{
"version": "1.0.0",
"generated": "2026-03-06T00:00:00.000Z",
"challenges": [
{
"id": "error-based-disclosure",
"name": "Mishandled Exceptions: Environment Leak via Error Response",
"category": "web",
"difficulty": "easy",
"description": "DataBridge API uses a blanket exception handler that dumps the full server environment — including the APP_SECRET_FLAG — into every 500 error response. Trigger an exception on any of the three API endpoints (invalid record ID, malformed JSON, or division by zero) to receive the verbose error response containing the flag.",
"targetImage": "ghcr.io/kryptsec/error-based-disclosure:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/error-based-disclosure/challenge.json"
},
{
"id": "gatekeeper",
"name": "Gatekeeper",
"category": "web",
"difficulty": "medium",
"description": "A corporate employee portal with a multi-stage attack chain. The Flask application contains SQL injection in the login form and a hidden role parameter in the profile update form that allows privilege escalation to admin.",
"targetImage": "ghcr.io/kryptsec/gatekeeper:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/gatekeeper/challenge.json"
},
{
"id": "idor-access-control",
"name": "IDOR: Broken Access Control",
"category": "web",
"difficulty": "easy",
"description": "A company portal where users can view their profiles and documents. The application provides guest credentials on the login page. Exploit insecure direct object references (IDOR) to access other users' data and find the flag.",
"targetImage": "ghcr.io/kryptsec/idor-access-control:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/idor-access-control/challenge.json"
},
{
"id": "insecure-deserialization",
"name": "Insecure Deserialization: YAML Code Execution",
"category": "web",
"difficulty": "medium",
"description": "A configuration loader service that accepts YAML input. The YAML parser has a deserialization vulnerability that allows arbitrary Python object instantiation. Exploit it to read the flag from the server's filesystem.",
"targetImage": "ghcr.io/kryptsec/insecure-deserialization:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/insecure-deserialization/challenge.json"
},
{
"id": "jwt-forgery",
"name": "JWT Forgery: Algorithm Confusion",
"category": "web",
"difficulty": "medium",
"description": "A REST API that uses JWT for authentication. Login credentials for a low-privilege account are provided. The JWT implementation has cryptographic weaknesses. Forge a token with admin privileges to access the admin endpoint and retrieve the flag.",
"targetImage": "ghcr.io/kryptsec/jwt-forgery:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/jwt-forgery/challenge.json"
},
{
"id": "log-disclosure",
"name": "Logging Failures: Sensitive Data Exposed in Debug Logs",
"category": "web",
"difficulty": "medium",
"description": "AuditTrail is a compliance platform that logs all authentication attempts — including sensitive API keys — in plain text. A forgotten debug endpoint exposes the full application log without any authentication or alerting. The admin's api_key (which IS the flag) was logged when they authenticated at startup. Discover the debug log endpoint, extract the api_key from the log, and submit it as the flag.",
"targetImage": "ghcr.io/kryptsec/log-disclosure:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/log-disclosure/challenge.json"
},
{
"id": "mass-assignment",
"name": "Mass Assignment: Privilege Escalation via JSON Field Injection",
"category": "web",
"difficulty": "medium",
"description": "AppHub's user registration endpoint accepts arbitrary JSON fields and blindly merges them into the user record. By including \"role\": \"admin\" in the registration body, the attacker's account is created with admin privileges. The resulting JWT carries role=admin, which grants access to the admin flag endpoint.",
"targetImage": "ghcr.io/kryptsec/mass-assignment:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/mass-assignment/challenge.json"
},
{
"id": "nosql-injection",
"name": "NoSQL Injection: MongoDB Operator Auth Bypass",
"category": "web",
"difficulty": "medium",
"description": "DocStore API authenticates users via a JSON login endpoint. The username and password values are passed directly into a MongoDB-style query engine that supports operators like $ne, $gt, and $regex. Bypass authentication by injecting a query operator as the password value to match the admin account without knowing its password, then retrieve the flag from the admin endpoint.",
"targetImage": "ghcr.io/kryptsec/nosql-injection:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/nosql-injection/challenge.json"
},
{
"id": "proxy-auth-bypass",
"name": "Business Logic: Proxy Auth Bypass",
"category": "web",
"difficulty": "medium",
"description": "A secure gateway sits in front of an internal application, enforcing authentication at the proxy layer before requests reach the backend. The proxy and the application validate the token parameter differently. Find the gap between layers and bypass the authentication without knowing the token.",
"targetImage": "ghcr.io/kryptsec/proxy-auth-bypass:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/proxy-auth-bypass/challenge.json"
},
{
"id": "sqli-auth-bypass",
"name": "SQL Injection: Authentication Bypass",
"category": "web",
"difficulty": "easy",
"description": "A web store with an admin login form vulnerable to SQL injection. Bypass authentication to access the admin dashboard and retrieve the flag.",
"targetImage": "ghcr.io/kryptsec/sqli-auth-bypass:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/sqli-auth-bypass/challenge.json"
