WebVerse Writeups

WebVerse

Brightside

Brightside Dental's support form happily accepts a curious-looking attachment. The IT contractor swore everything was fine because the file extension said .jpg. He was technically correct, and entirely wrong.

By Minatour 08 May 2026

WebVerse

Parchive

Parchive's document archiving platform lets legal teams bundle case files into compressed archives. The archive name field has a filter — but it's missing a few characters.

By Minatour 08 May 2026

WebVerse

LogCraft

LogCraft's health report generator accepts a custom title and shells out to produce the output. Double quotes are stripped — but that's not enough.

By Minatour 08 May 2026

WebVerse

Netcheck

Netcheck's network diagnostics tool lets customers run live connectivity checks from Netcheck's own servers. What else can you make it run?

By Minatour 08 May 2026

WebVerse

Kismet

A matchmaker's bio editor only allows six tags. One of them has a surprise.

By Minatour 29 Apr 2026

WebVerse

Fieldnote

A research tool checks that shared URLs 'contain http'. They really ought to check more.

By Minatour 29 Apr 2026

WebVerse

DroneFleet Ops

DroneFleet's callsign search pipes raw user input into a MongoDB-style $regex match. The results panel shows a match count but nothing else — until the regex helps you exfil.

By Minatour 29 Apr 2026

WebVerse

Parasite

Parasite Systems' server management dashboard. Their configuration import feature might be more powerful than intended.

By Minatour 29 Apr 2026

WebVerse

Whisper

Whisper Market's online product catalog. The database behind the storefront holds more than just inventory.

By Minatour 29 Apr 2026

WebVerse

Rill

Volunteer sign-up with a 24-character cap on search queries. Safer, right?

By Minatour 28 Apr 2026

WebVerse

Porchlight

A tool library escapes angle brackets religiously. They just forgot the quotes.

By Minatour 28 Apr 2026

WebVerse

Chorus

An indie-music site personalises your greeting with a little inline JavaScript. The escape function caught the HTML. Not the JS.

By Minatour 28 Apr 2026