fixes

SQL Lab 2 — missing tenant predicate in reporting query

defect family: data-scope failure;
prompt: should the safety property live in the view, procedure, or application query?
compare with: SQL Vulnerability Examples and Fixes

Facilitator close-out template

End each lab with three outputs:

one review comment the team would actually write;
one safer coding rule for that stack;
one prevention mechanism (test, lint rule, framework helper, or gate).

Use with

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.