Practical, browser-based lab environments across ethical hacking, pen testing, cloud and OT security. Free labs unlock with any account; advanced labs require a plan upgrade.
HackerVerse 2025 Finals — GraphQL hides a server-side fetcher; the fetcher reaches a key store; a sealed payload is waiting.
HackerVerse 2025 Round 3 — API Expert. VaultDoor JWT — the kid header tells the server which key to use.
HackerVerse 2025 Round 2 — API Hard. Mapless API treats login fields as document filters.
HackerVerse 2025 Round 2 — API Hard. DocVault's GraphQL API has more shape than its docs admit.
A login API that 'enforces' rate limits — but broken in 3 ways: IP spoofing via X-Forwarded-For, case-normalization bypass, and no limit on password reset.
A GraphQL API with introspection left enabled in production, a hidden admin query, and no batch protection.
Authentication API using JWT. Three classic token attacks: alg=none confusion, weak HS256 secret crack, and privilege escalation.
A SaaS user-profile API that blindly binds JSON payloads to DB fields and returns too much data. Two vulns: mass assignment and excessive data exposure.
A banking REST API with hidden Broken Object Level Authorization (BOLA) + Broken Function Level Authorization (BFLA) flaws across 3 endpoints.
Coding Challenge — HARD. Build a stack-based bytecode interpreter with frames, jumps, calls.
Coding Challenge — HARD. Content-addressable VCS with blob/tree/commit objects, log, diff, checkout.
Coding Challenge — HARD. Implement closed/open/half-open state machine with concurrent-call semantics.
Coding Challenge — HARD. Build a regex engine supporting . * + ? [..] \d \w \s and groups.
Coding Challenge — HARD. Build a Bloom filter with sizing, double-hashing, serialise/deserialise, union/intersection.
Coding Challenge — HARD. Build a RabbitMQ-style broker with direct/fanout/topic exchanges, ack/nack, DLX.
Coding Challenge — HARD. Build parser combinators and use them for arithmetic with precedence.
Coding Challenge — HARD. Implement diff/patch with keyed-children reorder using move ops.
Coding Challenge — HARD. A* on a 2D grid with 4-dir or 8-dir + manhattan/chebyshev heuristics.
Coding Challenge — HARD. Mustache-style renderer with sections, inverted sections, partials, dotted lookup, raw triple-mustache.
Coding Challenge — MEDIUM. Verify Stripe-style webhook signatures with timestamp tolerance, rotation, and constant-time compare.
Coding Challenge — MEDIUM. Compute next-run for a 5-field cron expression in UTC.
Coding Challenge — MEDIUM. LCS-based array diff with apply + unified-format output.
Coding Challenge — MEDIUM. Tiny ICU-message-format-lite with plural, number, date for en + hi.
Coding Challenge — MEDIUM. Convert a GFM markdown table to HTML with alignment.
Coding Challenge — HARD. Build a job queue with concurrency cap, priority, pause/resume, clear, and events.
Coding Challenge — HARD. Build a Redux-style store with subscribe, combineReducers, and applyMiddleware.
Coding Challenge — HARD. Build a chat-style room server with presence, broadcast, and per-user fan-out across multiple sockets.
Coding Challenge — HARD. Execute a parsed GraphQL AST against a resolver map with variables and error capture.
Coding Challenge — HARD. Implement async Semaphore, Mutex, and RWLock with writer-no-starvation.
Coding Challenge — HARD. Build a small markdown→HTML site generator with layout templating and an index.
Coding Challenge — HARD. Parse + execute SELECT with WHERE/ORDER BY/LIMIT/OFFSET against in-memory tables.
Coding Challenge — HARD. Build a leader-follower KV with monotonic ops, idempotent replication, and leader promotion.
Coding Challenge — HARD. Build an Express-style framework with routing, params, middleware chain, prefix middleware, and error handling.
Coding Challenge — HARD. Build a tiny ORM with operator-based where, query chain, and multi-collection support.
Coding Challenge — MEDIUM. Apply, snapshot, and restore an event-sourced bank-account store.
