WebVerse
Crack what was never meant to be cracked. Capture a real JWT on a small admin portal, brute-force its HS256 signing secret with a wordlist, forge a new token with elevated `role:admin` claims, and replay it against the admin exports endpoint.
WebVerse
Outbox is a tiny email-newsletter SaaS run out of a Brooklyn apartment by Marisol Park. Seven dollars a month, send up to five thousand emails, no automation, no segmentation, no AI. Just a clean editor and a send button.
WebVerse
Brackish Brewing — a small Coalridge taproom — runs a Flask website the head brewer's partner wrote over a few rainy weekends. After they moved off their old reverse proxy in early 2025, nobody revisited the assumptions the staff section was quietly making about where traffic comes from.
WebVerse
Quikpay is a small payments backend used by a few dozen indie software shops. They take the design seriously. They also have a debug branch in the resend handler that the engineering lead added during a late-night incident and never wrapped in a feature flag.
WebVerse
Arc Logistics — a mid-sized regional freight carrier — just launched their public shipment tracking site. The build team rushed to hit the Q2 deadline and merged a debugging branch the night before launch. Nobody asked what got left behind.
WebVerse
You're John Smith — you built TechCorp's employee portal yourself in 2020 and ran Engineering for three years. Then on December 19th 2024 HR pushed a demotion through with no warning. Sarah Johnson took your seat the same morning. The seams you left in the portal are still there.
WebVerse
Twilight Confectionery's third-gen owner Aurora wrote the staff portal herself "with a little help from an old book of spells." The book did not cover parameterised queries, file-upload validation, or path traversal — and the portal has been left to its own quiet, glittering devices ever since.
WebVerse
You registered on BugVault three months ago. The admin panel sits behind a login wall and a Next.js middleware guard — no admin account, no escalation path. You've been reading CVE advisories. The question is whether this deployment ever patched the one that matters.
WebVerse
Slate Quarry Books has been the antiquarian shop on the green since 1971. The proprietor's nephew built a small website; the catalogue is public, but the shop's consignment ledger — who left what on consignment, what each consignor agreed to as a floor — was never meant to be.
WebVerse
Evergreen Property Management's tenant portal — wired up by a contractor in 2018 — has stayed on its first auth implementation for six years. The legacy verifier still has the vendor-debug branch the contractor left in.
WebVerse
Margaret Holloway's tax firm portal accepts OFX/XML uploads for bank-statement reconciliation. Greta wrote the importer one snowed-in February in 2014 — the libxml flag pair came from a PHP manual page she had bookmarked at the time.
WebVerse
Maggie has shown Mapleton homes for thirty years. Her son Eli rebuilt the office website one weekend after PHP 5 came out — they've been swapping photos and prices on it ever since, but nobody's looked at the templating since the original Bush administration.