Write-Ups

CopyPasta: Forgeable Session Tokens Enable Cross-User Impersonation

CopyPasta issues session cookies as base64(md5(username)); any account's session can be recomputed offline from the public username and replayed for full cross-user impersonation, including admin.

easy
Cheesy Does It: Password-Reset Account Takeover via OTP Verification Bypass

POST /api/verify-otp returns a valid reset_token when the OTP is null or a non-numeric string, so an unauthenticated attacker resets any account's password without the code and takes over admin.

easy
Vaultly: Prototype Pollution to Anonymous Cross-Tenant File Disclosure

An unsanitized merge-patch on PATCH /api/v1/files/:id lets any account pollute Object.prototype; the published-rooms projection then serves every tenant's private file content to anonymous callers.

medium
Sokudo: Version-Drift Mass-Assignment to Admin

A deprecated /api/profile mount skips the field whitelist the current /v2 mount applies, letting any authenticated user set their own role to admin and reach admin-only data.

easy
CopyPasta: Collection Share Endpoint Over-Exposes Private Snippets

GET /api/collections/share/:slug omits the per-snippet is_public filter that the integer-id endpoint applies, so any registered user can read private snippets placed in a public collection, includi...

easy
Ottergram: Unauthenticated Path Traversal / Arbitrary File Read

GET /api/post/image?file= reads a client-supplied path off disk with no traversal guard and no authentication; a ../ climb out of the uploads directory reads arbitrary files unauthenticated.

easy
GalaxyDash: Server-Side Template Injection → Secret Disclosure

An org's invoice_template renders server-side into the invoice branding response. A property-path resolver lets a self-registered admin dump a backend billing api_token never shown in normal output.

medium
Ottergram: Broken Access Control on an Admin DELETE Verb

DELETE /api/admin/posts/:id omits the admin check its sibling verbs enforce, so any self-registered user can delete any user's post. Includes a latent unrestricted-upload finding.

easy
Sokudo: GraphQL Authorization Bypass via Introspection-Off Field Suggestions

The GraphQL `users` resolver returns every account's plaintext password to any non-admin token. Introspection was disabled, so the schema was rebuilt offline from graphql-js field-suggestion errors.

easy
FurHire: Client-Side Path Traversal to Account Takeover

FurHire's /invite builds its fetch path from URL parameters, so a support bot can be forced to change its own email; an open mailbox and unthrottled 2FA then give full account takeover.

hard
CopyPasta: API Token Name Confusion to Cross-User Impersonation

CopyPasta validates an X-API-Key token by value but resolves identity from the token's name, returning the oldest token of that name. Name a token to match a victim's and you act as them.

easy
CopyPasta: IDOR Snippet Delete (Broken Object-Level Authorization)

DELETE /api/snippets/:id enforces no ownership check, so any authenticated account can delete any user's snippet; the 200 success response also returns the flag as an extra key.

easy
Vaultly: Account Takeover via Unbound Password-Reset Token

POST /api/auth/reset/confirm picks the target account from an attacker-supplied email and only checks the token is valid, not that it was issued for that account. A self-minted reset token takes ov...

hard
Shady Oaks Financial: UNION-based SQL Injection

The /api/stocks/search endpoint concatenates the q parameter into a SQL string literal, allowing a UNION-based injection. A low-privilege user dumps the full users table, including admin credentials.

easy
Ottergram: Private Posts via Dual-Identifier Authorization Drift

GET /api/posts/:id resolves a post by either an integer id or a UUID public_id, but only the integer path enforces privacy. Because /api/search leaks the public_id of private posts, any authenticat...

medium
Galaxy Dash: Broken Access Control via Writable Avatar Field

GET /api/files authorizes requests by matching them against a caller-writable avatar_url field. Any registered org can self-grant read access to another org's confidential invoice files by pointing...

medium
Hacker's Paradise: Full-Response SSRF to Internal Admin Service

POST /api/limewire/download fetches an attacker-supplied URL and reflects the upstream body, reaching an internal admin service that requires no authentication. Any registered user reads the flag s...

medium
DiceForge: Authentication Bypass via Spoofable Client-IP Header

GET /api/admin/config trusts a client-supplied X-Client-IP header for its loopback-only allowlist. Setting it to 127.0.0.1 returns the app secret to any anonymous caller.

easy
CopyPasta: API Token Disclosure to Dual-Auth Admin Takeover

GET /api/profile/ leaks any user's full API token while the dedicated /api/tokens endpoint masks it. The leaked admin token on X-API-Key resolves the admin identity and returns the flag.

easy
Cafe Club: Readable SSRF to Internal Admin API

POST /api/profile/avatar/import saves the body of an attacker-supplied URL to a public path, a readable SSRF. Pointed at the loopback-only admin API, it disclosed the JWT signing secret and the flag.

easy
Sokudo: JWT Signature Verification Bypass on a Legacy Route Mount

A legacy /v1 API mount verifies no JWT signatures. A forged alg=none token claiming the seeded admin's id reaches GET /v1/admin/flag and the full admin route group with no valid credential.

easy
Appointments: Blind Boolean SQL Injection in a Path Parameter

POST /api/appointments/:id/cancel concatenates its numeric path id straight into a SQL query, exposing a blind boolean SQL injection that reads arbitrary database content as any authenticated patient.

easy
Tanuki: Stored XXE via a Hidden JSON Field

The deck restore endpoint stores an undocumented dtd JSON field that the backup endpoint splices raw into an XML DOCTYPE. Any registered user can declare an external entity and read files off the a...

easy
Shady Oaks Financial: Broken Access Control on Admin Route Group

GET /api/admin/flag and GET /api/admin/users have no server-side role check. Any registered user retrieves the flag and reads the full user table (PII plus EUR/USD/GBP balances) using a freshly-iss...

easy
Galazy Dash: Cross-Organization IDOR via Sibling-Endpoint Authorization Drift

GET /api/bookings/:uuid/tracking omits the organization-scope filter its two sibling routes enforce, letting any authenticated user read every other tenant's booking record after harvesting a forei...

medium
Tanuki: XXE via XInclude (DOCTYPE Filter Bypass)

The deck import endpoint at POST /api/decks/import is fronted by a case-sensitive substring filter on the literal bytes easy

FurHire: SSRF to Internal Reporting Endpoint

Recruiter company profile's logo_url field is fetched server-side with no scheme or host validation. Pointing it at http://localhost:3000/reporting bypasses the source-IP gate on an internal endpoi...

medium
Tanuki: Arbitrary File Read via XXE on XML Deck Import (2026-05-08 rotation)

POST /api/decks/import accepts XML files and parses them with a parser that resolves DOCTYPE-declared external entities. Entity references placed in deck or card fields are expanded into the persis...

easy
Copypasta: Predictable Session Token + Unverified Password Change

Server issues session=base64(md5(username)) URL-encoded, and PUT /api/profile/password takes only {password}. Forge admin's cookie from 'admin' and overwrite the password in one request.

easy
Cheesy Does It: Account Takeover via 4-Digit OTP Brute Force on Password Reset

POST /api/verify-otp accepts 4-digit OTPs with no rate limit or lockout. The 10,000-candidate space sweeps in seconds at concurrency 50, enabling pre-authenticated takeover of any account including...

easy
DiceForge: User-Agent Paywall Bypass

POST /api/quantum gates premium access on a User-Agent substring match. Sending Googlebot/2.1 returns the flag in an extra response key.

easy
Sokudo: Predictable Bearer Token + Timestamp Leak via Leaderboard

GET /api/stats/leaderboard exposes every user's last_login while bearer tokens are derived from that exact value. Any authenticated user can derive admin's currently valid token and call admin endp...

medium
Tanuki: Mass Assignment via Registration Role Field

POST /api/register persists a client-supplied role field. One unauthenticated request creates an admin account; one more retrieves the flag.

easy
Cheesy Does It: JWT HS256 Weak Secret to Admin Role Flip

The Express backend signs JWTs with HS256 using the literal string `secret`, and the `/api/admin/*` route guard authorizes off the role claim in the token. Cracking the secret with hashcat against ...

