WebVerse
Canal Cove Books
The owner watched a tutorial on XSS and wrote two regexes. Two.
WebVerse
Breach's team collaboration platform. Some content is restricted to admins — but is the enforcement as tight as it looks?
WebVerse
A community-garden app strips event handlers after a space. Only after a space.
WebVerse
A bike-parts shop paid good money for a filter that strips 'script'. Only that.
WebVerse
Mountaineering rental site. Their filter has a case.
WebVerse
LoadMesh's ops console shows live connection telemetry. Behind the login, one of the pages trusts a header the user fully controls. Login with admin / admin. The injection is not on any form.
WebVerse
Herbalist Remedies — an herbal-blend catalog — trusts its login form to compare MongoDB query objects. Slip an operator in and see who else is home.
WebVerse
Trackboard, an internal issue tracker, rolled to production with display_errors accidentally left on. Its /issues page has a numeric id param and a loose sense of type safety. Coax a database error to tell you what you need.
WebVerse
SwiftSearch's hotel API accepts a JSON filter body that's merged straight into a MongoDB-style query. Ordinary users filter by city and price; operators slip in just as easily.
WebVerse
Redzone Rewards — an internal employee rewards portal — exposes a voucher search that concatenates user input straight into a SELECT. Find the hidden administrative voucher.
WebVerse
A small tea shop's brand-new online catalog has a search bar that trusts everything you give it. No filter, no escape, no second thoughts.
WebVerse
RegistryPro's WHOIS terminal returns three things: a status word, a reflected domain name, and a lookup time. The query layer accepts stacked statements. Everything you need leaks through the clock.