
Practice Mode

Practice Mode presents code review challenges where you identify vulnerable code and select the correct fix. Available across 185+ vulnerability types in multiple languages.

How It Works

Each challenge follows a two-phase system designed to test both your vulnerability detection and remediation skills:

Phase 1 — Find the Vulnerability

Read through a code snippet and identify which block contains the security vulnerability. Click the correct block among several highlighted options to advance.

Phase 2 — Select the Fix

Once you identify the vulnerability, choose the correct fix from multiple options. Each option looks plausible, but only one properly addresses the security issue.

Scoring: Each challenge is worth 100 XP total — 50 XP for Phase 1 and 50 XP for Phase 2. Using hints reduces your score.

Challenge Interface

Here's what a typical code review challenge looks like:

app.securecodinghub.com/practice/sql-injection
Phase 1 — Find the Vulnerability  |  Phase 2 — Select the Fix
Python  |  views.py

    def get_user(request):
        user_id = request.GET['id']
        query = "SELECT * FROM users WHERE id=" + user_id
        cursor.execute(query)
        return JsonResponse(cursor.fetchone())

Select the vulnerable code block above
Use Hint (-25 XP)

Choosing Your Language

Each topic has challenges in multiple programming languages. Your stack preference determines which language is shown by default — backend developers see Python, Java, or Go challenges, while frontend developers see React, Vue, or Angular.

You can switch languages at any time using the language selector. Your preference is saved so you always see challenges in your preferred stack first.

JavaScript
TypeScript
Python
Java
C#
PHP
Go
React
Vue
Angular
Swift
Kotlin

Using Hints

Each phase has a hint button. Using a hint reduces your score for that phase from 50 XP to 25 XP. Hints provide targeted guidance without giving away the answer — they point you in the right direction while still requiring you to think critically.

Hints are optional and you can complete any challenge without them. They are especially helpful when you encounter an unfamiliar vulnerability type for the first time.

Scoring & XP

Your score for each challenge depends on whether you use hints:

Action                        XP
Phase 1 correct (no hint)     50 XP
Phase 1 correct (with hint)   25 XP
Phase 2 correct (no hint)     50 XP
Phase 2 correct (with hint)   25 XP
Maximum per challenge         100 XP

Challenge Completion

After completing both phases, you see a score breakdown:

app.securecodinghub.com/practice/sql-injection
Challenge Complete!
+100 XP
Phase 1 — Find Vulnerability    50 / 50
Phase 2 — Select Fix            50 / 50
Next steps: Explore Learn Mode for interactive attack scenario walkthroughs, or jump straight into practice from the dashboard.

Reading the Phase 1 to Phase 2 Flow

The two-phase structure exists because vulnerability detection and remediation are different skills. Phase 1 trains your eye: given a complete function or method, you decide which line is the dangerous one. You are not asked to write code; you are asked to read it the way a reviewer would. The vulnerable line is rarely the most syntactically interesting one. It is usually a quiet line that does something a developer would write without thinking, like concatenating a request parameter into a string that will later be parsed as a query.

Phase 2 trains your judgement. Once you know where the problem is, the platform shows you several plausible fixes. Most of them compile, run, and look reasonable. Only one fully closes the vulnerability. Some options patch the obvious symptom while leaving the underlying primitive intact. Some options over-correct and break the function. The goal of Phase 2 is to make you reason about why a fix works, not just whether it looks safer than the original. Treat the wrong answers as a study guide: each one is a real mistake real developers make in real pull requests.
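To make the Phase 1 and Phase 2 distinction concrete, here is an added example (not the platform's own code) that rebuilds the SQL injection snippet from the challenge interface above against a constructed in-memory SQLite table, alongside a quote-escaping "fix" of the kind Phase 2 offers as a plausible wrong option and the parameterised query that actually closes the hole. The table contents and the `compare` helper are assumptions made for the demonstration.

```python
# Added example, not code from the platform: the challenge's SQL injection
# pattern, a symptom-only fix, and the real fix, run on the same input.
import sqlite3


def make_db():
    # Constructed sample data standing in for the application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def get_user_vulnerable(conn, user_id):
    # Mirrors the challenge: the request parameter is spliced into SQL text,
    # so the database parses whatever the caller sent as part of the query.
    query = "SELECT * FROM users WHERE id=" + user_id
    return conn.execute(query).fetchall()


def get_user_symptom_fix(conn, user_id):
    # Plausible Phase 2 distractor: escaping quotes feels like sanitising,
    # but the id is never inside quotes, so the escaping changes nothing here.
    safe_id = user_id.replace("'", "''")
    query = "SELECT * FROM users WHERE id=" + safe_id
    return conn.execute(query).fetchall()


def get_user_fixed(conn, user_id):
    # The real fix: the value travels as a bound parameter, never as SQL text,
    # so the database compares id against the literal value the caller sent.
    return conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchall()


def compare(user_id):
    # Run all three variants on one request parameter and report row counts,
    # which is the quickest way to see which variant still leaks.
    conn = make_db()
    return {
        "vulnerable": len(get_user_vulnerable(conn, user_id)),
        "symptom_fix": len(get_user_symptom_fix(conn, user_id)),
        "fixed": len(get_user_fixed(conn, user_id)),
    }


if __name__ == "__main__":
    print(compare("1"))          # all three variants return alice's row
    print(compare("1 OR 1=1"))   # only the bound-parameter version returns 0 rows
```

Read the output the way Phase 2 asks you to: the quote-escaping variant looks safer than the original yet behaves identically, which is exactly the "symptom patched, primitive intact" trap the wrong answers represent.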

Why Guessing Wrecks the Learning Curve

The hint system reduces the XP for a phase from fifty to twenty-five, which sounds like a penalty but is structured as a trade. The trade is meaningful guidance for a lower score. Guessing without a hint loses you the same XP and teaches you nothing, because the feedback loop is too coarse to learn from. If you find yourself reading the snippet for less than thirty seconds before clicking, you are almost certainly guessing. Slow down, read the snippet twice, hypothesize where the trust boundary is, then click.

The right rhythm for a new vulnerability class is to read carefully, use the hint when you are stuck, and accept the score reduction as the cost of learning. After three or four challenges in the same class, you stop needing the hint. After ten, you start seeing the same pattern in your own code. That curve is impossible to compress by guessing. For deeper context on the attack chains behind these snippets, try the matching Learn scenario in Learn Mode.