WebVerse
Whisper
Whisper Market's online product catalog. The database behind the storefront holds more than just inventory.
WebVerse
Volunteer sign-up with a 24-character cap on search queries. Safer, right?
WebVerse
A tool library escapes angle brackets religiously. They just forgot the quotes.
WebVerse
An indie-music site personalises your greeting with a little inline JavaScript. The escape function caught the HTML. Not the JS.
WebVerse
The owner watched a tutorial on XSS and wrote two regexes. Two.
WebVerse
Breach's team collaboration platform. Some content is restricted to admins — but is the enforcement as tight as it looks?
WebVerse
A community-garden app strips event handlers after a space. Only after a space.
WebVerse
A bike-parts shop paid good money for a filter that strips 'script'. Only that.
WebVerse
Mountaineering rental site. Their filter has a case.
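The six cards above (the tool library, the indie-music site, the two-regex owner, the community garden, the bike-parts shop and the mountaineering rental) all describe output encoding or blocklist filtering that misses a context. The JavaScript below is an added example written for this page, not code from WebVerse or from any of those sites: it models each mistake as a small function beside a hardened form. The sinks, filter regexes, payloads and function names are assumptions chosen for illustration, not anything recovered from the challenges.

```javascript
// Added example, not WebVerse's own code: the escaping and filtering mistakes
// the cards hint at, each beside a hardened counterpart. Sinks, filters and
// payloads are constructed for illustration.

// --- Tool library: escapes < and > but not quotes. ---
function escapeAngleOnly(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
// Context-aware HTML escaper: &, <, >, " and ' all become entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
// Sink: the search term lands inside a double-quoted attribute value, so a
// bare " is enough to close the value and start a new attribute.
function renderSearchBox(term, esc) {
  return `<input name="q" value="${esc(term)}">`;
}

// --- Indie-music site: HTML escaping, but the sink is a JavaScript string. ---
// Modelled on an escaper that covers &, <, > and " but leaves ' alone
// (an assumption; PHP's htmlspecialchars behaves this way by default).
// Entities are never decoded inside <script>, so HTML escaping is the wrong
// tool here regardless of which characters it covers.
function escapeHtmlNoSingleQuote(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, c => map[c]);
}
function renderGreeting(name, esc) {
  return `<script>var user = '${esc(name)}'; greet(user);</script>`;
}
// Right tool for a JS-string sink: JSON-encode, then also escape the
// characters the HTML parser cares about inside <script> (so </script>
// cannot close the block) and the JS line terminators U+2028/U+2029.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function renderGreetingSafe(name) {
  return `<script>var user = ${jsStringLiteral(name)}; greet(user);</script>`;
}

// --- Blocklist filters modelled on the garden, bike-parts and rental cards. ---
// Event handlers are only removed when a space precedes them.
function stripHandlersAfterSpace(s) { return s.replace(/ on\w+=/g, ' '); }
// The word "script" is removed in a single, non-recursive pass.
function stripScriptWord(s) { return s.replace(/script/g, ''); }
// Only the lower-case spelling of the tag is recognised.
function stripScriptTagLowercase(s) { return s.replace(/<script>/g, ''); }

// Inputs that get past each filter unchanged (or, for the nested case,
// changed into exactly what the filter meant to remove).
function filterBypasses() {
  return {
    // "/" is not a space, yet the HTML tokenizer still sees an onerror attribute.
    noSpace:   stripHandlersAfterSpace('<img/onerror=alert(1) src=x>'),
    // Removing the inner "script" once leaves "script" behind.
    nested:    stripScriptWord('<scrscriptipt>alert(1)</scrscriptipt>'),
    // An event handler never contained the word to begin with.
    handler:   stripScriptWord('<img src=x onerror=alert(1)>'),
    // Tag names are case-insensitive to the browser, not to this regex.
    upperCase: stripScriptTagLowercase('<SCRIPT>alert(1)</SCRIPT>'),
  };
}

console.log(renderSearchBox('" autofocus onfocus="alert(1)', escapeAngleOnly));
console.log(renderSearchBox('" autofocus onfocus="alert(1)', escapeHtml));
console.log(renderGreeting("'; alert(1); //", escapeHtmlNoSingleQuote));
console.log(renderGreetingSafe("'; alert(1); //"));
console.log(filterBypasses());
```

The blocklist regexes lose the same way every time: the browser's tokenizer accepts separators, spellings and element names the pattern never considered, and a single-pass removal can be reassembled by nesting. Encode for the exact output context (attribute value, JavaScript string, HTML text), or run untrusted HTML through an allowlist sanitizer; a denylist is not a control.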
WebVerse
LoadMesh's ops console shows live connection telemetry. Behind the login, one of the pages trusts a header the user fully controls. Login with admin / admin. The injection is not on any form.
WebVerse
Herbalist Remedies, an herbal-blend catalog, drops its login form fields straight into a MongoDB query object. Slip an operator in and see who else is home.
WebVerse
Trackboard, an internal issue tracker, rolled to production with display_errors accidentally left on. Its /issues page has a numeric id param and a loose sense of type safety. Coax a database error to tell you what you need.
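The LoadMesh, Herbalist Remedies and Trackboard cards share one defect: a value the client controls (a request header, a JSON body, a query parameter) reaches the query as structure rather than as data. The JavaScript below is an added example written for this page, not code from WebVerse or from any of those applications: it models the three handlers as small query builders, each beside a hardened form. The header name, table and field names, and the Postgres-style `$1` placeholder are assumptions for illustration; no database is contacted.

```javascript
// Added example, not WebVerse code: three ways untrusted input becomes query
// structure, each beside a version that keeps it as data. Names are assumed.

// --- LoadMesh-style: a header the client controls reaches the SQL text. ---
// The login in front of the page changes nothing here; the header is still
// attacker-controlled. Node lowercases header names (assumed transport).
function telemetryQueryUnsafe(headers) {
  const ip = headers['x-forwarded-for'] || '0.0.0.0';   // assumed header
  return `SELECT * FROM connections WHERE client_ip = '${ip}'`;
}
// Hardened: the value travels as a bound parameter, never as SQL text.
function telemetryQuerySafe(headers) {
  const ip = headers['x-forwarded-for'] || '0.0.0.0';
  return { text: 'SELECT * FROM connections WHERE client_ip = $1', values: [ip] };
}

// --- Trackboard-style: a "numeric" id that is never checked to be numeric. ---
// Unquoted and uncast, so any non-digit input is parsed as SQL. With
// display_errors on, the resulting parse error is echoed to the client.
function issueQueryUnsafe(params) {
  return `SELECT * FROM issues WHERE id = ${params.id}`;
}
// Hardened: enforce the type before the value gets near the query, then bind.
function issueQuerySafe(params) {
  if (typeof params.id !== 'string' || !/^[1-9]\d*$/.test(params.id)) {
    throw new TypeError('id must be a positive integer');
  }
  return { text: 'SELECT * FROM issues WHERE id = $1', values: [Number(params.id)] };
}

// --- Herbalist-style: a JSON body pasted straight into a MongoDB filter. ---
// A JSON body can carry objects, so password may arrive as {"$ne": ""}
// and the filter then matches any document whose password is not empty.
function loginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}
// Walk a value and report whether any key looks like a query operator.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => k.startsWith('$') || containsOperator(v));
  }
  return false;
}
// Hardened: credentials must be plain strings, and the password never enters
// the filter at all; the caller fetches one document by username and checks
// the submitted password against the stored hash afterwards.
function loginFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username };
}

// Constructed sample requests for the three handlers.
console.log(telemetryQueryUnsafe({ 'x-forwarded-for': "x' OR '1'='1" }));
console.log(telemetryQuerySafe({ 'x-forwarded-for': "x' OR '1'='1" }));
console.log(issueQueryUnsafe({ id: "1'" }));
console.log(containsOperator({ username: 'admin', password: { $ne: '' } }));
```

The `containsOperator` walk is a useful request-level check, but it is a backstop: the real fix in each case is the same one, decide the type of every field before it is used, and hand the database data and structure through separate channels (bound parameters for SQL, a filter built from validated scalars for MongoDB). Turning display_errors off stops the leak the Trackboard card points at but does not close the injection behind it.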