Understudy
A bold investigative-journalism site with offline support. The offline layer is doing more than just caching the homepage.
The Scenario
Understudy is a small newsroom covering the businesses behind your apps — algorithmic pricing, scraped data brokers, content moderation contractors. Their reporters work on long trains, so the site ships as a progressive web app with an offline reading mode. The service worker that powers that mode is the easiest file on the server to read.
Challenge Intel
Synopsis
The site's service worker hardcodes a precache list that includes an internal health endpoint, which returns the flag without auth.
What It Is
/sw.js is served at the origin root so the service worker can claim the whole scope. Inside is a const precacheList = [...] array literal that includes every URL the SW warms up at install time. One of the entries is /_internal/health, which is also mounted on the Express server, requires no authentication, and returns the FLAG environment variable in its JSON body.
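A build-time check for the exposure described above, as an added example that is not part of the challenge or the site's own code. It pulls the URLs out of a precacheList array literal and fails if any resolve under a denied prefix; the sample service worker source, the deny prefixes, and the function names are assumptions constructed for illustration.

```javascript
// Constructed sample of a service worker source (not the challenge's real file).
const SAMPLE_SW = `
const CACHE = "understudy-v1";
const precacheList = [
  "/",
  "/offline.html",
  '/static/app.css', // trailing comment
  "/_internal/health",
];
self.addEventListener("install", (e) => {
  e.waitUntil(caches.open(CACHE).then((c) => c.addAll(precacheList)));
});
`;

// Assumed policy: path prefixes that must never appear in a client-visible list.
const DENY_PREFIXES = ["/_internal/", "/admin/", "/debug/"];

// Extract the string literals from the `precacheList = [...]` array literal.
function extractPrecacheUrls(source, name = "precacheList") {
  const m = new RegExp(`\\b${name}\\s*=\\s*\\[([\\s\\S]*?)\\]`).exec(source);
  if (!m) return null; // array not found: the caller fails closed
  const urls = [];
  const literal = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
  for (const hit of m[1].matchAll(literal)) urls.push(hit[2]);
  return urls;
}

// Resolve each entry to a normalized path (dot segments collapsed) and
// report any that fall under a denied prefix.
function auditPrecache(source, deny = DENY_PREFIXES) {
  const urls = extractPrecacheUrls(source);
  if (urls === null) {
    return { ok: false, reason: "precacheList not found", flagged: [] };
  }
  const flagged = urls.filter((u) => {
    const path = new URL(u, "https://placeholder.invalid").pathname;
    return deny.some((prefix) => path.startsWith(prefix));
  });
  const reason = flagged.length ? "internal paths in precache list" : "";
  return { ok: flagged.length === 0, reason, flagged };
}

const report = auditPrecache(SAMPLE_SW);
console.log(report.ok ? "precache list clean" : `FAIL: ${report.flagged.join(", ")}`);
```

Dropping the entry from the list only stops advertising the route; the endpoint itself still needs authentication and should not return secrets in its body.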
Who It's For
Players who've used the dev-tools Application tab on a PWA but haven't used the service worker source itself as a recon target.
Skills You'll Practice
- Discovering a service worker at /sw.js
- Mining precache / asset lists for unlinked URLs
- Hitting service-worker-referenced endpoints directly
What You'll Gain
- An intuition for treating sw.js as a sitemap
- Practice connecting offline-cache plumbing to live endpoints