The Challenges
Short, sharp targets. One flag each. Every challenge teaches a single vulnerability class against a believable fictional app.
SwiftSearch Hotels
SwiftSearch's hotel API accepts a JSON filter body that's merged straight into a MongoDB-style query. Ordinary users filter by city and price; operators slip in just as easily.
Nimbus Ledger
Nimbus Ledger's report builder accepts a client-supplied query spec and runs it against the documents in an embedded NoSQL store that shares a namespace with the admin audit log.
Herbalist Remedies
Herbalist Remedies — an herbal-blend catalog — trusts its login form to compare MongoDB query objects. Slip an operator in and see who else is home.
GlacierCache
GlacierCache's offline-sync pipeline trusts the metadata blob stored in a client-created sync token. The commit step replays that blob straight into a document query — including a collection that isn't the one you thought.
DroneFleet Ops
DroneFleet's callsign search pipes raw user input into a MongoDB-style $regex match. The results panel shows a match count but nothing else about the hidden ops-secrets collection — just enough to leak one bit per request.
Ciphered Cart
NovaStore's promo-code endpoint leaks one bit per request. The storefront only tells you "applied" or "invalid" — nothing more. Pry the hidden admin-vault secret out one boolean at a time. Requests are rate-limited, so brute force will not save you.
Voucher Vault
Redzone Rewards — an internal employee rewards portal — exposes a voucher search that concatenates user input straight into a SELECT. Find the hidden administrative voucher.
Trace Control
Trackboard, an internal issue tracker, rolled to production with display_errors accidentally left on. Its /issues page has a numeric id param and a loose sense of type safety. Coax a database error to tell you what you need.
Shadow Registrar
RegistryPro's WHOIS terminal returns three things: a status word, a reflected domain name, and a lookup time. The query layer accepts stacked statements. Everything you need leaks through the clock.