Write-Ups
[easy] POST /api/appointments/:id/cancel concatenates its numeric path id straight into a SQL query, exposing a blind boolean SQL injection that reads arbitrary database content as any authenticated patient.
[easy] The deck restore endpoint stores an undocumented dtd JSON field that the backup endpoint splices raw into an XML DOCTYPE. Any registered user can declare an external entity and read files off the a...
[easy] GET /api/admin/flag and GET /api/admin/users have no server-side role check. Any registered user retrieves the flag and reads the full user table (PII plus EUR/USD/GBP balances) using a freshly-iss...
[medium] GET /api/bookings/:uuid/tracking omits the organization-scope filter its two sibling routes enforce, letting any authenticated user read every other tenant's booking record after harvesting a forei...
[easy] The deck import endpoint at POST /api/decks/import is fronted by a case-sensitive substring filter on the literal bytes ...
[medium] Recruiter company profile's logo_url field is fetched server-side with no scheme or host validation. Pointing it at http://localhost:3000/reporting bypasses the source-IP gate on an internal endpoi...
[easy] POST /api/decks/import accepts XML files and parses them with a parser that resolves DOCTYPE-declared external entities. Entity references placed in deck or card fields are expanded into the persis...
[easy] Server issues session=base64(md5(username)) URL-encoded, and PUT /api/profile/password takes only {password}. Forge admin's cookie from 'admin' and overwrite the password in one request.
[easy] POST /api/verify-otp accepts 4-digit OTPs with no rate limit or lockout. The 10,000-candidate space sweeps in seconds at concurrency 50, enabling pre-authenticated takeover of any account including...
[easy] POST /api/quantum gates premium access on a User-Agent substring match. Sending Googlebot/2.1 returns the flag in an extra response key.
[medium] GET /api/stats/leaderboard exposes every user's last_login while bearer tokens are derived from that exact value. Any authenticated user can derive admin's currently valid token and call admin endp...
[easy] POST /api/register persists a client-supplied role field. One unauthenticated request creates an admin account; one more retrieves the flag.
[easy] The Express backend signs JWTs with HS256 using the literal string `secret`, and the `/api/admin/*` route guard authorizes off the role claim in the token. Cracking the secret with hashcat against ...
[easy] Unauthenticated OS command injection on POST /api/roll's rollOptions field returns command stdout in an extra `output` key on the JSON response. Full RCE on the server.
[medium] A verb tampering sweep across the known API surface surfaced PUT /api/stats, an undocumented endpoint not called by the UI that accepts mass assignment writes from any authenticated user. Flag retu...
[easy] DELETE /api/snippets/:id has no ownership check, so any authenticated user can delete any snippet, including admin's. The matching PUT on the same route enforces ownership correctly. Flag returned ...
[easy] PUT /api/profile/:username trusts the path username instead of the JWT, so any authenticated user can rewrite admin's password and take over the account in a single request. The body side has a fie...
[easy] POST /api/orders accepts an array on the `discount` field and applies every code multiplicatively with no de-duplication or stacking guard. Sending `["PIZZA-10", "PIZZA-10"]` compounds the 10% disc...
[medium] Second-order blind boolean SQLi via the stored application status field, chained with role self-assignment at registration to give an unauthenticated attacker full database read. Admin password ext...
[easy] UNION-based SQLi in the `:id` path parameter on GET /api/products/:id, detected by arithmetic since DB exceptions are swallowed as 404s: `/api/products/5-1` evaluates as SQL and returns the row wit...
[medium] Platform: BugForge | Vulnerability: Admin authorization bypass via predictable adminAccessToken cookie | Key Technique: Compared the cookie across users and logins to reveal a fixed 12-...
[easy] The GraphQL `user(id:)` resolver returns admin's plaintext password to any authenticated caller. The matching REST admin endpoints are correctly gated, so the authorization boundary holds on one su...
[easy] Platform: BugForge | Vulnerability: Insecure Direct Object Reference (IDOR) on a secondary read endpoint, discovered via public source map disclosure | Key Technique: Review unminified ...
[medium] Platform: BugForge | Vulnerability: SSRF on /api/fetch bypasses the access-control gate on /admin. The gate denies public traffic (403 Access forbidden) but admits loopback-originated r...
[easy] Platform: BugForge | Vulnerability: Business Logic — Unvalidated Client-Supplied Refund Amount | Key Technique: Submit an arbitrarily large refund_amount to /api/orders/:id/refund on an...
[easy] Platform: BugForge | Vulnerability: Insecure Direct Object Reference (IDOR) — Arbitrary Profile Modification | Key Technique: Manipulating the id parameter in the PUT /api/profile reque...
[medium] Platform: BugForge | Vulnerability: Server-Side Prototype Pollution → Price Bypass | Key Technique: Exploiting vulnerable deep merge on organization settings endpoint to pollute Object....
[easy] Platform: BugForge | Vulnerability: OTP Recipient Manipulation (Authentication Bypass) — admin login send-code endpoint accepts arbitrary username, routing the OTP to any user’s message...
[easy] Platform: BugForge | Vulnerability: SQL Injection (UNION-based) — share_code path parameter concatenated directly into SQL query | Key Technique: UNION SELECT to extract usernames and p...
