Flap Copy
A pastel marketing site for a beloved iOS task app. Two static files meant for native-app plumbing happen to describe the staff-only routes the website itself doesn't link.
The Scenario
Flap Copy is an obsessively designed task manager for iPhone, iPad and Mac. The marketing site is a static export — fonts, screenshots, App Store badges — but it also doubles as the host for the iOS app's Universal Links file and the PWA manifest. Both of those JSON files were generated from the same internal route table.
Challenge Intel
Synopsis
The PWA manifest and Apple's apple-app-site-association both reference an unlinked staff dispatch URL that returns the flag without auth.
What It Is
/manifest.webmanifest lists a "shortcuts" array that includes a /console/quick-actions entry, and /.well-known/apple-app-site-association declares a Universal Links "paths" entry for /staff-only/dispatch. Both files are served unauthenticated by nginx. Visiting /staff-only/dispatch on the site returns an HTML page containing the FLAG environment variable. The shortcut and Universal Links files were generated from the same internal route table the website itself intentionally doesn't link.
Who It's For
Players who know that PWAs and iOS apps publish discovery files at fixed locations and want to practice mining them.
Skills You'll Practice
- Reading manifest.webmanifest shortcuts
- Reading .well-known/apple-app-site-association
- Pivoting from native-app plumbing to web routes
What You'll Gain
- An intuition that mobile-platform discovery files leak web routes
- Practice with the standardised /.well-known/ namespace