Interactive labs
Reading about a bug is not the same as landing it. Exploit each one yourself, watch it work, then read the fix. Everything runs in your browser.
The bot was told to never reveal the staff coupon. Its code pastes your message straight into its instructions. Craft a message that makes it leak the coupon.
You are logged in as user 1001, invoice #1001. The endpoint returns any invoice by id with no ownership check. Read an invoice that isn't yours.
This verifier trusts the token header's alg. Edit the token so it verifies you as role=admin without knowing the secret. Hint: set the header alg to "none".
Header {"alg":"none","typ":"JWT"} = eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0 · Payload {"user":"you","role":"admin"} = eyJ1c2VyIjoieW91Iiwicm9sZSI6ImFkbWluIn0
Want the theory behind each? See the case studies, or scan a real site on Benteng.