Coding Challenge — MEDIUM. Bounded cache with both TTL expiry and LRU eviction, plus stats counters.
Coding Challenge — MEDIUM. Implement keyset pagination with opaque base64 cursors.
Coding Challenge — MEDIUM. Validate, hash, magic-check, dedupe an image upload batch.
Coding Challenge — MEDIUM. Three Express-style middlewares: authenticate, requireRole, rateLimitByUser.
Coding Challenge — MEDIUM. Implement a DataLoader-style batcher: dedupes keys, batches per microtask, caches results, isolates errors.
Coding Challenge — MEDIUM. In-memory pub/sub with + and # topic wildcards, error isolation, ordering.
Coding Challenge — MEDIUM. Parse + validate + transform + dedupe a member-import CSV.
Coding Challenge — MEDIUM. Reimplement Promise.all / .race / .allSettled from scratch.
Coding Challenge — MEDIUM. Build /search with multi-field matching, simple ranking, category filter, and pagination.
Coding Challenge — LOW. Implement async retry with exponential backoff, shouldRetry predicate, onRetry callback.
Coding Challenge — LOW. Append query params to a URL with proper encoding, array repetition, and fragment preservation.
Coding Challenge — LOW. Throttle with leading/trailing edge options + cancel.
Coding Challenge — LOW. Build a bounded LRU with O(1) get/set, MRU-first iteration, has() does NOT promote.
Coding Challenge — LOW. Build a 7-class error hierarchy with status codes, reason phrases, factory, and toJSON.
Coding Challenge — LOW. Parse one or more 'Name <email>' addresses, respecting quoted commas.
Coding Challenge — LOW. Implement chunk + chunkBy with input validation and immutability.
Coding Challenge — LOW. URL slug generator with diacritics + collision handling.
Coding Challenge — LOW. Format INR (lakh/crore), USD, EUR, GBP, JPY with correct grouping and decimal rules.
Coding Challenge — LOW. Implement deepEqual covering primitives, NaN, arrays, objects, Date, RegExp.
Coding Challenge — MEDIUM. Implement a sliding-window rate limiter with retryAfterMs.
Coding Challenge — MEDIUM. Implement query() with filters, search, multi-sort, and pagination.
Coding Challenge — MEDIUM. Implement refresh-token rotation that's safe under concurrent calls with the same old token.
Coding Challenge — MEDIUM. Refactor a feed query that does N+1+M lookups down to ≤ 4 prepared-statement calls.
Coding Challenge — MEDIUM. Build a small REST API with JWT auth, bcrypt passwords, and per-user ownership.
Coding Challenge — LOW. Implement signup validation that catches multiple errors at once.
Coding Challenge — LOW. Date range filter excludes the `to` day. Make it inclusive without excluding the start.
Coding Challenge — LOW. Fix missing awaits, error propagation, GST + rounding in getOrderTotal.
Coding Challenge — LOW. CORS allowlist with subdomain wildcard. No * fallback, no suffix-attack vulnerabilities.
Coding Challenge — LOW. Five REST handlers always return 200. Make them return the correct status codes.
Coding Challenge — LOW. Implement debounce(fn, ms) with cancel() and `this` preserved.
Coding Challenge — LOW. A user cache never invalidates. Add proper invalidation, update, delete.
Coding Challenge — LOW. SQL by string concatenation is vulnerable. Convert to a parameterised query.
Coding Challenge — LOW. paginate() has off-by-one and clamping bugs. Fix all 10 assertions.
Coding Challenge — LOW. Two pure functions drive a React signup form. Both have bugs — fix them so submission and per-keystroke updates work correctly.
HackerVerse 2025 Finals — recover keys from a memory dump, factor a small modulus, decrypt the payload.
HackerVerse 2025 Round 2 — Crypto Hard. Token verifier with two distinct error responses.
A SCIM 2.0 endpoint with 3 flaws: unauth enumeration, filter injection, and bulk-update privilege escalation.
You've captured network traffic. Analyze it to find 3 secrets: a cleartext password, an exfil'd file, and a DNS tunneling channel.
