12 challenges spanning injection, auth confusion, access control, SSRF, logic, and client-side — calibrated to actually resist one-shot scanners. Captured a FLAG{…}? → submit it on the 🚩 scoreboard.
RS256→HS256: sign an admin token with the exposed public key as the HMAC secret.
tool: browser_cdp_jwt_analyze
No errors — extract the admin secret char-by-char, then unlock.
tool: browser_cdp_sqli_probe
Confirm SSRF out-of-band via an OAST hit, then pivot to an internal endpoint.
tool: browser_oast_* + browser_cdp_ssrf_probe
Double-redeem a single-use code via a check-then-act window.
tool: browser_cdp_race_condition_test
Defeat the prefix allowlist to leak the auth code off-origin.
tool: browser_oauth_redirect_uri_attack
Bypass the script/onerror/onload/alert filter and exfiltrate the bot's cookie.
tool: browser_cdp_xss_payload_inject
Pollute __proto__.isAdmin to bypass an authz check.
tool: browser_cdp_prototype_pollution_scan
Alias/batch/nest around the own-id check to read admin's secret field.
tool: browser_cdp_graphql_scan
Poison the reset link host to capture the victim's token → ATO.
tool: browser_cdp_header_injection
Buy the enterprise SKU for a total ≤ 0 via client-supplied price / negative qty.
tool: browser_cdp_boundary_value_test
Store a template payload in your profile that detonates when rendered later.
tool: browser_cdp_ssti_probe
Defeat script-src 'self' using a same-origin JSONP callback.
tool: browser_cdp_csp_bypass_probe