
Featured track

Bits n Bites: deep dive

A live money-laundering operation hidden inside a food delivery app: rise through the ranks to find out who's behind the suspicious-looking restaurants.

Bits n Bites drops you into the Bits n Bites platform: a slick food delivery app that Sine Nomine suspects is a laundering front. Your cover is a regular customer account. Your mission is to map the financial network from the inside. To do it, you will need to exploit broken access controls and injectable endpoints, bypass authentication flows, and trace transaction patterns that no legitimate delivery app should ever produce.

Why it matters in the real world

These are not theoretical vulnerabilities. In 2017, Equifax lost 147 million records because a single web framework went unpatched. In 2023, a SQL injection flaw in MOVEit compromised data across more than 2,000 organisations. In 2012, a mass assignment bug on GitHub let an attacker add his own SSH key to any repository. In 2016, Uber's broken access controls exposed 57 million user records. Bits n Bites combines all of these vulnerability classes into a single target, because that is exactly how real applications fail: not through one flaw, but through a chain of them. The track starts the same way a real attacker would, by mining leaked breach data. Knowing how to spot and connect these weaknesses is the difference between shipping secure code and becoming the next incident report.

What you'll hack

Your target is Bits n Bites, a mobile delivery app whose API endpoints do nearly everything except protect user data. Before you even touch the app, you will query a leaked Equifax-style dataset in Azure Table Storage and use differential login responses to identify active accounts. From there, the attack chain never stops.

Boolean-based blind SQL injection on the restaurant search endpoint lets you extract MFA identifiers the UI never shows. Insecure direct object references let you read TOTP secrets belonging to other users. A mass assignment flaw lets you hijack MFA configurations the frontend deliberately hides. Client-side JavaScript reveals hardcoded AES encryption keys. Stored XSS in the driver-vendor chat steals live authentication tokens. And an XML export feature, vulnerable to XXE, becomes a server-side request forgery gadget that reaches the internal financial ledger.

Each vulnerability feeds the next. You are not running isolated exercises. Across 13 challenges and 5 phases, you are building a single, continuous attack chain from a leaked dataset all the way to the internal ledger that proves the laundering operation exists.

Challenges

Mobile applications can have the same vulnerabilities

Chain real-world vulnerabilities across five phases, from Equifax-style data recon to a full XXE-to-SSRF exfiltration chain. Every technique maps to a documented breach.

13 challenges · 5 phases · 8+ vulnerability types

The attack starts before you touch the app. Query a leaked dataset in Azure Table Storage using OData filters, then cross-reference hits against the platform's login form, which leaks account existence through differential error messages. This is how real attackers weaponise breach data.
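The login-form weakness in this step is a response that differs for registered and unregistered emails. The following Python is an added example, not code from the Bits n Bites platform: it shows the leaky pattern beside a hardened login that returns one generic failure and does the same password-hashing work either way, plus a small detection helper that flags a source trying many distinct emails. The user table, the PBKDF2 iteration count and the log events are constructed for the demo.

```python
"""Uniform login responses and enumeration detection (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption: PBKDF2 work factor chosen for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: email -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT, hash_password("correct horse", _SALT)),
}

# A dummy credential is verified for unknown emails so that the code path and
# the hashing cost are identical whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

GENERIC_FAILURE = {"status": 401, "error": "Invalid email or password."}


def login_leaky(email: str, password: str) -> dict:
    """The weak pattern: distinct errors tell a caller which emails exist."""
    record = USERS.get(email)
    if record is None:
        return {"status": 404, "error": "No account with that email."}
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return {"status": 401, "error": "Incorrect password."}
    return {"status": 200, "user": email}


def login_uniform(email: str, password: str) -> dict:
    """Hardened: same status, same message and same hashing work either way."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # The membership check comes after the hash so the cost is constant.
    ok = hmac.compare_digest(candidate, stored) and email in USERS
    if not ok:
        return GENERIC_FAILURE
    return {"status": 200, "user": email}


def flag_enumeration(failures, threshold: int = 5):
    """Detection: source IPs whose failed logins span many distinct emails.

    `failures` is an iterable of (source_ip, email) pairs taken from
    authentication-failure logs.
    """
    seen = {}
    for ip, email in failures:
        seen.setdefault(ip, set()).add(email)
    return sorted(ip for ip, emails in seen.items() if len(emails) >= threshold)


# Constructed login-failure events for the detection helper.
SAMPLE_FAILURES = [("203.0.113.7", f"user{i}@example.com") for i in range(6)] + [
    ("198.51.100.2", "alice@example.com"),
    ("198.51.100.2", "alice@example.com"),
]

if __name__ == "__main__":
    print(login_leaky("nobody@example.com", "x"), login_leaky("alice@example.com", "x"))
    print(login_uniform("nobody@example.com", "x"), login_uniform("alice@example.com", "x"))
    print(flag_enumeration(SAMPLE_FAILURES))
```

The generic message alone is not enough: if the unknown-email branch skips the hash, the response time still leaks account existence, which is why the dummy credential is hashed on every failed path.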

The restaurant search endpoint returns results or an empty list depending on an injected boolean condition. No error messages, no timing tricks. Just true or false, one bit at a time, until you have extracted MFA identifiers the API was built to hide. It is the same pattern behind the MOVEit breach that compromised over 2,000 organisations in 2023.
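The oracle described above exists only because user input reaches the WHERE clause as SQL text. This added Python example (not the platform's code) puts a string-concatenated search beside a parameterised one over a constructed in-memory SQLite table, so you can see the injected condition flip the vulnerable endpoint's answer while the parameterised query treats the same input as a literal search term.

```python
"""Boolean oracle via string concatenation vs. a parameterised query (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table: one row is unapproved and must never be listed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE restaurants (id INTEGER PRIMARY KEY, name TEXT, approved INTEGER)"
    )
    conn.executemany(
        "INSERT INTO restaurants (name, approved) VALUES (?, ?)",
        [("Pasta Palace", 1), ("Burger Barn", 1), ("Silent Partner Sushi", 0)],
    )
    return conn


def search_concat(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the term is spliced into the SQL, so a quote ends the
    string literal and whatever follows becomes part of the WHERE clause."""
    sql = f"SELECT name FROM restaurants WHERE name LIKE '%{term}%' AND approved = 1"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the term is bound as a value; it can only ever be a pattern."""
    sql = "SELECT name FROM restaurants WHERE name LIKE ? AND approved = 1"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    for probe in ["Pasta", "Pasta%' AND 1=1 --", "Pasta%' AND 1=2 --"]:
        print(repr(probe), search_concat(db, probe), search_param(db, probe))
```

With the concatenated query, `1=1` and `1=2` produce different result sets, which is the one-bit channel the challenge uses, and the trailing comment also discards the `approved = 1` filter. With the bound parameter both probes return nothing, because there is no restaurant whose name contains that text.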

The frontend hides the MFA ownership field, but the API accepts it. Send a crafted JSON body with someone else's email and your own MFA settings ID, and the platform reassigns their second factor to you. In 2012, the same class of vulnerability on GitHub let an attacker add his SSH key to any repository.

The driver-vendor chat blocks exact script tags but not case variations. Inject a stored XSS payload that steals the vendor's authentication token from localStorage. Then use that token to access the vendor portal and exploit an XXE vulnerability in the XML export feature, turning it into an SSRF gadget that reaches the internal financial ledger.
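Two hardening points for this step, as an added Python example that is not code from the Bits n Bites platform. The chat filter fails because a case-sensitive blocklist is the wrong control; encoding the message on output makes any markup inert regardless of case. The XML export becomes an SSRF gadget only if the parser honours a DTD, so the parser below refuses any input that carries a `DOCTYPE` before it touches the XML. The sample export and the DTD sample are constructed, and the URL in it is a placeholder.

```python
"""Output encoding for chat messages and DTD-free XML parsing (added example)."""
import html
import re
import xml.etree.ElementTree as ET


def blocklist_filter(message: str) -> str:
    """Weak: strips the exact tag only, so a case variation passes through."""
    return message.replace("<script>", "").replace("</script>", "")


def render_chat_message(message: str) -> str:
    """Hardened: encode on output; the browser shows markup as text."""
    return html.escape(message, quote=True)


# Any document type declaration means entity declarations are possible.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def reject_reason(data) -> "str | None":
    """Return why an export upload is refused, or None if it may be parsed."""
    raw = data.encode() if isinstance(data, str) else data
    if _DOCTYPE_RE.search(raw):
        return "document type declarations are not accepted"
    return None


def parse_export(data) -> ET.Element:
    """Parse an XML export only after the DTD check.

    ElementTree does not fetch external entities itself, but refusing the DTD
    also closes internal-entity expansion and keeps the rule independent of
    whichever parser the export feature is later moved to.
    """
    reason = reject_reason(data)
    if reason is not None:
        raise ValueError(reason)
    raw = data.encode() if isinstance(data, str) else data
    return ET.fromstring(raw)


# Constructed samples.
CLEAN_EXPORT = b"<orders><order id='1' total='12.50'/></orders>"
DTD_EXPORT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE orders [<!ENTITY ext SYSTEM "http://placeholder.invalid/">]>'
    b"<orders><order id='1'>&ext;</order></orders>"
)

if __name__ == "__main__":
    print(blocklist_filter("<ScRiPt>alert(1)</ScRiPt>"))
    print(render_chat_message("<ScRiPt>alert(1)</ScRiPt>"))
    print(parse_export(CLEAN_EXPORT).tag, reject_reason(DTD_EXPORT))
```

Store the chat message verbatim and encode when rendering; a filter that rewrites input is both bypassable and lossy. For the export, logging the rejection with the uploading account is the detection signal: a legitimate vendor has no reason to send a DTD.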

Change a single ID in the MFA settings endpoint and read another user's TOTP secret. Then find a hardcoded AES key buried in client-side JavaScript and use it to decrypt the driver's email from order receipts. Uber lost 57 million records to broken access controls like these in 2016.
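The IDOR in this step and the mass-assignment hijack two steps earlier are both failures of the same MFA-settings handler: it looks rows up by ID without checking ownership, returns the secret, and attaches whatever JSON it is posted. The following Python is an added example, not the platform's code, showing a vulnerable read and update beside hardened versions that check ownership on every access, never return the secret, and accept only an allowlist of client-updatable fields. The store, emails and base32 secrets are constructed dummy values.

```python
"""Ownership checks and field allowlisting on an MFA-settings endpoint (added example)."""
from dataclasses import asdict, dataclass


@dataclass
class MfaSettings:
    id: int
    owner_email: str
    totp_secret: str  # constructed dummy value, never a real credential
    enabled: bool = True


def make_store() -> dict:
    """Constructed data: two users, each owning one MFA settings row."""
    return {
        1: MfaSettings(1, "alice@example.com", "JBSWY3DPEHPK3PXP"),
        2: MfaSettings(2, "driver@example.com", "KRSXG5CTMVRXEZLU"),
    }


# The only field a client may change. Ownership and the secret are server-side.
CLIENT_UPDATABLE = {"enabled"}


def _owned(store: dict, current_user: str, settings_id: int):
    s = store.get(settings_id)
    return s if s is not None and s.owner_email == current_user else None


def get_mfa_vulnerable(store, current_user, settings_id) -> dict:
    """IDOR: looks up by ID alone and serialises the whole row, secret included."""
    return {"status": 200, "body": asdict(store[settings_id])}


def get_mfa(store, current_user, settings_id) -> dict:
    """Hardened: the row must belong to the caller; the secret is never returned.
    Missing and foreign rows get the same 404 so IDs cannot be confirmed."""
    s = _owned(store, current_user, settings_id)
    if s is None:
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": {"id": s.id, "enabled": s.enabled}}


def update_mfa_vulnerable(store, current_user, settings_id, body) -> dict:
    """Mass assignment: every posted key is attached to the object."""
    s = store[settings_id]
    for key, value in body.items():
        setattr(s, key, value)
    return {"status": 200, "body": asdict(s)}


def update_mfa(store, current_user, settings_id, body) -> dict:
    """Hardened: ownership check first, then reject any key outside the allowlist
    (rather than silently dropping it, so misuse is visible in logs)."""
    s = _owned(store, current_user, settings_id)
    if s is None:
        return {"status": 404, "body": {"error": "not found"}}
    extra = set(body) - CLIENT_UPDATABLE
    if extra:
        return {"status": 400, "body": {"error": f"not updatable: {sorted(extra)}"}}
    s.enabled = bool(body["enabled"])
    return {"status": 200, "body": {"id": s.id, "enabled": s.enabled}}


if __name__ == "__main__":
    store = make_store()
    print(get_mfa_vulnerable(store, "alice@example.com", 2))
    print(get_mfa(store, "alice@example.com", 2))
    print(update_mfa(store, "driver@example.com", 2, {"owner_email": "alice@example.com"}))
```

The allowlist is the important half: a denylist of "dangerous" keys would have to anticipate every field the model ever grows, whereas an allowlist fails closed when a new server-side field is added.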

Equifax-Style Data Recon

Attack chain

Account recon

Query a leaked Equifax-style dataset stored in Azure Table Storage using OData filters. Then probe the platform's login form with the data you have found.

Infiltration

Create an account, inspect the profile API, and discover hidden settings.

Account takeover

Hijack configurations through mass assignment flaws, reroute authentication codes to yourself, and take full control of a suspect's account.

Lateral movement

Pivot from customer to driver by chaining SQL injection, an IDOR that exposes the driver's TOTP secret, and AES decryption that reveals identifying information about the driver. Then generate TOTP codes and reset their password.

Exfiltration

Exploit an XXE vulnerability in the vendor's XML export feature to trigger server-side request forgery against the internal ledger.

OWASP Top 10 (2025) coverage

A01: Broken Access Control
  • Exploit insecure direct object references to access MFA settings belonging to other users.
  • Abuse mass assignment vulnerabilities to overwrite account ownership fields the API was never meant to expose.
  • Leverage server-side request forgery through XML external entity injection to reach internal services.
A02: Security Misconfiguration
  • Recover supposedly deleted messages from browser localStorage that the platform forgot to clear, revealing the name of the bank behind the laundering operation.
A04: Cryptographic Failures
  • Recover hardcoded encryption keys left in client-side JavaScript and use them to decrypt protected driver metadata.
A05: Injection
  • Execute boolean-based blind SQL injection against the restaurant search endpoint. Results appear or vanish depending on injected conditions, leaking data the UI was built to hide.
  • Bypass weak sanitisation filters using case-variation payloads to deliver stored XSS through the driver-vendor chat, stealing authentication tokens in real time.
  • Craft XXE payloads that turn an XML export feature into a gateway to internal financial ledgers.
A07: Authentication Failures
  • Enumerate valid accounts by observing how the login flow responds differently to registered and unregistered users.
  • Hijack MFA flows by redirecting second-factor challenges to an attacker-controlled account, then use the intercepted codes to reset the target's password and take full control.
A08: Software and Data Integrity Failures
  • Exploit a generic update endpoint that blindly attaches posted objects without validating ownership, enabling full MFA hijacking through a single crafted request.