Low-priv shell as 'victim'. Escalate to root via 3 paths: SUID binary, sudo NOPASSWD, writable cron script.
A login flow with 3 MFA flaws: response tampering, flow skip via direct endpoint call, and backup-code brute force.
A SAML 2.0 SP that performs weak XML validation — susceptible to XML signature wrapping (XSW) and assertion tampering.
Three classic password-reset flaws: predictable token, host header injection, and user-enumeration race condition.
A CRM app with Role-Based Access Control — implemented wrong 3 ways. Escalate from 'salesperson' to 'admin' via header tampering, cookie flags, and endpoint-level auth gaps.
An OAuth provider with 3 redirect_uri validation flaws: prefix match, open redirect chain, and path traversal in the allowlist.
Three command injection challenges with filter bypasses: basic shell injection, filtered metachars, and blind time-based injection.
Simulated nmap + banner grab against a corporate network. Enumerate 5 hosts, find open ports and fingerprint versions — one service is vulnerable.
A legacy webapp with 3 session flaws: predictable session IDs, session fixation, and cookie exposure in URL.
Examine 6 login pages (banking, Google, PayPal, Microsoft) and identify which are phishing. Analyze URL, form action, branding cues, cert details.
Multi-stage OSINT challenge. Follow breadcrumbs across fake GitHub, social profiles, and a pastebin to uncover an employee's credentials and find the hidden internal document.
Database — HARD. SQL allowlist + anomaly detection.
Database — HARD. Sync/async replication with quorum.
Database — HARD. Priority scheduling with aging.
Database — HARD. Logged 2PC coordinator with crash recovery.
Database — HARD. Non-blocking ADD COLUMN with chunked backfill + dual-write.
Database — HARD. Single-decree Paxos with quorum + value adoption.
Database — MEDIUM. Postgres-style cost arithmetic for plan nodes.
Database — MEDIUM. Index skip scan for composite indexes.
Database — MEDIUM. SQL:2011 system-versioned tables.
Database — MEDIUM. BEFORE/AFTER triggers with mutate/reject.
Database — MEDIUM. TF-IDF ranking + phrase queries.
Database — MEDIUM. Matview with sync + concurrent refresh + staleness.
Database — EASY. Session-scoped temp tables with name resolution.
Database — EASY. JSONB path query with predicates + wildcards.
Database — HARD. Change-data-capture stream with consumer offsets.
Database — HARD. Trace replay with parallelism + regression detection.
Database — HARD. Range/hash sharded routing with rebalance.
Database — HARD. Log-structured merge tree with SSTables + compaction.
Database — HARD. Strict 2-phase locking with growing/shrinking phases.
Database — MEDIUM. Row↔column transposition with aggregation.
Database — MEDIUM. GROUP BY with multiple aggregates + HAVING.
Database — MEDIUM. WITH RECURSIVE fixed-point iteration.
Database — MEDIUM. Timestamp-based deadlock prevention.
Database — MEDIUM. Full + incremental snapshot chain with restore.
Database — MEDIUM. Page-image redo log with replay and reconstruction.
Database — EASY. SQL collation comparison: binary/CI/locale/natural.
Database — HARD. Federated multi-backend queries with pushdown.
Database — HARD. Row-oriented and columnar storage with cost model.
Database — HARD. Pattern-based SQL injection scanner with scoring.
Database — HARD. SQL savepoints with selective rollback.
Database — HARD. HLC-based LWW with union-merge strategy for arrays.
Database — HARD. Cost-based row estimation with selectivity + join math.
Database — MEDIUM. Histogram + MCV-based selectivity estimation.
Database — MEDIUM. ROW_NUMBER/RANK/LAG/LEAD/SUM with PARTITION BY.
Database — MEDIUM. Stable keyset pagination over sorted data.
Database — MEDIUM. Foreign key constraints with CASCADE/RESTRICT/SET NULL.
Database — MEDIUM. Bitmap index for low-cardinality columns.
Database — MEDIUM. Linear-probing hash index with growth + tombstones.
Database — EASY. Storage/index cost of BIGINT vs UUID strategies.
Database — EASY. SQL lexer producing typed token stream.
Database — HARD. Range + hash partitioning with pruning.
Database — HARD. DB connection pool with queue + idle eviction.
Database — HARD. Rule-based plan rewrites (pushdown, fold, combine).
Database — HARD. Snapshot isolation with version chain + conflict detect.
Database — MEDIUM. Autovacuum threshold + priority scheduler.
Database — MEDIUM. Track replica lag in bytes + ms.
Database — MEDIUM. LRU buffer pool with dirty pages + pinning.
Database — MEDIUM. Row-lock manager with deadlock detection.
Database — MEDIUM. Recommend indexes from workload analysis.
Database — MEDIUM. Cost-based join order with greedy heuristic.
Database — EASY. Parse Postgres EXPLAIN ANALYZE output.
DevOps — HARD. Multi-service coordinated rollout with rollback.
DevOps — HARD. Health-based DNS failover with flap detection.
DevOps — HARD. Detect orphan cloud resources not in IaC.
DevOps — HARD. Cordon/drain/upgrade orchestrator with PDB.
DevOps — HARD. Service dependency graph with impact + topo + cycles.
DevOps — HARD. Linear regression cost forecasting + anomaly detection.
DevOps — HARD. N-of-M approval gates with author exclusion.
DevOps — MEDIUM. Detect perf regressions via threshold + z-score.
DevOps — MEDIUM. Alert dedup + grouping + exponential backoff.
DevOps — MEDIUM. Pull-model metric scraper with staleness + parsing.
DevOps — MEDIUM. Distributed trace span aggregation with critical path.
DevOps — MEDIUM. API gateway with routes, auth, rate-limit.
DevOps — EASY. PII redaction in logs and structured data.
DevOps — EASY. Percentage feature flag rollout with ramp + segments.
DevOps — HARD. Multi-tenant router with rate-limit + isolation.
DevOps — HARD. Registry pull-through cache with LRU + single-flight.
DevOps — HARD. Detect stuck/orphan jobs with action recommendation.
DevOps — HARD. Reusable workflow templates with param substitution.
DevOps — HARD. Resource tag policy enforcement engine.
DevOps — HARD. IAM role assumption with chain + cycle detection.
DevOps — HARD. IaC plan/apply with create/update/delete/replace.
DevOps — MEDIUM. Tiered audit log retention with auto-migration.
DevOps — MEDIUM. Ordered DB migrations with up/down + checkpoint.
DevOps — MEDIUM. Compare desired vs actual infrastructure state.
DevOps — MEDIUM. Helm-style template renderer with if/range/default.
DevOps — MEDIUM. GFS retention with daily/weekly/monthly tiers.
DevOps — EASY. HMAC webhook signing with replay protection.
DevOps — EASY. Track TLS cert expiry with warning tiers.
DevOps — HARD. Weighted traffic routing with sticky sessions.
DevOps — HARD. Dev → staging → prod with attestation gates.
DevOps — HARD. Topo-ordered build DAG with cache invalidation.
DevOps — HARD. SLO error budget tracking with burn rate alerts.
DevOps — HARD. Multi-source aggregator with dedup + tag index.
DevOps — HARD. Multi-region failover with freeze + quorum.
DevOps — MEDIUM. Bin-packing scheduler with affinity + selectors.
DevOps — MEDIUM. k8s-style label-based network policies.
DevOps — MEDIUM. Serialize PR merges with path-overlap detection.
DevOps — MEDIUM. Probabilistic fault injection with match rules.
DevOps — MEDIUM. Target-tracking HPA with stabilization windows.
DevOps — MEDIUM. SRV-style registry with priority + weight.
DevOps — EASY. Deterministic cache keys for build steps.
DevOps — EASY. Liveness/readiness probe with hysteresis.
DevOps — HARD. k8s-style namespace quota admission.
DevOps — HARD. Rotation schedule + escalation chain.
DevOps — HARD. Rolling restart honoring maxUnavailable + maxSurge.
DevOps — HARD. 3-layer config merge with provenance tracking.
DevOps — HARD. Versioned secrets with overlap grace window.
DevOps — HARD. Per-service breaker with per-route overrides.
DevOps — HARD. Metric-driven canary progression with auto-rollback.
DevOps — MEDIUM. Enforce semver/registry/digest policies on image refs.
DevOps — MEDIUM. Dynamic port pool with sticky + reserved bindings.
DevOps — MEDIUM. Blue/green deployment state machine with healthcheck + rollback.
DevOps — MEDIUM. Streaming log tailer with grep + context + follow.
DevOps — MEDIUM. Detect Dockerfile anti-patterns.
DevOps — MEDIUM. 5-field cron parser with next-fire computation.
DevOps — EASY. Merge .env layers with provenance tracking.
DevOps — EASY. Parse YAML-lite + dot-path get/set.
HackerVerse 2025 Finals — RE the verifier, write a keygen, then notice the format itself has a flaw.
HackerVerse 2025 Round 3 — RE Expert. A stripped ELF with one entry point. Recover the password it accepts.
HackerVerse 2025 Round 2 — Forensics Hard. Memory dump with decoy flags. The real one isn't ASCII.
HackerVerse 2025 Round 1 — OSINT Medium. A user posts photos online. Find their real name, the city of their latest landscape, and their employer. Submit name|city|employer.
HackerVerse 2025 Round 1 — Forensics Medium. An image with something hidden in it. Read it, follow it, and carve what you find.
HackerVerse 2025 Round 1 — Forensics Easy. A packet capture from a suspicious workstation. Login is in the clear. The data after isn't.
The system has 7 deliberate security vulnerabilities. Find and fix them all. The capstone for the Linux Administration path.
Generate SSH keys, set up passwordless login, copy files securely with SCP, create config profiles.
Essential Linux networking tools: ip, ss, ping, curl, dig, traceroute, and more.
Manage software packages on Ubuntu/Debian with APT and dpkg. Install, remove, search, inspect.
Manage running processes, monitor system resources, find and kill rogue processes.
Write your first bash scripts. Variables, loops, conditionals, arguments, functions.
Create, modify, delete users and groups. Understand /etc/passwd, /etc/shadow, /etc/group.
Master Linux file permissions. Fix broken configs, change ownership, set proper modes.
Master ls, cat, head, tail, wc, sort, uniq, cut, grep, pipes, and redirection.
Master navigating the Linux filesystem. Find hidden files, extract archives, follow symlinks, use find/grep.
Learn what Linux is, explore distributions, run your first commands on a real Linux system.
Multi-host OT lab with a simulated Siemens SIMATIC S7-300 controlling a chemical reactor. Three S7-protocol attacks: reconnaissance, recipe-secret extraction (DB2), and STOP CPU.
Multi-host OT lab simulating a tank/pump system. PLC (Modbus TCP) + HMI dashboard + your Kali workstation, all on an isolated industrial subnet. Recon Modbus, manipulate registers, take down the pump.
System Design — HARD. Tiered downsampling: raw → 1m → 1h → 1d.
System Design — HARD. Misra-Gries heavy-hitter detection in bounded memory.
System Design — HARD. Resumable bulk import with checkpoint + skip-on-error.
System Design — HARD. Atomic state + outbox with replay-safe relay.
System Design — HARD. Price-time priority limit order book.
System Design — HARD. Push-pull gossip protocol with version-based reconciliation.
System Design — HARD. Chubby-style lease lock with global sequencer.
System Design — MEDIUM. Per-user hourly+daily quotas, all must pass.
System Design — MEDIUM. K-way merge of sorted feed sources with dedup.
System Design — MEDIUM. Bounded async queue with block/drop policies.
System Design — MEDIUM. Weighted variant assignment with allowlist.
System Design — MEDIUM. Online-user tracking via heartbeats.
System Design — MEDIUM. Shortest path + friends-of-friends in social graph.
System Design — EASY. JSON-Schema-style validator with collected errors.
System Design — EASY. In-memory KV with per-key time-to-live.
System Design — HARD. Async cross-region replication with LWW.
