WebVerse
Millrace
A brewery site's debug pane echoes your User-Agent header back to you. Maybe it shouldn't let you set that.
WebVerse
Overrun's change-order endpoint authorises by parent project, but loads the child object by global id alone. Players who change one digit in the URL read change orders that belong to other project managers.
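The parent/child mismatch in one small model, added here as an illustration and not taken from the challenge: the vulnerable lookup authorises against the parent project and then loads the child by its global id alone, while the fixed lookup only returns a child that belongs to the project just authorised. Project ids, order ids, manager names and order bodies are all constructed.

```python
"""Scoping a child lookup to its authorised parent.

Added illustration, not the challenge's code: an in-memory model of a
change-order endpoint. The vulnerable lookup authorises on the parent
project and then loads the child by its global id alone; the fixed one
loads the child through the parent. Names and data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeOrder:
    id: int
    project_id: int
    body: str


# Constructed sample data: who manages which project, and which project
# each change order belongs to.
PROJECT_MANAGERS = {101: "alice", 102: "bob"}
CHANGE_ORDERS = {
    7: ChangeOrder(7, 101, "move the loading dock"),
    8: ChangeOrder(8, 102, "re-route the conduit"),
}


class Forbidden(Exception):
    pass


def user_manages(user: str, project_id: int) -> bool:
    return PROJECT_MANAGERS.get(project_id) == user


def get_change_order_vulnerable(user: str, project_id: int, order_id: int) -> ChangeOrder:
    """Authorises on the parent, then forgets it when loading the child."""
    if not user_manages(user, project_id):
        raise Forbidden(project_id)
    order = CHANGE_ORDERS.get(order_id)  # global id; no tie to project_id
    if order is None:
        raise KeyError(order_id)
    return order


def get_change_order_fixed(user: str, project_id: int, order_id: int) -> ChangeOrder:
    """Loads the child only if it belongs to the parent just authorised."""
    if not user_manages(user, project_id):
        raise Forbidden(project_id)
    order = CHANGE_ORDERS.get(order_id)
    # The missing check: the child's parent must be the project the caller
    # was authorised against. A mismatch is reported exactly like a missing
    # record so the endpoint does not become an existence oracle.
    if order is None or order.project_id != project_id:
        raise KeyError(order_id)
    return order


def outcome(lookup, user: str, project_id: int, order_id: int) -> str:
    """Summarise a lookup as a status string (handy for tests and logs)."""
    try:
        return "ok:" + lookup(user, project_id, order_id).body
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "not_found"


if __name__ == "__main__":
    # Alice manages project 101 and changes the order id to Bob's order 8.
    print("vulnerable:", outcome(get_change_order_vulnerable, "alice", 101, 8))
    print("fixed:     ", outcome(get_change_order_fixed, "alice", 101, 8))
```

The fix is the single comparison `order.project_id != project_id`; in a real ORM the same effect comes from querying the child through the parent (`project.change_orders.get(order_id)`) rather than from a global table. Returning "not found" for both a missing and a mis-scoped id keeps the endpoint from confirming which ids exist.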
WebVerse
Headcount's compensation report aggregation endpoint has a debug parameter that was never removed from production. The org chart reveals where to look.
WebVerse
Exfil Analytics' reporting platform. Reports go in, but nothing useful comes back out — or does it?
WebVerse
Waybill Freight uses HMAC-signed URLs to protect shipment documents. The signing secret isn't quite as secret as the team assumed.
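What a signed-URL scheme looks like and why the secret's entropy is the whole game, as an added example rather than Waybill Freight's code. A captured URL is enough to test candidate secrets offline, so a dictionary word survives about as long as it takes to read the wordlist. Paths, parameters and the candidate list are constructed.

```python
"""HMAC-signed document URLs and what a guessable secret costs you.

Added illustration, not Waybill Freight's code. sign_url/verify_url are a
typical signed-URL scheme (HMAC-SHA256 over the canonical path and query,
with an expiry). recover_secret shows the offline attack a weak secret
invites: one captured URL lets an attacker test candidate secrets without
touching the server, and a hit lets them mint URLs for any shipment.
Names, paths and the candidate list are constructed.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def _canonical(path: str, params: dict) -> str:
    # Sorted so signer and verifier see the same string regardless of the
    # parameter order in the request.
    return path + "?" + urlencode(sorted(params.items()))


def sign_url(path: str, params: dict, secret: str, expires: int) -> str:
    q = dict(params, expires=str(expires))
    canonical = _canonical(path, q)
    sig = hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()
    return canonical + "&sig=" + sig


def verify_url(url: str, secret: str, now: int) -> bool:
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    sig = params.pop("sig", "")
    try:
        if int(params.get("expires", "0")) < now:
            return False
    except ValueError:
        return False
    expected = hmac.new(secret.encode(), _canonical(parts.path, params).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; compared as bytes so a non-ASCII sig cannot raise.
    return hmac.compare_digest(sig.encode(), expected.encode())


def recover_secret(captured_url: str, candidates, now: int):
    """Offline dictionary attack: no server round-trips, so no rate limit."""
    for candidate in candidates:
        if verify_url(captured_url, candidate, now):
            return candidate
    return None


def make_secret() -> str:
    """What the secret should be: 256 bits from the OS CSPRNG, not a word."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    now = 1_700_000_000
    captured = sign_url("/documents/SHP-1001.pdf", {"shipment": "SHP-1001"}, "waybill", now + 3600)
    print("captured:", captured)
    print("recovered secret:", recover_secret(captured, ["password", "freight", "waybill"], now))
```

Once `recover_secret` returns a hit, the attacker calls `sign_url` with that secret for any other shipment and the server accepts it as its own. The defence is not a cleverer signature format but a secret the dictionary cannot reach (`make_secret`), rotated if it ever lands in a log or a config dump.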
WebVerse
InvoiceVault lets freelancers manage invoices and export their account data. A convenience field in the export API trusts the client a little too much.
WebVerse
Nimbus Ledger's report builder accepts a client-supplied query spec and runs it against the documents in an embedded NoSQL store that shares a namespace with the admin audit log.
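The shape of that bug and its fix in a toy document store, added here as an illustration and not taken from Nimbus Ledger. A small matcher understands a MongoDB-style operator subset so the widening is visible: the vulnerable endpoint merges the client's spec over the server's filter, the fixed one allow-lists fields, refuses operator objects and pins tenant and record type after the merge. Documents, field names and tenants are constructed.

```python
"""A client-supplied query spec over a shared-namespace document store.

Added illustration, not Nimbus Ledger's code. A tiny matcher understands
a MongoDB-style subset ($ne, $in, $regex) so the attack is visible;
run_report_vulnerable merges the client's spec over the server's filter,
run_report_fixed allow-lists fields, refuses operators and pins tenant and
record type server-side. Data and field names are constructed.
"""
import re

# Constructed store: ledger documents and admin audit entries share one
# collection, separated only by the "type" field.
STORE = [
    {"type": "invoice", "tenant": "acme", "total": 120, "ref": "INV-1"},
    {"type": "invoice", "tenant": "acme", "total": 80, "ref": "INV-2"},
    {"type": "invoice", "tenant": "globex", "total": 500, "ref": "INV-9"},
    {"type": "audit", "tenant": "_admin", "ref": "AUD-1",
     "actor": "root", "action": "rotate-signing-key"},
]


def _match_field(value, cond) -> bool:
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():          # operator form, e.g. {"$ne": "x"}
        if op == "$ne":
            ok = value != arg
        elif op == "$in":
            ok = value in arg
        elif op == "$regex":
            ok = isinstance(value, str) and re.search(arg, value) is not None
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True


def matches(doc: dict, spec: dict) -> bool:
    return all(_match_field(doc.get(field), cond) for field, cond in spec.items())


def run_report_vulnerable(tenant: str, spec: dict) -> list:
    """Server filter first, client spec merged on top: client keys win."""
    query = {"type": "invoice", "tenant": tenant}
    query.update(spec)
    return [d["ref"] for d in STORE if matches(d, query)]


ALLOWED_FIELDS = {"total", "ref"}


def run_report_fixed(tenant: str, spec: dict) -> list:
    for field, cond in spec.items():
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"field not allowed: {field}")
        if not isinstance(cond, (int, str)):      # no operator objects
            raise ValueError(f"operators not allowed on {field}")
    # Build the query from the allow-listed spec, then let the server's
    # tenant and type constraints overwrite anything the client sent.
    query = dict(spec, type="invoice", tenant=tenant)
    return [d["ref"] for d in STORE if matches(d, query)]


def report(fn, tenant: str, spec: dict):
    """Return the refs the endpoint would serve, or 'rejected'."""
    try:
        return fn(tenant, spec)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    widen = {"type": {"$ne": "invoice"}, "tenant": {"$ne": ""}}
    print("vulnerable:", report(run_report_vulnerable, "acme", widen))
    print("fixed:     ", report(run_report_fixed, "acme", widen))
```

Two things matter in the fixed version: the order of the merge (server constraints last, so they cannot be overridden) and the refusal of any non-scalar condition, since `$ne`, `$regex` and friends are what turn "filter my invoices" into "everything that is not an invoice". Putting the audit log in its own collection with its own credentials would remove the shared namespace altogether.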
WebVerse
CliniCore's patient timeline exposes a GraphQL variable that was meant for internal use only. One query tweak reveals notes that receptionist accounts should never see.
WebVerse
Snickerdoodle Bake-off's Bakers' panel hides the monthly mystery code in a note that almost nobody reads — but the admin login next door has more to say than its developers intended.
WebVerse
Apex Fitness rebuilt their member portal last year. The new build moved everything onto UUIDs — no more sequential IDs, no more spreadsheet leaks. Their CTO told the board it was "post-IDOR by construction." The CTO was, technically, describing one part of the system.
WebVerse
DeployWare queues repo imports for background processing. The URL you submit isn't used immediately — something else picks it up later.
WebVerse
NovaStore's promo-code endpoint leaks one bit per request. The storefront only tells you "applied" or "invalid" — nothing more. Pry the hidden admin-vault secret out one boolean at a time. Requests are rate-limited, so brute force will not save you.
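Why a one-bit oracle and a rate limit are not a contradiction, shown as an added example that is not NovaStore's code. A simulated storefront answers a single yes/no per request and enforces a request budget; a linear scan of the alphabet blows through the budget, while a binary search per character needs only ceil(log2(alphabet)) requests each. The secret, alphabet, budget, known length and the exact question the oracle answers ("is the character at position i at least c?") are constructed assumptions.

```python
"""Extracting a secret through a one-bit oracle under a request budget.

Added illustration, not NovaStore's code. SimulatedOracle stands in for
the storefront: each call is one request that answers only yes/no, and a
budget models the rate limit. The linear scan asks about every candidate
character and runs out of requests; the binary search needs only
ceil(log2(alphabet)) requests per character. The secret, alphabet, budget,
the known length and the question the oracle answers ("is the character
at position i at least c?") are constructed assumptions.
"""
import math
import string

ALPHABET = string.digits + string.ascii_lowercase   # 36 symbols, ASCII order


class RateLimited(Exception):
    pass


class SimulatedOracle:
    def __init__(self, secret: str, budget: int):
        self.secret, self.budget, self.requests = secret, budget, 0

    def at_least(self, index: int, ch: str) -> bool:
        """One request, one bit: is secret[index] >= ch?"""
        self.requests += 1
        if self.requests > self.budget:
            raise RateLimited(self.requests)
        return index < len(self.secret) and self.secret[index] >= ch


def extract_linear(oracle: SimulatedOracle, length: int, alphabet=ALPHABET) -> str:
    """Naive: walk the alphabet from the top until the oracle says yes."""
    out = []
    for i in range(length):
        for ch in reversed(alphabet):
            if oracle.at_least(i, ch):
                out.append(ch)
                break
    return "".join(out)


def extract_binary(oracle: SimulatedOracle, length: int, alphabet=ALPHABET) -> str:
    """Binary search each position; invariant: alphabet[lo] <= secret[i]."""
    out = []
    for i in range(length):
        lo, hi = 0, len(alphabet) - 1
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle.at_least(i, alphabet[mid]):
                lo = mid
            else:
                hi = mid - 1
        out.append(alphabet[lo])
    return "".join(out)


def run(strategy, secret: str, budget: int):
    """Return (recovered, requests) or ('rate-limited', requests)."""
    oracle = SimulatedOracle(secret, budget)
    try:
        return strategy(oracle, len(secret)), oracle.requests
    except RateLimited:
        return "rate-limited", oracle.requests


def requests_per_char(alphabet=ALPHABET) -> int:
    return math.ceil(math.log2(len(alphabet)))


if __name__ == "__main__":
    secret, budget = "n0va7x", 60   # constructed
    print("linear:", run(extract_linear, secret, budget))
    print("binary:", run(extract_binary, secret, budget))
```

The binary search only works because the oracle answers an ordered question; an equality-only oracle ("is the character exactly c?") forces the linear scan, which is why the first thing to establish against a real boolean endpoint is which comparison it leaks. The rate limit then sets the budget, and the arithmetic tells you whether the secret is reachable inside it.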