Labs
Every lab is a full stack. You’re not solving riddles — you’re chaining real bugs.
A retro arcade startup bolted "approval tokens" onto their onboarding flow...
Signed-URL fetch gateway with legacy v1 signing oracle, internal ops console SQLi, restricted SSTI env leak, and a canary code host that leaks the signing key in git history.
Sourcemap leak reveals a legacy ops bridge and hidden fixtures.
Chain: Unauthenticated order-tracking BOLA leaks customer creds -> discover hidden /login on store -> login posts to auth-user API -> invoice downloader URL pivot to auth-admin…
LinkLapse ops suite. Exploit an OAuth account-linking flaw to bind your LinkID identity to a support seat (account takeover, ATO).
Password reset token forgery -> GraphQL object authorization bug -> documents key leak -> signed link path traversal -> JWT forgery -> SSRF into internal ops -> diagnostics comm…
Chain: SQLi auth foothold -> SQLi dump weak QA hash -> reuse creds to internal chat -> obtain Gitea creds -> leak internal API key from old commit -> command injection on intern…
Poppet is a boutique toy studio with interconnected services handling storefront, fulfillment, CRM, and payroll.
Quarter Shift is a multi-subdomain casino web app with tournaments, SSO, and an internal backoffice.
An independent cinema chain discovers irregularities in its internal management platform.
Accounting PM portal with a mass-assignment role escalation that unlocks classified client projects.
A partner-facing referral API ships with public docs that expose a demo webmail login.
Multi-tenant billing portal with a broken object-level authorization check in invoice retrieval.
PulsePay console uses JWTs but accepts alg=none, allowing role escalation to admin and exposure of foreign partner PII.
Unauthenticated debug endpoint leaks sensitive config (classic info disclosure).
Law firm case exports. Downloading exports by public ID leaks an internal subdomain and credentials, leading to a second API with hidden config.