System Design — HARD. Priority queue with aging to prevent starvation.
System Design — HARD. Power-of-two-choices load balancer with healthchecks.
System Design — HARD. Tail-and-ship with offset checkpoint and retry.
System Design — HARD. PN-Counter CRDT (commutative, idempotent, associative).
System Design — HARD. Vector clocks for causal ordering of events.
System Design — HARD. Raft election state machine.
System Design — MEDIUM. Sub-linear frequency estimator.
System Design — MEDIUM. Probabilistic ordered set in O(log n).
System Design — MEDIUM. Weighted trie with top-k prefix completion.
System Design — MEDIUM. SHA-256 merkle tree with proofs and diff.
System Design — MEDIUM. Probabilistic membership filter with bit array.
System Design — MEDIUM. O(1) LRU cache with capacity-bounded eviction.
System Design — EASY. 64-bit unique IDs with timestamp + workerId + sequence.
System Design — EASY. Byte-rate shaper that schedules egress timing.
System Design — HARD. Sidecar with retries, timeouts, and circuit breaker.
System Design — HARD. Tumbling-window inner join over two streams.
System Design — HARD. 2PC coordinator with prepare/commit/abort phases.
System Design — HARD. Cassandra-style replicated KV with quorum + read-repair.
System Design — HARD. Consistent-hash CDN cache with stampede protection.
System Design — HARD. Append-only event log with materialized projections.
System Design — HARD. Saga pattern with compensating transactions.
System Design — MEDIUM. Aggregate ticks into 1s OHLC bars per symbol.
System Design — MEDIUM. Point-in-polygon geofence with bbox indexing.
System Design — MEDIUM. Inverted-index search with TF-IDF scoring + prefix completion.
System Design — MEDIUM. Session store with sliding idle timeout + absolute cap + per-user destroy.
System Design — MEDIUM. Multi-channel notifications with prefs, quiet hours, dedup, channel-error isolation.
System Design — MEDIUM. Inventory with TTL'd reservations; never oversells under concurrency.
System Design — EASY. Track clicks per resource in 1-min/1-hour/24-hour rolling windows with bounded memory.
System Design — EASY. Per-user flag service with percent rollout, allow/deny lists, and stable bucketing.
System Design — HARD. Geo-bucketed driver-rider matching with throughput and fairness budgets.
System Design — HARD. Delayed-job scheduler with at-least-once delivery, visibility timeout, retries, dead-letter.
System Design — HARD. Idempotent charge endpoint with conflict detection + concurrent-retry safety.
System Design — HARD. Lock service with TTLs and globally-monotonic fencing tokens.
System Design — HARD. LRU cache with crash-safe write-ahead log + compaction.
System Design — HARD. Quorum-based replicated shortener: handles failures, partitions, recovery.
System Design — HARD. URL shortener with strict throughput + p99 latency budgets.
System Design — MEDIUM. Priority queue with dedup, sendAt delay, retries with backoff, dead-letter.
System Design — MEDIUM. Approximate distinct counter (HyperLogLog) with merge + serialise.
System Design — MEDIUM. Maintain top-K efficiently under heavy churn with O(log n) ops.
System Design — MEDIUM. High-fanout pub/sub with error isolation and 1M deliveries/sec target.
System Design — MEDIUM. Consistent-hash ring with virtual nodes; minimal remap on add/remove.
System Design — MEDIUM. Distributed sliding-window rate limiter that holds globally across N edge nodes via shared store.
System Design — EASY. Build a tinyurl-style shortener with idempotency, custom aliases, hit counting.
System Design — EASY. Per-key token bucket with capacity + refill rate. Auto-graded for correctness, throughput, and fairness.
HackerVerse 2025 Finals — pickle RCE → recover token → HMAC-sign admin command.
HackerVerse 2025 Finals — three-stage chain. SSTI, file read, JWT forge.
HackerVerse 2025 Round 3 — Web Expert. NoteVault search returns 200 OK for everything. The response time isn't constant.
HackerVerse 2025 Round 3 — Web Expert. RewardOne single-use coupons. Reach ₹150.