easy
DiceForge: OS Command Injection on POST /api/roll

Unauthenticated OS command injection on POST /api/roll's rollOptions field returns command stdout in an extra `output` key on the JSON response. Full RCE on the server.

easy
Sokudo: Hidden PUT via Verb Tampering + Mass Assignment

A verb tampering sweep across the known API surface surfaced PUT /api/stats, an undocumented endpoint not called by the UI that accepts mass assignment writes from any authenticated user. Flag retu...

medium
CopyPasta: Authorization Bypass on DELETE Snippet

DELETE /api/snippets/:id has no ownership check, so any authenticated user can delete any snippet, including admin's. The matching PUT on the same route enforces ownership correctly. Flag returned ...

easy
Tanuki: IDOR to Account Takeover

PUT /api/profile/:username trusts the path username instead of the JWT, so any authenticated user can rewrite admin's password and take over the account in a single request. The body side has a fie...

easy
Cheesy Does It: Discount Code Stacking via Array Type Confusion

POST /api/orders accepts an array on the `discount` field and applies every code multiplicatively with no de-duplication or stacking guard. Sending `["PIZZA-10", "PIZZA-10"]` compounds the 10% disc...

easy
FurHire: Second-Order Blind Boolean SQLi + Role Self-Assignment

Second-order blind boolean SQLi via the stored application status field, chained with role self-assignment at registration to give an unauthenticated attacker full database read. Admin password ext...

medium
Cafe Club: UNION-based SQL Injection + Plaintext Password Storage

UNION-based SQLi in the `:id` path parameter on GET /api/products/:id, detected by arithmetic since DB exceptions are swallowed as 404s: `/api/products/5-1` evaluates as SQL and returns the row wit...

easy
Gift Lab: Admin Bypass via Predictable adminAccessToken Cookie

Overview Platform: BugForge Vulnerability: Admin authorization bypass via predictable adminAccessToken cookie Key Technique: Compared the cookie across users and logins to reveal a fixed 12-...

medium
Sokudo: GraphQL Authorization Bypass + Plaintext Password Exposure

The GraphQL `user(id:)` resolver returns admin's plaintext password to any authenticated caller. The matching REST admin endpoints are correctly gated, so the authorization boundary holds on one su...

easy
Copypasta: IDOR via Source Map Disclosure

Overview Platform: BugForge Vulnerability: Insecure Direct Object Reference (IDOR) on a secondary read endpoint, discovered via public source map disclosure Key Technique: Review unminified ...

easy
Tanuki: SSRF to Admin Access Control Bypass

Overview Platform: BugForge Vulnerability: SSRF on /api/fetch bypasses the access-control gate on /admin. The gate denies public traffic (403 Access forbidden) but admits loopback-originated r...

medium
Cheesy Does It: Refund Amount Manipulation

Overview Platform: BugForge Vulnerability: Business Logic — Unvalidated Client-Supplied Refund Amount Key Technique: Submit an arbitrarily large refund_amount to /api/orders/:id/refund on an...

easy
OtterGram: IDOR on Profile Update

Overview Platform: BugForge Vulnerability: Insecure Direct Object Reference (IDOR) — Arbitrary Profile Modification Key Technique: Manipulating the id parameter in the PUT /api/profile reque...

easy
Galaxy Dash: Server-Side Prototype Pollution

Overview Platform: BugForge Vulnerability: Server-Side Prototype Pollution → Price Bypass Key Technique: Exploiting vulnerable deep merge on organization settings endpoint to pollute Object....

medium
Gift List: OTP Recipient Manipulation → Admin Access

Overview Platform: BugForge Vulnerability: OTP Recipient Manipulation (Authentication Bypass) — admin login send-code endpoint accepts arbitrary username, routing the OTP to any user’s message...

easy
Copypasta: UNION-Based SQL Injection

Overview Platform: BugForge Vulnerability: SQL Injection (UNION-based) — share_code path parameter concatenated directly into SQL query Key Technique: UNION SELECT to extract usernames and p...

