WebVerse
Waybill
Waybill Freight uses HMAC-signed URLs to protect shipment documents. The signing secret isn't quite as secret as the team assumed.
WebVerse
InvoiceVault lets freelancers manage invoices and export their account data. A convenience field in the export API trusts the client a little too much.
WebVerse
Nimbus Ledger's report builder accepts a client-supplied query spec and runs it against the documents in an embedded NoSQL store that shares a namespace with the admin audit log.
WebVerse
CliniCore's patient timeline exposes a GraphQL variable that was meant for internal use only. One query tweak reveals notes that receptionist accounts should never see.
WebVerse
Snickerdoodle Bake-off's Bakers' panel hides the monthly mystery code in a note that almost nobody reads — but the admin login next door has more to say than its developers intended.
WebVerse
Apex Fitness rebuilt their member portal last year. The new build moved everything onto UUIDs — no more sequential IDs, no more spreadsheet leaks. Their CTO told the board it was "post-IDOR by construction." The CTO was, technically, describing one part of the system.
WebVerse
DeployWare queues repo imports for background processing. The URL you submit isn't used immediately — something else picks it up later.
WebVerse
NovaStore's promo-code endpoint leaks one bit per request. The storefront only tells you "applied" or "invalid" — nothing more. Pry the hidden admin-vault secret out one boolean at a time. Requests are rate-limited, so brute force will not save you.
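The "one bit per request" constraint is what makes the request budget matter: with a yes/no oracle, recovering a byte by stepping through candidate values costs up to 255 requests, while a binary search on the byte value costs 8. The script below is an added example, not code from the WebVerse challenge or NovaStore's storefront. The oracle is a constructed stand-in (`CountingOracle`, answering whether `secret[index] >= threshold`); how the real endpoint leaks its bit is challenge-specific and is not modelled here, only the extraction strategy and its cost.

```python
"""Blind boolean-oracle extraction: binary search vs linear scan.

Added example, not part of the WebVerse challenge or NovaStore's code.
The oracle below is a constructed stand-in: it answers one yes/no
question per request ("applied"/"invalid" collapsed to True/False).
The predicate it answers (secret[index] >= threshold) is an assumption
chosen to keep the example self-contained.
"""
from typing import Callable

Oracle = Callable[[int, int], bool]


class CountingOracle:
    """Simulated oracle: True iff secret[index] >= threshold.

    An out-of-range index always answers False, which the extractor uses
    as its end-of-secret signal. Every call is counted so the two
    strategies can be compared against a rate limit.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret   # hidden from the extractor; only ask() is used
        self.requests = 0

    def ask(self, index: int, threshold: int) -> bool:
        self.requests += 1
        if index >= len(self._secret):
            return False
        return self._secret[index] >= threshold


def extract_binary(ask: Oracle, max_len: int = 64) -> bytes:
    """Recover the secret with 8 queries per byte (binary search on the value)."""
    out = bytearray()
    for i in range(max_len):
        lo, hi = 0, 256            # invariant: secret[i] in [lo, hi)
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if ask(i, mid):
                lo = mid
            else:
                hi = mid
        if lo == 0:                # nothing >= 1 at this index: past the end
            break
        out.append(lo)
    return bytes(out)


def extract_linear(ask: Oracle, max_len: int = 64) -> bytes:
    """Same oracle, naive strategy: raise the threshold one step at a time."""
    out = bytearray()
    for i in range(max_len):
        value = 0
        while value < 255 and ask(i, value + 1):
            value += 1
        if value == 0:
            break
        out.append(value)
    return bytes(out)


def compare(secret: bytes) -> dict:
    """Run both strategies against fresh oracles and report request counts."""
    o1 = CountingOracle(secret)
    r1 = extract_binary(o1.ask)
    o2 = CountingOracle(secret)
    r2 = extract_linear(o2.ask)
    return {"binary": (r1, o1.requests), "linear": (r2, o2.requests)}


if __name__ == "__main__":
    # Constructed sample secret; any ASCII string works.
    for name, (recovered, n) in compare(b"vault-7f3a").items():
        print(f"{name:6s} recovered={recovered!r} requests={n}")
```

For the ten-byte sample secret the binary strategy spends 88 requests (8 per byte plus 8 to detect the end), while the linear scan spends 917; under a rate limit that difference decides whether the extraction finishes at all.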
WebVerse
ScanPortal runs nmap safely — but every target you submit gets written raw to a log file, and the Scan Logs search feature is a different story.
WebVerse
Hartwood & Co. has been outfitting 'the discerning hound' since 1924. After a century of selling collars and kibble they finally built a website. The dev who built it left a test order in the live database that was never deleted.
WebVerse
SunnySide Daycare's personalised confirmation page was built by a parent volunteer who picked the shortest Stack Overflow answer for rendering names. That answer used a template engine.
WebVerse
WindRose Jet Charter's fleet browser was wired up by a contractor named Hugh during the 2014 rebrand and never revisited. Hugh's email address still bounces.