Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
There's cross site request forgery (CSRF) protection, but how good is it?
Can you successfully force the admin password to be updated via CSRF? This means you must be on YOUR site and be able to force the data to be updated successfully.
The CSRF token generated is unique to your session so you must be able to send anyone a proof of concept and force the admin password to be changed.