Easy
Token Tomb
The PulsePay console uses JWTs but accepts tokens with alg=none, allowing role escalation to admin and exposure of foreign partner PII.
What you’ll practice in Token Tomb
Token Tomb is a realistic web hacking lab you can run locally in a controlled environment. You’ll practice mapping attack surface, testing authentication and authorization boundaries, and chaining weaknesses into impact — without spoilers.
- Difficulty: Easy
- Format: Local-first lab environment (recommended: Docker)
- Focus areas: Web exploitation fundamentals