[easy] Platform: BugForge | Vulnerability: JWT None-Algorithm Bypass leading to admin privilege escalation | Key Technique: Forging an unsigned JWT with alg:"none" and type:"admin" to bypass s...
[easy] Platform: BugForge | Vulnerability: Client-Side Price Tampering — Server Trusts Client-Sent Prices | Key Technique: Modifying the amount, unit_price, and total_price values in payment a...
[easy] Platform: BugForge | Vulnerability: Business Logic Flaw — Hidden Purchase Type Bypasses Payment | Key Technique: Fuzzing the checkout type parameter to discover an undocumented “till” v...
[easy] Platform: BugForge | Vulnerability: Insecure Direct Object Reference (IDOR) on User Statistics Endpoint | Key Technique: Path parameter manipulation on /api/stats/:userId to access othe...
[medium] Platform: BugForge | Vulnerability: SQL Injection (Authentication Bypass), Client-Side Price Manipulation | Key Technique: Classic SQLi on login username field — string concatenation in...
[medium] Platform: BugForge | Vulnerability: Broken Access Control — Cross-Organization User Hijacking, Broken Object-Level Authorization on Permission Updates | Key Technique: Adding an existin...
[easy] Platform: BugForge | Vulnerability: Insecure Direct Object Reference (IDOR) | Key Technique: Password change endpoint uses id from request body instead of JWT — any authenticated user c...
[hard] Platform: BugForge | Vulnerability: Race Condition (TOCTOU) on currency conversion endpoint | Key Technique: HTTP/2 single-packet attack exploiting non-atomic balance check/deduction wi...
[medium] Platform: BugForge | Vulnerability: Stored Cross-Site Scripting (XSS) via Direct Messages | Key Technique: Injecting HTML into unsanitized DM content field rendered via dangerouslySetIn...
[medium] Platform: BugForge | Vulnerability: IDOR via Predictable Share Token | Key Technique: Reverse-engineering base64-encoded share tokens to access arbitrary gift lists without authenticati...
[easy] Platform: BugForge | Vulnerability: Insecure Direct Object Reference (IDOR) — password change endpoint trusts client-supplied user_id | Key Technique: Replacing user_id in the password ...
[hard] Platform: BugForge | Vulnerability: XXE via XInclude — Arbitrary File Read | Key Technique: XInclude directive bypass of DTD restrictions in XML parser to exfiltrate server files | Resu...
[medium] Platform: BugForge | Vulnerability: IDOR (Insecure Direct Object Reference), Client-Side Price Manipulation, Wildcard CORS | Key Technique: Sequential ID enumeration on order detail end...
[hard] Vulnerability: Race Condition (TOCTOU), SQL Injection (INSERT-only) | Key Technique: Cart/checkout time-of-check-time-of-use race — adding expensive items to cart during checkout processing wind...
[medium] Platform: BugForge | Vulnerability: Insecure Direct Object Reference (IDOR) via Socket.io WebSocket event | Key Technique: Enumerating message IDs through an unauthenticated Socket.io p...
[hard] Platform: BugForge | Vulnerability: OTP Bypass via JSON Array Parameter Injection, Broken Access Control via Gateway Entitlement Override | Key Technique: Sending all 10,000 OTP codes i...
[medium] Platform: BugForge | Vulnerability: Broken Access Control on admin endpoints; Rounding exploit in stock trading | Key Technique: Accessing admin-only API routes with a regular user JWT ...
[easy] Platform: BugForge | Vulnerability: Insecure Direct Object Reference (IDOR) — missing authorization check on snippet deletion | Key Technique: Exploiting inconsistent authorization betw...
[medium] Platform: BugForge | Vulnerability: XML External Entity (XXE) Injection | Key Technique: XXE via XML deck import endpoint with in-band exfiltration through stored entity values | Result...
[medium] Platform: BugForge | Vulnerability: Payment calculation bug (tip formula error), inconsistent input validation between endpoints | Key Technique: Exploiting a flawed tip calculation for...
[easy] Platform: BugForge | Vulnerability: Mass Assignment | Key Technique: Injecting unvalidated fields into profile update JSON body to overwrite server-side loyalty points balance | Result:...
[medium] Vulnerability: GraphQL Introspection Disclosure, IDOR via GraphQL Query, Plaintext Password Storage | Key Technique: GraphQL introspection to discover schema, then direct object reference via us...
[hard] Platform: BugForge | Vulnerability: Stored XSS, WAF Bypass | Key Technique: oncontentvisibilityautostatechange event handler bypasses keyword-based WAF blocklist, fires via content-visi...
[medium] SQL injection with function filter bypass on a cargo booking application. Bypassed WAF restrictions on SQL functions to extract database contents.
[medium] Mass assignment to enable MFA on the admin account, then brute-force of the 4-digit OTP to bypass MFA and access the admin panel.
[hard] Unicode case mapping bypass to access the admin panel. Exploiting server-side Unicode normalization to circumvent role validation.
[hard] SQL injection combined with information disclosure on the MesaNet access panel. Error-based extraction to gain access to the dev console.
[medium] Second-order SQL injection via a stored username payload. Injected during registration, triggered when the application queries user data.
[medium] Server-side template injection in Jinja2 via EXIF metadata, escalating from SSTI confirmation to full RCE and a root shell.
[easy] Prototype pollution to bypass access controls and reach a 403-protected admin endpoint via __proto__ payload injection.