HackerVerse 2025 Round 3 — Web Expert. YamlPort loads configs. External requests get safe_load. Internal ones get more.
HackerVerse 2025 Round 3 — Web Expert. StatusOne fetches localhost diagnostics. There's a daemon listening that shouldn't be exposed.
HackerVerse 2025 Round 3 — Web Expert. SessionPort imports a session, but checks for dangerous strings.
HackerVerse 2025 Round 3 — Web Expert. A frontend and a backend disagree about how to read a request.
HackerVerse 2025 Round 3 — Web Hard. VaultPanel checks Origin before running admin commands. The check has shape.
HackerVerse 2025 Round 3 — Web Hard. NewsLine has a CDN cache. The admin reviewer visits every 20 seconds.
HackerVerse 2025 Round 2 — Web Hard. CSVImporter runs `wc -l` on what you upload.
HackerVerse 2025 Round 2 — Web Hard. DocBack validates purchase-order XML. They've blocked the obvious external-entity attack.
HackerVerse 2025 Round 2 — Web Hard. Greetly renders user input through a template. The filter is opinionated.
HackerVerse 2025 Round 2 — Web Hard. A small wallet API. The transfer flow is sequential but pauses in the middle.
HackerVerse 2025 Round 2 — Web Hard. Prefly merges user preferences into a settings object. Their merge function blocks the textbook payload.
HackerVerse 2025 Round 2 — Web Hard. A URL-preview service with a hostname blocklist. The blocklist isn't enough.
HackerVerse 2025 Round 1 — API Medium. Plinth ships a clean REST API with two flags hidden inside. Both reachable, neither obvious.
HackerVerse 2025 Round 1 — API Medium. FintechCo's banking API uses HS256 JWTs with a defensive guard against the obvious bypass. Find a way through it.
HackerVerse 2025 Round 1 — Web Medium. Westgate Public Library's staff portal trusts a homebrew sanitiser. Bypass it, then exfiltrate from a table the catalogue doesn't list.
HackerVerse 2025 Round 1 — Web Easy. The Voice blog ships a comment sanitiser that strips <script> tags but allows event handlers. An admin bot reviews comments every 30s carrying a session cookie that contains the flag. Steal it.
HackerVerse 2025 Round 1 — Web Easy. A small e-commerce site went live with an admin panel left in robots.txt and default credentials in production. Find the panel, find the creds, retrieve the flag.
An e-commerce checkout with 3 business logic flaws: coupon double-apply race, negative quantity, and checkout step skip.
Legacy SOAP/XML endpoint with 3 flaws: classic XXE file read, blind XXE via error, and Python pickle deserialization RCE.
Photo sharing platform with 5 file upload vulnerabilities: extension bypass, MIME spoofing, path traversal, SVG polyglot, ZIP slip.
Project management app with SSRF (URL preview + webhook tester), CSRF (team transfer + email change), and open redirect.
A digital banking platform with 5 authentication/session vulnerabilities: brute force, JWT alg=none, predictable reset tokens, session fixation, and forgeable 'remember me' cookies.
A medical records system with 5 broken access control vulnerabilities: IDOR, privilege escalation, path traversal, missing function-level auth, and cookie-based role bypass.
An analytics SaaS platform with 6 injection vulnerabilities: SQLi (UNION + blind), NoSQL injection, command injection, LDAP injection, and SSTI.
A SaaS invoicing dashboard with 5 XSS vulnerabilities buried in modern-web patterns: prototype pollution, postMessage, JSONP, client-side templates, and filter bypass via exotic schemes.
A Twitter-like social platform with a 'working' sanitizer. Five XSS vulnerabilities hidden in filter bypasses, DOM re-parsing, and client-side enrichment logic.
A developer note-sharing platform with 4 XSS vulnerabilities hidden in plain sight. Explore like a real user, identify the weak spots, and pop prompt(1).
Exploit a corporate portal with 7 real vulnerabilities: XSS (reflected & stored), SQL injection (auth bypass & data extraction), CSRF, command injection, and IDOR.