Sharkzwithlazers

slaxxx

Insomni'hack teaser 2020 - Inso File Manager 1 (Web)

TL;DR: Don't trust user-supplied data, don't screw up your JWT validation. Understanding the application: The Inso File Manager lets us, after registration, upload files and make them publicly available. After registering a user and logging in, we observed that we were issued a JSON Web Token (JWT). The
Jul 1, 2022 5 min read

SharkyCTF 2020 - Logs in! Part 2

Building upon part 1 of this challenge, we continue to gather useful insights about how the target application works by using the enabled Symfony development tools. This time, we're using these insights to hack our way into a database that's used by a backend service which we normally wouldn't be
Jul 1, 2022 2 min read

Insomni'hack teaser 2020 - Secretus (Web)

TL;DR: Reusing example configurations is bad. Secretus was a pure Web challenge which presented us with a minimal form. The form actually had no purpose, as there were no handlers executed upon clicking the button or doing anything else, such as making a handstand while looking at the
Jul 1, 2022 4 min read