| Empty User Registration | Improper Input Validation | 250 |
| Admin Registration | Improper Input Validation | 450 |
| Deluxe Fraud | Improper Input Validation | 450 |
| Reset Uvogin's Password | Sensitive Data Exposure | 700 |
| Login Amy | Sensitive Data Exposure | 450 |
| Forgotten Developer Backup | Sensitive Data Exposure | 700 |
| Forgotten Sales Backup | Sensitive Data Exposure | 700 |
| API-only XSS | XSS | 450 |
| Client-side XSS Protection | XSS | 450 |
| CSP Bypass | XSS | 700 |
| HTTP-Header XSS | XSS | 700 |
| Video XSS | XSS | 1350 |
| Cross-Site Imaging | Security Misconfiguration | 1000 |
| Login Support Team | Security Misconfiguration | 1350 |
| Leaked Access Logs | Observability Failures | 1000 |
| Access Log | Observability Failures | 700 |
| Database Schema | Injection | 450 |
| Ephemeral Accountant | Injection | 700 |
| User Credentials | Injection | 700 |
| CAPTCHA Bypass | Broken Anti Automation | 450 |
| Privacy Policy Inspection | Security through Obscurity | 450 |
| Arbitrary File Write | Vulnerable Components | 1350 |
| Local File Read | Vulnerable Components | 1000 |
| Unsigned JWT | Vulnerable Components | 1000 |
| Imaginary Challenge | Cryptographic Issues | 1350 |
| Premium Paywall | Cryptographic Issues | 1350 |
| Nested Easter Egg | Cryptographic Issues | 700 |
| Email Leak | Sensitive Data Exposure | 1000 |
| Missing Encoding | Improper Input Validation | 100 |
| Exposed credentials | Sensitive Data Exposure | 250 |
| Forged Signed JWT | Vulnerable Components | 1350 |
| Blocked RCE DoS | Insecure Deserialization | 1000 |
| Successful RCE DoS | Insecure Deserialization | 1350 |
| Memory Bomb | Insecure Deserialization | 1000 |
| Extra Language | Broken Anti Automation | 1000 |
| Multiple Likes | Broken Anti Automation | 1350 |
| Reset Morty's Password | Broken Anti Automation | 1000 |
| Bjoern's Favorite Pet | Broken Authentication | 450 |
| SSTi | Injection | 1350 |
| SSRF | Broken Access Control | 1350 |
| NoSQL Manipulation | Injection | 700 |
| NoSQL DoS | Injection | 700 |
| NoSQL Exfiltration | Injection | 1000 |
| Allowlist Bypass | Unvalidated Redirects | 700 |
| Outdated Allowlist | Unvalidated Redirects | 100 |
| Poison Null Byte | Improper Input Validation | 700 |
| Misplaced Signature File | Observability Failures | 700 |
| Easter Egg | Broken Access Control | 700 |
| Deprecated Interface | Security Misconfiguration | 250 |
| Upload Type | Improper Input Validation | 450 |
| Upload Size | Improper Input Validation | 450 |
| Kill Chatbot | Vulnerable Components | 1000 |
| Supply Chain Attack | Vulnerable Components | 1000 |
| Server-side XSS Protection | XSS | 700 |
| Vulnerable Library | Vulnerable Components | 700 |
| Weird Crypto | Cryptographic Issues | 250 |
| Legacy Typosquatting | Vulnerable Components | 700 |
| Frontend Typosquatting | Vulnerable Components | 1000 |
| Steganography | Security through Obscurity | 700 |
| Blockchain Hype | Security through Obscurity | 1000 |
| GDPR Data Erasure | Broken Authentication | 450 |
| Change Bender's Password | Broken Authentication | 1000 |
| Login Jim | Injection | 450 |
| Login Bender | Injection | 450 |
| Visual Geo Stalking | Sensitive Data Exposure | 250 |
| Meta Geo Stalking | Sensitive Data Exposure | 250 |
| NFT Takeover | Sensitive Data Exposure | 250 |
| Login Bjoern | Broken Authentication | 700 |
| Five-Star Feedback | Broken Access Control | 250 |
| Web3 Sandbox | Broken Access Control | 100 |
| Admin Section | Broken Access Control | 250 |
| Privacy Policy | Miscellaneous | 100 |
| DOM XSS | XSS | 100 |
| Score Board | Miscellaneous | 100 |
| View Basket | Broken Access Control | 250 |
| Exposed Metrics | Observability Failures | 100 |
| Login Admin | Injection | 250 |
| Bully Chatbot | Miscellaneous | 100 |
| Error Handling | Security Misconfiguration | 100 |
| Confidential Document | Sensitive Data Exposure | 100 |