easy
Tanuki: JWT None-Algorithm Bypass

Overview Platform: BugForge Vulnerability: JWT None-Algorithm Bypass leading to admin privilege escalation Key Technique: Forging an unsigned JWT with alg:"none" and type:"admin" to bypass s...

easy
Cheesy Does It: Client-Side Price Tampering

Overview Platform: BugForge Vulnerability: Client-Side Price Tampering — Server Trusts Client-Sent Prices Key Technique: Modifying the amount, unit_price, and total_price values in payment a...

easy
Cafe Club: Business Logic — Till Payment Bypass

Overview Platform: BugForge Vulnerability: Business Logic Flaw — Hidden Purchase Type Bypasses Payment Key Technique: Fuzzing the checkout type parameter to discover an undocumented “till” v...

easy
Tanuki: IDOR on User Statistics Endpoint

Overview Platform: BugForge Vulnerability: Insecure Direct Object Reference (IDOR) on User Statistics Endpoint Key Technique: Path parameter manipulation on /api/stats/:userId to access othe...

easy
Cheesy Does It: SQL Injection Authentication Bypass

Overview Platform: BugForge Vulnerability: SQL Injection (Authentication Bypass), Client-Side Price Manipulation Key Technique: Classic SQLi on login username field — string concatenation in...

medium
Galaxy Dash: Cross-Org User Hijacking

Overview Platform: BugForge Vulnerability: Broken Access Control — Cross-Organization User Hijacking, Broken Object-Level Authorization on Permission Updates Key Technique: Adding an existin...

medium
Cafe Club: IDOR on Password Change

Overview Platform: BugForge Vulnerability: Insecure Direct Object Reference (IDOR) Key Technique: Password change endpoint uses id from request body instead of JWT — any authenticated user c...

easy
Shady Oaks Financial: Race Condition on Currency Conversion

Overview Platform: BugForge Vulnerability: Race Condition (TOCTOU) on currency conversion endpoint Key Technique: HTTP/2 single-packet attack exploiting non-atomic balance check/deduction wi...

hard
Ottergram: Stored XSS — DM to Admin localStorage Exfil

Overview Platform: BugForge Vulnerability: Stored Cross-Site Scripting (XSS) via Direct Messages Key Technique: Injecting HTML into unsanitized DM content field rendered via dangerouslySetIn...

medium
Gift Lab: IDOR via Predictable Share Token

Overview Platform: BugForge Vulnerability: IDOR via Predictable Share Token Key Technique: Reverse-engineering base64-encoded share tokens to access arbitrary gift lists without authenticati...

medium
Copypasta: IDOR Password Reset to Account Takeover

Overview Platform: BugForge Vulnerability: Insecure Direct Object Reference (IDOR) — password change endpoint trusts client-supplied user_id Key Technique: Replacing user_id in the password ...

easy
Tanuki: XXE via XInclude Bypass

Overview Platform: BugForge Vulnerability: XXE via XInclude — Arbitrary File Read Key Technique: XInclude directive bypass of DTD restrictions in XML parser to exfiltrate server files Resu...

hard
Cheesy Does It: IDOR + Price Manipulation

Overview Platform: BugForge Vulnerability: IDOR (Insecure Direct Object Reference), Client-Side Price Manipulation, Wildcard CORS Key Technique: Sequential ID enumeration on order detail end...

medium
Cafe Club: Race Condition — Cart/Checkout TOCTOU

Vulnerability: Race Condition (TOCTOU), SQL Injection (INSERT-only) Key Technique: Cart/checkout time-of-check-time-of-use race — adding expensive items to cart during checkout processing wind...

hard
Ottergram: WebSocket IDOR via Socket.io

Overview Platform: BugForge Vulnerability: Insecure Direct Object Reference (IDOR) via Socket.io WebSocket event Key Technique: Enumerating message IDs through an unauthenticated Socket.io p...

medium
MesaNet: OTP Bypass + Gateway Entitlement Override

Overview Platform: BugForge Vulnerability: OTP Bypass via JSON Array Parameter Injection, Broken Access Control via Gateway Entitlement Override Key Technique: Sending all 10,000 OTP codes i...

