Web has been everywhere from mobile app, digital signage to iOT. It has been growing and more and more feature-rich than before including recent HTTP2, WebSocket, WebAssembly. In this challenge series, all challenges are based on bounty write-ups, real-world assessments, incidents and researches. 

To be able to successfully play the challenges, please make sure: 

• You have already known how to develop a web application from basic to intermediate level.

• You have already known how to play with web proxy tools such as Burp Suite, ZAP.

• You have already read through a book or two on web application penetration testing.

Organizations have been failing to maintain basic CIS controls - inventory of assets and secure configurations.  This has been the case of the major success in bounty programs where identifyin...

Handcraft your beautiful payload proof-of-concept for a given vulnerability scenario. Creating POC has been necessary more than ever as developers have been fatigue with thousands of vulnerabilitie...

We keep getting to learn tons of evasion techniques. But only a few of us have chances to get our hands dirty on such challenges in real world. Now this challenge series, this is no more dreamy ima...

With this advanced world where security is embedded in most organizations, how many times have you faced input validation and have assumed this is safe to let go? You will find challenges that you ...

Web Application Firewall (WAF) is used as a quick-fix approach for various injection attacks. For fear of breaking existing application functions, WAFs deploy rulesets very loosely defined to suit ...

With the awareness of Cross-Site Request Forgery (CSRF) attack, developers have been protecting their applications from adding anti-CSRF token or other means. Normal IT audit inspector or lazy pent...

URL Redirection has been one of the most prevalent features in today's web sites as they need users to navigate from one page to another.

In a normal web site, URL redirection to an externa...

Well, it is a usual argument from developers that XSS does not work on all browsers as Internet Explorer, Safari, Mobile Opera and Samsung browsers protect XSS. When you attempt to crack this serie...

We,pentesters, way too much focus on technical aspects of vulnerability. Advanced attackers are goal-driven and objective-based. They set goal and identify which attack vectors can bring them acces...

With this complex world where applications are massively interconnected and cohesively making the best use of one another's data, an attack can happen from every angle if you don't think beyond. Th...

With the popularity of templating engines and parsers, plain old attack payloads may be neutralized or may still work depending on how an application is developed.  In this challenge series, y...

Creating bots has never been more important than ever before: be it for worm-like massive hacking attacks, remote access, automating workflows and more. Developers have come out with CAPTCHA soluti...

Developers have been protecting their applications against some attacks such as CSRF, JSONP-Hijacking, Hotlink protection by comparing Referrer header with allowed domains or URLs. This challenge f...

Authentication and access control have been common security mechanisms to authenticate genuine users of the application since decades ago.  Yet, gaps do happen. We should not assume things as ...