Calling Card
A security-conscious SaaS that ships a trust center and a /.well-known directory the way mature platforms do. Almost.
The Scenario
Calling Card is a B2B vendor-risk platform — companies use it to track the security posture of every SaaS they buy. The team published a security.txt and a /contact-security disclosure page. A pentester left a note that the disclosure page itself is doing something it shouldn't.
Challenge Intel
Synopsis
/.well-known/security.txt points to /contact-security; that page's inline JS contains a static bearer token that auths /internal/probe.
What It Is
The FastAPI app serves /.well-known/security.txt with a Contact line of /contact-security. That page renders a "Run internal probe" button that POSTs to /internal/probe with an Authorization: Bearer <token> header. The token is hardcoded into the inline <script> on the page. The /internal/probe endpoint validates the bearer token (with a constant-time comparison) and returns the flag in the JSON body. There is no other auth surface; the bearer token in the inline script is the whole leak.
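An added example, not code from the challenge or from the Calling Card app: the defender-side check that would have caught this before a pentester did. It parses a rendered HTML page, collects every inline <script> block (external scripts with a src attribute are skipped), and flags any Bearer literal inside them. The sample page and its token value are constructed placeholders; the check is written against the standard library so it can run in CI over rendered templates.

```python
"""Flag bearer tokens embedded in inline <script> blocks of served HTML.

Added example for the Calling Card write-up; the sample page and the token
string below are constructed placeholders, not values from the challenge.
"""
import re
from html.parser import HTMLParser

# "Bearer <token>" where the token uses the RFC 6750 b64token alphabet.
BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9\-._~+/]+=*)")


class InlineScriptCollector(HTMLParser):
    """Collect the text of every <script> element that has no src attribute."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self._start_line = 0
        self._buf = []
        self.scripts = []  # list of (line of the <script> tag, script text)

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._in_inline_script = True
            self._start_line = self.getpos()[0]  # 1-indexed line number
            self._buf = []

    def handle_data(self, data):
        # In script elements the parser hands us the raw body via handle_data.
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.scripts.append((self._start_line, "".join(self._buf)))
            self._in_inline_script = False


def find_inline_bearer_tokens(html: str):
    """Return (line_number, token) for each Bearer literal in inline scripts."""
    collector = InlineScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for start_line, text in collector.scripts:
        for match in BEARER_RE.finditer(text):
            # The script body starts on the tag's line; count newlines before the hit.
            line = start_line + text[: match.start()].count("\n")
            findings.append((line, match.group(1)))
    return findings


# Constructed sample page modelled on the pattern the challenge describes.
# The token is a placeholder, not a real secret.
SAMPLE_PAGE = """<!doctype html>
<html>
<head><title>Report a security issue</title></head>
<body>
<button id="probe">Run internal probe</button>
<script src="/static/app.js"></script>
<script>
  // Constructed sample: a static credential shipped to every visitor.
  const PROBE_TOKEN = "Bearer PLACEHOLDER-TOKEN-not-a-real-secret";
  document.getElementById("probe").onclick = () =>
    fetch("/internal/probe", {method: "POST", headers: {Authorization: PROBE_TOKEN}});
</script>
</body>
</html>
"""


if __name__ == "__main__":
    # Report only a redacted prefix so the scanner's own output is not a leak.
    for line, token in find_inline_bearer_tokens(SAMPLE_PAGE):
        print(f"line {line}: inline script embeds a bearer token ({token[:4]}...)")
```

The fix is not a better hiding place for the token: anything delivered to the browser is public. Authorization for /internal/probe belongs to the server-side session of an authenticated, authorized user, and a check like this one, run over rendered templates in CI, stops a static credential from being shipped again.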
Who It's For
Players who already check /robots.txt but haven't built the habit of enumerating /.well-known/ — and reading inline page JS for the secrets an "internal-only" UI assumes nobody will see.
Skills You'll Practice
- Enumerating /.well-known/ paths (security.txt, change-password, etc.)
- Reading inline page JS for tokens, endpoints, and feature flags
What You'll Gain
- A first-touch recon checklist that includes /.well-known/*
- An intuition for 'the front-end has the secret embedded' as a vulnerability class
Ready to hack Calling Card?
Upgrade to Pro to unlock this challenge and the full library.