about hackxor

Hackxor is a realistic web application hacking game, designed to help players of all abilities develop their skills. All the missions are based on real vulnerabilities I've personally found while doing pentests, bug bounty hunting, and research.


Do I need to avoid causing damage, changing passwords etc?

Nope! This site uses an instance system to isolate players. Every player is assigned to a unique instance, and actions taken in one instance have no effect on others. It's just as if you're the only player :)

Access to your instance is governed by the _globalinstancekey cookie, so try to avoid tampering with this. You can share your instance with other browsers (and friends) using the invitation link in settings.

May I scan/spider/bruteforce?

None of the missions require automated tools to complete. If you must use automated tools, please throttle them to one request per second. This policy may change at a later date.

I solved a level, can I publish a writeup?

I can't stop you, but I'd prefer if you didn't.

What's hackxor1?

That's the predecessor to this game. You have to download it to play it, but the missions are still relevant (and challenging), so give it a go.

Will you start charging for access?

I plan to keep hackxor free forever. The running costs are currently minimal, and if the game rises in popularity I'll consider hosting recruitment adverts for security companies - please contact me if you're interested in promoting your company here.

If you'd like to express your support for hackxor, you can help by sharing it on social media.

I found a vulnerability, and I think it's unintentional!

Nice work, please send me the details. That said, I don't care about low severity best-practice junk. This is a hacking game after all.

My question wasn't answered!

Drop me an email.