Cross Origin Resource Sharing: Checking if a whitelisted string is found is a bad approach
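The point behind this challenge, as an added illustration that is not code from this page or from bugbountyhunter.com: an origin check that only looks for the trusted string somewhere inside the Origin header reflects attacker-controlled origins, while an exact allowlist match does not. The trusted origin https://app.example.com, the probe origins and the function names are all constructed for the example.

```javascript
// Added example, not the challenge's code. The trusted origin and the
// probe inputs are constructed for illustration.
const TRUSTED_ORIGIN = "https://app.example.com";

// Weak: reflects any Origin that merely CONTAINS the trusted string.
// "https://app.example.com.attacker.net" and "https://xapp.example.com"
// both pass, and with Allow-Credentials the attacker's page can read
// authenticated responses.
function corsHeadersSubstring(origin) {
  if (origin && origin.includes("app.example.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened: parse the Origin, normalise it, and compare the WHOLE origin
// (scheme + host + port) against an explicit allowlist.
const ALLOWED_ORIGINS = new Set([TRUSTED_ORIGIN]);

function corsHeadersExact(origin) {
  if (typeof origin !== "string") return {};
  let normalised;
  try {
    normalised = new URL(origin).origin; // throws on "null" or garbage
  } catch {
    return {};
  }
  if (!ALLOWED_ORIGINS.has(normalised)) return {};
  return {
    "Access-Control-Allow-Origin": normalised,
    "Access-Control-Allow-Credentials": "true",
    // Caches must key on Origin once the header varies per requester.
    "Vary": "Origin",
  };
}

// Which of the given origins does a policy reflect?
function reflectedOrigins(policy, origins) {
  return origins.filter(o => "Access-Control-Allow-Origin" in policy(o));
}

// Constructed probe set: one legitimate origin, three look-alikes.
const PROBES = [
  "https://app.example.com",
  "https://app.example.com.attacker.net",
  "https://xapp.example.com",
  "http://app.example.com",
];

console.log("substring check reflects:", reflectedOrigins(corsHeadersSubstring, PROBES));
console.log("exact check reflects:    ", reflectedOrigins(corsHeadersExact, PROBES));
```

When testing a target, send the same look-alike origins the probe set uses and watch whether the response echoes them back together with Access-Control-Allow-Credentials: true; that pair is what turns a reflected origin into readable cross-site data.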
When you press
Misc / Application Logic: Can you obtain the sensitive information somehow?
We recommend using Firefox for your PoC.
If you visit
Cross Site Scripting (XSS): Can you find any XSS on this "harmless" page?
Open URL Redirect: You may only redirect to *.bugbountyhunter.com
Developers will often lock down their open redirects to only allow for
Can you find out how to redirect to any website? Remember, this challenge is designed to only allow for...
Open URL Redirect: Only relative redirects are allowed!
Sometimes developers want to redirect the user after a certain action has been completed, but they don't want users redirected to third-party websites.
To combat this, developers will sometimes check if the first character is...
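The two redirect restrictions described in the challenges above (an allowed domain and "relative paths only"), each shown as the loose check developers often write next to a stricter one. This is an added example, not the challenges' code; the hostnames, the sample targets and the function names are constructed, and nothing here is claimed to be the intended solution of either challenge.

```javascript
// Added example, not the challenge's code. SITE and the sample targets are
// constructed for illustration.
const SITE = "bugbountyhunter.com";

// --- Allowlisted domain ("*.bugbountyhunter.com") -------------------------

// Weak: asks only whether the allowed domain appears SOMEWHERE in the URL.
function redirectAllowedBySubstring(target) {
  return typeof target === "string" && target.includes(SITE);
}

// Stricter: parse the URL, then compare the HOSTNAME on a label boundary.
function redirectAllowedByHost(target) {
  let u;
  try {
    u = new URL(target);
  } catch {
    return false; // not an absolute URL at all
  }
  if (u.protocol !== "https:") return false; // no javascript:, data:, http:
  const host = u.hostname; // lower-cased; userinfo and port already removed
  return host === SITE || host.endsWith("." + SITE);
}

// --- Relative paths only ---------------------------------------------------

// Weak: "starts with a slash" also admits protocol-relative targets such as
// //host/path, which browsers resolve to a different site.
function relativeAllowedByFirstChar(target) {
  return typeof target === "string" && target.charAt(0) === "/";
}

// Stricter: resolve the target against our own origin exactly as a browser
// would, and accept it only if the resolved origin is still ours.
function relativeAllowedByResolution(target) {
  if (typeof target !== "string" || target.charAt(0) !== "/") return false;
  const base = new URL("https://" + SITE + "/");
  let resolved;
  try {
    resolved = new URL(target, base);
  } catch {
    return false;
  }
  return resolved.origin === base.origin;
}

// Constructed targets exercising both policies. The backslash form matters
// because WHATWG URL parsing treats "\" like "/" for http(s) URLs.
const TARGETS = [
  "https://www.bugbountyhunter.com/profile",
  "https://bugbountyhunter.com.attacker.net/",
  "https://bugbountyhunter.com@attacker.net/",
  "https://attacker.net/?ref=bugbountyhunter.com",
  "/dashboard",
  "//attacker.net/",
  "/\\attacker.net/",
];

function accepted(policy) {
  return TARGETS.filter(policy);
}

console.log("substring:  ", accepted(redirectAllowedBySubstring));
console.log("hostname:   ", accepted(redirectAllowedByHost));
console.log("first char: ", accepted(relativeAllowedByFirstChar));
console.log("resolution: ", accepted(relativeAllowedByResolution));
```

The common thread is that both loose checks reason about the raw string, while a browser reasons about the parsed URL; validating on the parsed hostname or resolved origin closes that gap.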
Cross Site Scripting (XSS): Change the class of our image and pick your favourite!
Our basic HTML web application lets you change an image's style simply by changing its class. View the various styles and decide which you think is best!
Once you're done playing, can you find any XSS? The developers have made sure no...
Cross Site Scripting (XSS): Can you find any XSS? No HTML tags allowed!
This is a simple web application designed to show you some interesting facts about various animals. I've made sure that the search field does NOT allow HTML tags, but is it secure?
How many XSS vulnerabilities can you find?
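Both of the XSS challenges above (the class-changing image and the search field that strips tags) turn on the same idea: stripping "<" and ">" does nothing when the input lands inside an attribute, because a quote character is enough to leave the attribute and start a new one. The following is an added example and not code from either challenge; the image path, the style names, the payload and the helper names are constructed, and the general technique (attribute-context encoding and allowlisting) is shown rather than any specific challenge's fix.

```javascript
// Added example, not the challenge's code. The image, the style names and
// the payload are constructed for illustration.

// A "no HTML tags" filter of the kind these pages describe: it removes
// anything that looks like a tag but leaves quotes and "=" untouched.
function stripTags(input) {
  return String(input).replace(/<[^>]*>?/g, "");
}

// Entity-encode the five characters that matter in HTML text and in
// double-quoted attribute values.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: user input lands inside class="...". No "<" is needed; a
// double quote closes the attribute and what follows becomes a new one.
function renderImageStripped(cls) {
  return `<img src="/img/hacker.jpg" class="${stripTags(cls)}">`;
}

// Fixed (encoding): the quote can no longer terminate the attribute.
function renderImageEscaped(cls) {
  return `<img src="/img/hacker.jpg" class="${escapeHtml(cls)}">`;
}

// Fixed (allowlist): only known style names reach the markup at all.
const STYLES = new Set(["round", "shadow", "grayscale"]);
function renderImageAllowlisted(cls) {
  const style = STYLES.has(cls) ? cls : "round";
  return `<img src="/img/hacker.jpg" class="${style}">`;
}

// Minimal attribute scanner for a single tag: returns the attribute names a
// browser would see, so we can check whether the injected handler became a
// real attribute rather than staying inside the class value.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)=("[^"]*"|'[^']*'|[^\s>]*)/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payload: no tags at all, just a quote and an event handler.
const PAYLOAD = 'round" onmouseover="alert(document.domain)';

console.log("stripped:   ", renderImageStripped(PAYLOAD), attributeNames(renderImageStripped(PAYLOAD)));
console.log("escaped:    ", renderImageEscaped(PAYLOAD), attributeNames(renderImageEscaped(PAYLOAD)));
console.log("allowlisted:", renderImageAllowlisted(PAYLOAD));
```

The same reasoning applies to any other context a reflected value can land in (a JavaScript string, a URL attribute, a CSS value): the filter has to match the context the value is written into, and a tag filter only covers the HTML text context.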
Misc / Application Logic: Can you access our private tool, XSS Destroyer?
As the title says, are you able to access our private tool, XSS Destroyer? It's currently in BETA and we aren't accepting new users, but if you do have access to it, let us know what you think!
Test your recon: There's a leak somewhere!
There's an info leak somewhere on
Open URL Redirect: Can you steal the SSO token?
We've built a super secure login portal to access our diet plan, and we'd love your help making sure we've set it up correctly.
You can log in to ManageMyDiet with the following credentials:
Cross Site Scripting (XSS): "I've won a bounty" generator
We know people love to say they've won some bounties, so simply input your username and bounty amount and then generate your image!
Can you discover how the application works and whether there's anything interesting happening? Perhaps there is XSS...
Insecure Direct Object Reference: Check out these HackerPhotos! Nothing's wrong here.
We've created a basic web application called "HackerPhotos" to highlight some awesome hacker-tagged photography. It's still in BETA and we'd love for you to give it a try and make sure we've not made any mistakes!
You can log in...
Misc / Application Logic: What's behind this admin panel?
You are faced with a login panel, but what do you do? Close the tab and find something else? Of course not, you try to find what's behind the login page!
Investigate the login page and see if you can find a way to grab the admin's session...
Cross Site Scripting (XSS): This strict URL filter should prevent XSS, right?
This one is pretty simple. One parameter is vulnerable,
Cross Site Request Forgery (CSRF): There's cross site request forgery (CSRF) protection, but how good is it?
Can you successfully force the admin password to be updated via CSRF? This means the request must originate from YOUR site and still update the data successfully.
The CSRF token generated is unique to your session so you must be able to...