Submit a Flag
Hello! Set an optional nickname below so your submissions show up on the scoreboard. You've found 0 / 12 flags.
Your progress
1. Robots.txt Disclosure
Hint: Web crawlers read a special file at a well-known path. Have you looked at it?
2. Secrets in HTML Comments
Hint: Developers sometimes leave notes to themselves in the HTML. Right-click → View Source on any page.
3. IDOR on Student Profile
Hint: Numbers in URLs are just numbers. What happens if you change them?
4. Forced Browsing / Missing Auth
Hint: Being hidden from the navigation is not the same as being protected. Have you checked the paths the robots file gave away?
5. Username Enumeration
Hint: Error messages can give things away. Try a username you made up, and then one you know exists. Is the response identical?
6. Client-side Price Tampering
Hint: The browser is not a trusted client. Open DevTools and look at the form fields before you press Buy.
7. Sequential File Reference
Hint: File names can follow a pattern. `timetable_1.pdf` is linked from the dashboard — what about the other numbers?
8. Reflected XSS
Hint: Try searching for something that isn't plain text — something the browser would normally render.
9. Business-Logic Flaw (Discount)
Hint: Every rule has a limit. What happens when you apply that discount code again? And again? And again?
10. Debug Endpoint Exposure
Hint: Developers have a common URL path for dev-only pages. You may have seen it signposted earlier.
11. Hidden-Field Mass Assignment
Hint: The dropdown is a suggestion. Look at the actual HTML `<option>` elements on the registration page.
12. Directory Listing Exposure
Hint: Web servers sometimes show you a list of files when no index page is configured. Try a URL that looks like a folder (ends with `/`) — one of the paths listed in robots.txt might be worth a look.