Spin up a vulnerable machine, find the bug, capture the flag. No setup. No VPN. Just your browser.
A shoe blog left a little something in your session. Find the XSS vulnerability and steal the cookie.
Crapazon's product search reflects your input directly on the page. Something in that response shouldn't be there.
Crapazon's seller portal has a login form that talks directly to the database. No sanitisation, no prepared statements — just raw SQL.
Crapazon's order page shows your orders fine. But what happens if you change the order ID in the URL? Does it check who you are?
Crapazon's network diagnostics tool pings any host you enter. The host goes straight into a shell command.
Crapazon's account settings form has no CSRF token. Any page can silently change Alice's email on her behalf.
WhatsUp's link preview feature fetches any URL you send it — including internal ones.
InstaSnap lets you upload a photo to your profile. No file type validation — upload anything you want.
eCorp Fintech lets you pick a plan and send the price yourself. The server trusts whatever number you send.
Chirper has no rate limiting, no lockout, and no CAPTCHA. Brute-force the admin account.
CryptoBurner left debug mode on in production. Sensitive endpoints are wide open.
FirstBank's internet banking has no lockout and no rate limiting. The customer's PIN is 4 digits.
FirstBank's statement viewer takes an account number in the URL. It never checks who you are.
FirstBank's transfer API takes an amount from the client. No validation on whether it's positive.
FirstBank signs session JWTs with a weak secret. Crack it, forge a new token with role: admin.