How a missing product validation and JavaScript's silent type coercion combine to let you buy anything for free — and why fail-closed design matters.

This one is a classic challenge when you have to pop a shell or execute another OS command that allows to read the `flag` file.

Pair of web challenges featuring SQLi db enumeration and revoked JWT bypass.

Forensic challenge that start with a pcap and end with Linux privesc

Shuffled chunks of bits