hard
Shady Oaks Financial: Broken Access Control + Rounding Exploit

Overview Platform: BugForge Vulnerability: Broken Access Control on admin endpoints; Rounding exploit in stock trading Key Technique: Accessing admin-only API routes with a regular user JWT ...

medium
Copypasta: IDOR on Snippet Deletion

Overview Platform: BugForge Vulnerability: Insecure Direct Object Reference (IDOR) — missing authorization check on snippet deletion Key Technique: Exploiting inconsistent authorization betw...

easy
Tanuki: XXE Injection via Deck Import

Overview Platform: BugForge Vulnerability: XML External Entity (XXE) Injection Key Technique: XXE via XML deck import endpoint with in-band exfiltration through stored entity values Result...

medium
Cheesy Does It: Payment Calculation Bug

Overview Platform: BugForge Vulnerability: Payment calculation bug (tip formula error), inconsistent input validation between endpoints Key Technique: Exploiting a flawed tip calculation for...

medium
Cafe Club: Mass Assignment on Loyalty Points

Overview Platform: BugForge Vulnerability: Mass Assignment Key Technique: Injecting unvalidated fields into profile update JSON body to overwrite server-side loyalty points balance Result:...

easy
Ottergram: GraphQL IDOR via Introspection

Vulnerability: GraphQL Introspection Disclosure, IDOR via GraphQL Query, Plaintext Password Storage Key Technique: GraphQL introspection to discover schema, then direct object reference via us...

medium
FurHire: WAF Bypass — Stored XSS via Application Status

Overview Platform: BugForge Vulnerability: Stored XSS, WAF Bypass Key Technique: oncontentvisibilityautostatechange event handler bypasses keyword-based WAF blocklist, fires via content-visi...

hard
GalaxyDash: SQLi Function Filter Bypass

SQL injection with function filter bypass on a cargo booking application. Bypassed WAF restrictions on SQL functions to extract database contents.

medium
FurHire: MFA Bypass via Mass Assignment

Mass assignment to enable MFA on admin account, then brute-force the 4-digit OTP to bypass MFA and access the admin panel.

medium
SmallMart: Unicode Case Mapping Bypass

Unicode case mapping bypass to access the admin panel. Exploiting server-side Unicode normalization to circumvent role validation.

hard
MesaNet: SQL Injection + Info Disclosure

SQL injection combined with information disclosure on MesaNet access panel. Error-based extraction to gain access to the dev console.

hard
React2Shell: Pre-Auth RCE in React Server Components (CVE-2025-55182)

A missing hasOwnProperty check in the React Flight deserializer lets a crafted multipart chunk traverse `__proto__` and reach the Function constructor for pre-auth RCE. With HTTP egress blocked, th...

hard
FurHire: Second-Order SQL Injection

Second-order SQL injection via stored username payload. Injected during registration, triggered when the application queries user data.

medium
Verbose: SSTI to RCE

Server-side template injection in Jinja2 via EXIF metadata, escalating from SSTI confirmation to full RCE and root shell.

medium
Visible Error-Based SQLi: PostgreSQL Under a Character Limit

A TrackingId cookie is injectable but capped near 54 characters. Emptying the cookie value plus a short `::int` cast over `array_agg(password)[1]` leaks the admin password through the cast error.

medium
SQL Injection Filter Bypass via XML Entity Encoding

A stock-check endpoint takes XML and a WAF blocks SQL keywords. Hex entities like `SELECT` decode after the filter, and boolean-based blind extraction with CHR()/ASCII()/BETWEEN recovers the a...

medium
RCE via Server-Side Prototype Pollution

Polluting Object.prototype.execArgv with a `--eval` flag makes every subsequent Node child_process.fork() spawn with attacker-controlled arguments, executing fs.unlinkSync() for remote code execution.

hard
Bypassing Flawed Input Filters for Server-Side Prototype Pollution

The app strips `__proto__` keys but not the equivalent constructor.prototype path. A nested constructor/prototype object pollutes Object.prototype to set isAdmin and gain admin access.

