Sokudo
Daily · 8 writeupsA recurring daily challenge — each entry covers a different vulnerability. Listed oldest to newest.
BugForge - Daily - Sokudo (Jan 1, 2026)
Exploited broken access control via HTTP verb tampering on the /api/stats endpoint: POST was blocked (404) but PUT lacked authorization, allowing stats…
BugForge - Daily - Sokudo (Jan 8, 2026)
This challenge demonstrates a broken authentication vulnerability caused by predictable session tokens combined with information disclosure. The application…
BugForge - Daily - Sokudo (Jan 15, 2026)
This challenge demonstrates how legacy API endpoints can introduce critical security vulnerabilities when not properly deprecated or secured. The application…
BugForge - Daily - Sokudo (Jan 22, 2026)
This challenge demonstrates a broken access control vulnerability exploited through HTTP verb tampering on a typing test statistics endpoint. After…
BugForge - Daily - Sokudo (Jan 29, 2026)
The Sokudo application uses predictable ISO 8601 timestamps as authentication tokens, creating a critical broken authentication vulnerability. By analyzing the…
BugForge - Daily - Sokudo (Jun 17, 2026)
Sokudo is a typing speed test application whose GraphQL API exposes an unrestricted users query. By enumerating the users collection and requesting sensitive fields, the admin account's password, containing the flag, was extracted…
BugForge - Daily - Sokudo (Jun 26, 2026)
Sokudo's GraphQL API leaves introspection enabled, exposing the full schema. By dumping the schema, enumerating queries and mutations, and inspecting the ChampionshipResult type, an unprotected finalizeChampionship mutation was found that returned the prizeCode containing the flag…
BugForge - Daily - Sokudo (Jul 2, 2026)
Sokudo's profile page saves through a hardened PUT /v2/profile endpoint that strips the role field, but the legacy non-versioned PUT /api/profile route binds every field blindly. By downgrading the request to the unversioned endpoint and adding role: admin, the account was escalated to administrator, unlocking the admin-only user listing that contained the flag…