Don't like this style? Click here to change it! blue.css

Welcome .... Click here to logout

Web Sec Challenges

I've been hiding flags in each set of notes so far, here they are collected:

Test yourself: (harder than others as a test)
(get curious)
(debug the app (or not))
(firebase uuids)
(firebase auth)
MINCERAFT! (Single Page Apps)
(Server-Side Template Injection) ALSO SOURCE HERE
(MISC coding)
(MISC coding pt 2)
(SQL) A pure SQL (not injection) problem, how about that
(SQLi 1)
(SQLi 2)
Even the Least Among Us can make a difference
(AWS Lambda):
(XSS) You can only get your flag when the admin logs in. I'm the admin, ping me in Discord if you think you're ready to get the flag.
(Network Analysis) Sniffer101.pcapng
(Stretchers): gist follows
(Transforms): gist follows
(ECB Oracle): gist follows
(DHKE Mechanics): gist follows
(Pohlig-Hellman): gist follows
(TLS Handshakes): My malware found the following file on the target's computer: sslkey.log and of course we were capturing packets too: tls.pcapng
(PHP Sessions): (the admin is zero indexed)
(File Upload Exploit):
(JWT Mismanagement):
(MISC: Just a game) To win today's flag be voted top 3 in Mona Lisa Smile:
(prototype pollution)
(PHP Jail 1)
(DIY flags) Check the notes, let's try student-made problems together
(Authentic Experiences) Source follows: