HARD tier

12 challenges spanning injection, auth confusion, access control, SSRF, logic, and client-side — calibrated to actually resist one-shot scanners. Captured a FLAG{…}? → submit it on the 🚩 scoreboard.

H1 · JWT alg confusion hard

RS256→HS256: sign an admin token with the exposed public key as the HMAC secret.

/api/hard/jwt-confusion · /.well-known/hard-jwks.json

tool: browser_cdp_jwt_analyze

H2 · Blind boolean/time SQLi hard

No errors — extract the admin secret char-by-char, then unlock.

/api/hard/report?id=

tool: browser_cdp_sqli_probe

H3 · Blind SSRF → internal expert

Confirm SSRF out-of-band via an OAST hit, then pivot to an internal endpoint.

/api/hard/preview?url= · /api/hard/oast/<token>

tool: browser_oast_* + browser_cdp_ssrf_probe

H4 · Race / TOCTOU hard

Double-redeem a single-use code via a check-then-act window.

/api/hard/redeem?code=GOLD100

tool: browser_cdp_race_condition_test

H5 · OAuth redirect_uri bypass hard

Defeat the prefix allowlist to leak the auth code off-origin.

/api/hard/oauth-authorize

tool: browser_oauth_redirect_uri_attack

H6 · XSS behind a WAF blocklist hard

Bypass the script/onerror/onload/alert filter and exfiltrate the bot's cookie.

/hard/waf-xss/ · /api/hard/greet?name=

tool: browser_cdp_xss_payload_inject

H7 · Server-side prototype pollution expert

Pollute __proto__.isAdmin to bypass an authz check.

/api/hard/account (POST JSON)

tool: browser_cdp_prototype_pollution_scan

H8 · GraphQL field-authz bypass hard

Alias/batch/nest around the own-id check to read admin's secret field.

/api/hard/graphql (POST)

tool: browser_cdp_graphql_scan

H9 · Reset host-header poisoning hard

Poison the reset link host to capture the victim's token → ATO.

/api/hard/reset (POST)

tool: browser_cdp_header_injection

H10 · Business-logic price tamper medium+

Buy the enterprise SKU for a total ≤ 0 via client-supplied price / negative qty.

/api/hard/checkout (POST)

tool: browser_cdp_boundary_value_test

H11 · Second-order stored SSTI expert

Store a template payload in your profile that detonates when rendered later.

/api/hard/profile → /api/hard/render

tool: browser_cdp_ssti_probe

H12 · CSP bypass via JSONP gadget expert

Defeat script-src 'self' using a same-origin JSONP callback.

/hard/csp/ · /api/hard/jsonp?callback=

tool: browser_cdp_csp_bypass_probe