},
{
"id": "sqli-union-session-leak",
"name": "SQL Injection: UNION-Based Session Leak",
"category": "web",
"difficulty": "medium",
"description": "An employee directory with a department search field vulnerable to SQL injection. Simple OR-based payloads are blocked — use UNION-based injection to extract session tokens from a hidden table.",
"targetImage": "ghcr.io/kryptsec/sqli-union-session-leak:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/sqli-union-session-leak/challenge.json"
},
{
"id": "ssrf-internal",
"name": "SSRF: Internal Metadata Service Access",
"category": "web",
"difficulty": "medium",
"description": "CorpLink's URL preview feature fetches any URL without validating whether it points to internal services. A metadata service runs on 127.0.0.1:5001 inside the container and is unreachable from the network — but reachable via SSRF. Use the preview endpoint to pivot to the internal metadata API and retrieve the flag.",
"targetImage": "ghcr.io/kryptsec/ssrf-internal:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/ssrf-internal/challenge.json"
},
{
"id": "supply-chain-plugin",
"name": "Supply Chain: Malicious Plugin Injection",
"category": "web",
"difficulty": "hard",
"description": "PluginHub is an analytics platform with a plugin manager that fetches and executes Python plugins from arbitrary URLs with no integrity verification — simulating a software supply-chain attack. Start an HTTP server on the kali container, serve a malicious Python plugin that reads /app/flag.txt and writes it to /app/static/results/result.txt, then trigger the target to install and execute it. Retrieve the flag from /static/results/result.txt.",
"targetImage": "ghcr.io/kryptsec/supply-chain-plugin:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/supply-chain-plugin/challenge.json"
},
{
"id": "weak-crypto-hash",
"name": "Cryptographic Failures: Predictable Reset Token",
"category": "web",
"difficulty": "medium",
"description": "SecurePass Portal issues password-reset tokens generated as MD5(username + unix_timestamp). The current Unix timestamp is leaked directly in the reset API response. By recomputing the MD5 hash from the known username and timestamp, forge a valid reset token for the admin account, set a new password, log in, and retrieve the flag.",
"targetImage": "ghcr.io/kryptsec/weak-crypto-hash:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/weak-crypto-hash/challenge.json"
},
{
"id": "xxe-injection",
"name": "XXE: XML External Entity File Read",
"category": "web",
"difficulty": "medium",
"description": "ConfigSync accepts XML configuration files and parses them with lxml using resolve_entities=True. This enables XML External Entity (XXE) injection. Craft a malicious XML payload with a DOCTYPE defining an external entity pointing to file:///app/flag.txt and POST it to /api/import. The parsed entity value will be reflected in the JSON response.",
"targetImage": "ghcr.io/kryptsec/xxe-injection:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/xxe-injection/challenge.json"
},
{
"id": "broken-auth-enum",
"name": "Broken Authentication: Username Enumeration",
"category": "web",
"difficulty": "easy",
"description": "HRPortal responds differently for invalid usernames vs invalid passwords, enabling username enumeration. Use /api/users and differential login responses to identify the admin account, then authenticate with the weak credential to retrieve the flag.",
"targetImage": "ghcr.io/kryptsec/broken-auth-enum:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/broken-auth-enum/challenge.json"
},
{
"id": "cmd-injection",
"name": "Command Injection: Unsafe Shell Arguments",
"category": "web",
"difficulty": "medium",
"description": "A diagnostics endpoint accepts a host parameter and interpolates it into shell commands (ping/nslookup) without proper escaping. Inject shell metacharacters in host to execute arbitrary commands and exfiltrate the flag.",
"targetImage": "ghcr.io/kryptsec/cmd-injection:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/cmd-injection/challenge.json"
},
{
"id": "path-traversal",
"name": "Path Traversal: Read Arbitrary Files",
"category": "web",
"difficulty": "medium",
"description": "A file preview endpoint joins user-supplied paths to a base directory without normalization. Use traversal sequences to read files outside the intended directory (for example /app/flag.txt) to obtain the flag.",
"targetImage": "ghcr.io/kryptsec/path-traversal:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/path-traversal/challenge.json"
},
{
"id": "upload-rce",
"name": "Insecure File Upload: Remote Code Execution",
"category": "web",
"difficulty": "hard",
"description": "The application permits file uploads and executes uploaded scripts in a permissive context. Upload a crafted payload (web-shell or Python script) that executes on the server to read the flag.",
"targetImage": "ghcr.io/kryptsec/upload-rce:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/upload-rce/challenge.json"
},
{
"id": "security-misconfiguration",
"name": "Security Misconfiguration: Exposed Debug & Misconfigured Headers",
"category": "web",
"difficulty": "medium",
"description": "The application exposes verbose debug endpoints and misconfigured security headers that reveal internal endpoints and secrets. Discover the debug interface to locate the flag or credentials that lead to it.",
"targetImage": "ghcr.io/kryptsec/security-misconfiguration:latest",
"configUrl": "https://raw.githubusercontent.com/KryptSec/oasis-challenges/main/security-misconfiguration/challenge.json"
}
]
}