WEBVERSE

The Challenges

Short, sharp targets. One flag each. Every challenge teaches a single vulnerability class against a believable fictional app.

Showing 1–9 of 118 challenges

medium
deserialization

Almanac

Almanac is a private journaling app — write dated entries, keep your photos, and carry the whole archive between devices. The catch is the "carry it across" part: exporting your capsule and importing it on another device are two halves of the same trusting handshake.

medium
deserialization

Cookbook

A recipe manager and meal planner. You can export any recipe to a portable backup and import it on another device — and the restore step trusts the backup a little too much.

medium
deserialization

Knockdown

A maker community for flat-pack furniture. Every build exports to one portable file you can share, and anyone can paste that file back in to restore the whole design — cut list, hardware, and the rendered preview, exactly as it shipped.

easy
deserialization

TicketSeason

A verified hockey-ticket marketplace that keeps you signed in between visits by stashing your account in a "remember me" cookie. The box office trusts whatever it finds in there.

medium
sqli

DropCall

Wilderness Permits' search was rebuilt in 2023 with a deliberately minimal failure surface. Minimal is not the same as silent.

easy
recon

Dust Jacket

A cooperative bookstore that ships nationwide. The shop has been migrating off an old hosting plan — and they left a few crates of files where the public can poke at them.

easy
recon

Endpaper

A neighborhood newsroom running on a CMS they inherited from the previous editor. The server is friendlier than it should be — and one of the URLs it's chatting about is interesting.

medium
recon

Flap Copy

A pastel marketing site for a beloved iOS task app. Two static files meant for native-app plumbing happen to describe the staff-only routes the website itself doesn't link.

medium
sqli

FreightManifest

Aerotrust Supply's parts catalog has been answering the same way since 1999. The wrapper around it has changed; the voice on the page hasn't.