The Web War()
(Audience: Pentester/BountyHunter)



Welcome, Ninja!

Web has been everywhere from mobile app, digital signage to iOT. It has been growing and more and more feature-rich than before including recent HTTP2, WebSocket, WebAssembly. In this challenge series, all challenges are based on bounty write-ups, real-world assessments, incidents and researches. 

To be able to successfully play the challenges, please make sure: 

  • You have already known how to develop a web application from basic to intermediate level.

  • You have already known how to play with web proxy tools such as Burp Suite, ZAP.

  • You have already read through a book or two on web application penetration testing.


OSINT/Recon

Organizations have been failing to maintain basic CIS controls - inventory of assets and secure configurations.  This has been the case of the major success in bounty programs where identifyin...

Exploitation Lab

Handcraft your beautiful payload proof-of-concept for a given vulnerability scenario. Creating POC has been necessary more than ever as developers have been fatigue with thousands of vulnerabilitie...

Bypasses in Cross Site Scripting (XSS)

We keep getting to learn tons of evasion techniques. But only a few of us have chances to get our hands dirty on such challenges in real world. Now this challenge series, this is no more dreamy ima...

BYPASSES IN INPUT RESTRICTION

With this advanced world where security is embedded in most organizations, how many times have you faced input validation and have assumed this is safe to let go? You will find challenges that you ...

Bypassing Web Application Firewall

Web Application Firewall (WAF) is used as a quick-fix approach for various injection attacks. For fear of breaking existing application functions, WAFs deploy rulesets very loosely defined to suit ...

Bypassing Anti-CSRF protection

With the awareness of Cross-Site Request Forgery (CSRF) attack, developers have been protecting their applications from adding anti-CSRF token or other means. Normal IT audit inspector or lazy pent...

Bypassing Open Redirect Protection

URL Redirection has been one of the most prevalent features in today's web sites as they need users to navigate from one page to another.

In a normal web site, URL redirection to an externa...

XSS/HTMLi: Universal Browser Edition

Well, it is a usual argument from developers that XSS does not work on all browsers as Internet Explorer, Safari, Mobile Opera and Samsung browsers protect XSS. When you attempt to crack this serie...

DATA IS GOLDEN

We,pentesters, way too much focus on technical aspects of vulnerability. Advanced attackers are goal-driven and objective-based. They set goal and identify which attack vectors can bring them acces...

THINK BEYOND

With this complex world where applications are massively interconnected and cohesively making the best use of one another's data, an attack can happen from every angle if you don't think beyond. Th...

Parsers Playground

With the popularity of templating engines and parsers, plain old attack payloads may be neutralized or may still work depending on how an application is developed.  In this challenge series, y...

Bypassing UI-based CAPTCHAs

Creating bots has never been more important than ever before: be it for worm-like massive hacking attacks, remote access, automating workflows and more. Developers have come out with CAPTCHA soluti...

Bypassing Referrer-check Protection

Developers have been protecting their applications against some attacks such as CSRF, JSONP-Hijacking, Hotlink protection by comparing Referrer header with allowed domains or URLs. This challenge f...

Bypassing Access Control

Authentication and access control have been common security mechanisms to authenticate genuine users of the application since decades ago.  Yet, gaps do happen. We should not assume things as ...