Web Sec Challenges
I'm proud of these and I sometimes send people to this page to find cool web problems. But I'm resetting the semester too. So you can find old problems at: 2021 Problems and Fall 22 CTF problems
(selector fun) https://websec.prof.ninja/ctf/selectors/
(Firebase fetching, dynamic client-side URLs) https://minceraft-game.web.app/ (WARNING this updates every 60 seconds)
(Firebase Oracle)
(Speedrun 1: LFI)https://dtctf.herokuapp.com/
(Speedrun 2: exposed .git)https://pswd.fsg.opalstacked.com/
(Speedrun 3: Type Juggling)https://lampdemo.herokuapp.com/
(Speedrun 4: UNSERIALIZATION)https://pickledrick.herokuapp.com/
(Hard XSS) https://xssflag.web.app/ On this one I'm asking you to hack me, so DM me if you need me to jump on the site and get hacked by you. Flag is in admin's private user data.
(10 flags RSA workshop): https://gist.github.com/AndyNovo/db07790dc9bd57a343de8a42d5b992ad
(BurpSuite Repeater): https://screeching-possible-talk.glitch.me/
(Prototype Pollution) https://knotty-conscious-firewall.glitch.me/
(OWASP Juice Shop) Setup Juice Shop in CTF FLAG MODE take a screenshot of a flag you get
(S3 Misconfig) http://fall23webhost.s3-website-us-east-1.amazonaws.com/