medium
Privilege Escalation via Server-Side Prototype Pollution

An Express JSON endpoint merges user input without filtering `__proto__`. Sending `__proto__.isAdmin=true` pollutes Object.prototype so the account inherits admin privileges.

medium
Detecting Blind Server-Side Prototype Pollution

When polluted properties are not reflected, polluting `__proto__.status=599` and forcing a JSON parse error surfaces the inherited status code in the Express error response, confirming pollution.

medium
Client-Side Prototype Pollution in Third-Party Libraries

jQuery BBQ (CVE-2021-20086) pollutes Object.prototype from the URL hash, and Google Analytics' hitCallback gadget flows into setTimeout as a string sink. `#__proto__[hitCallback]=alert(...)` executes.

medium
DOM XSS via Client-Side Prototype Pollution

A vulnerable deparam() parser lets `?__proto__[transport_url]=...` pollute Object.prototype. A config object that never sets transport_url inherits the polluted value and injects a script src.

medium
DOM XSS via an Alternative Prototype Pollution Vector

A jQuery parseParams parser pollutes via dot notation. Polluting `__proto__.sequence` feeds an attacker string into a concatenated eval(), breaking out of manager.macro() to call alert().

medium
Client-Side Prototype Pollution via Flawed Sanitization

A sanitizer strips `__proto__` once and non-recursively. The nested key `__pro__proto__to__` collapses back to `__proto__` after removal, restoring the pollution path to a script-src gadget.

medium
Client-Side Prototype Pollution via Browser APIs

transport_url is defended with an own false value and Object.defineProperty, but the descriptor omits `value`. Polluting `__proto__[value]` makes defineProperty read the attacker's value off the pr...

medium
Poluted: Prototype Pollution to XSS

Prototype pollution to bypass access controls and reach a 403-protected admin endpoint via __proto__ payload injection.

easy
JavaScript URL XSS: Character-Blocking Bypass via Spread Operator

A reflected search value lands inside a javascript: URL's fetch() object literal with parentheses, brackets, backticks and backslashes all stripped. A spread-operator side effect sets window.onerro...

hard
SVG XSS: xlink:href Namespace Bypass

A filter blocks the SVG anchor's href but misses the legacy XML-namespaced xlink:href, which browsers treat identically. The namespaced attribute carries a javascript: URI to click-triggered XSS.

medium
SVG XSS: Dynamic href via SMIL Animation

A WAF blocks static href and all event handlers on whitelisted SVG tags. An `` sets the dangerous attribute at runtime, after the parse-time filter has already passed the markup.

medium
Canonical Link Tag XSS: accesskey + onclick Attribute Injection

Input reflected into a `` href escapes angle brackets but not quotes. Breaking out of the href to inject accesskey and onclick yields keyboard-triggered XSS from a tag in the document head.

medium
Attribute Breakout XSS: autofocus + onfocus Auto-Execution

Input reflected inside an `` attribute is HTML-encoded in the page body but not in the attribute. Closing the quote and injecting autofocus+onfocus fires JavaScript with no user interaction.

medium
JSON Injection via eval(): DOM XSS Breakout

A search response is concatenated into `eval('var x = ' + responseText)`. A backslash-quote payload breaks out of the JSON string literal so the reflected search term executes as JavaScript.

medium
Incomplete HTML Escaping: Single-Replace Double-Tag Bypass

An escape function calls String.replace() without the global flag, so only the first `` are encoded. A leading dummy `` absorbs the escaping and a trailing `` executes.

medium
AngularJS Template Injection: constructor.constructor Sandbox Escape

User input rendered inside AngularJS expressions (with ng-app present) reaches the Function constructor through constructor.constructor, escaping the expression sandbox to run arbitrary JavaScript.

medium
Intigriti November Challenge: SSTI to RCE

A chain through a negative-amount business-logic flaw and a JWT none-algorithm auth bypass reaches an admin profile field with Jinja2 SSTI. A `self.__init__.__globals__` os.popen payload executes c...

hard
Password Reset Race Condition: PHP Session-Locking Bypass

PHP serializes requests per session, hiding a password-reset token race. Issuing each parallel request under a separate session cookie defeats the lock so the two requests process concurrently.

hard