← All series

Sokudo

Daily · 8 writeups

A recurring daily challenge — each entry covers a different vulnerability. Listed oldest to newest.

BugForge - Daily - Sokudo (Jan 1, 2026)

Exploited broken access control via HTTP verb tampering on the /api/stats endpoint: POST was blocked (404) but PUT lacked authorization, allowing stats…

Broken Access Control
Posted on 2026-01-01 20:00 4 min read

BugForge - Daily - Sokudo (Jan 8, 2026)

This challenge demonstrates a broken authentication vulnerability caused by predictable session tokens combined with information disclosure. The application…

Broken Authentication Information Disclosure Session Hijacking
Posted on 2026-01-08 20:00 5 min read

BugForge - Daily - Sokudo (Jan 15, 2026)

This challenge demonstrates how legacy API endpoints can introduce critical security vulnerabilities when not properly deprecated or secured. The application…

API Versioning Broken Authentication IDOR JWT Manipulation
Posted on 2026-01-15 20:40 5 min read

BugForge - Daily - Sokudo (Jan 22, 2026)

This challenge demonstrates a broken access control vulnerability exploited through HTTP verb tampering on a typing test statistics endpoint. After…

Broken Access Control Http Verb Tampering
Posted on 2026-01-22 20:00 5 min read

BugForge - Daily - Sokudo (Jan 29, 2026)

The Sokudo application uses predictable ISO 8601 timestamps as authentication tokens, creating a critical broken authentication vulnerability. By analyzing the…

Broken Authentication
Posted on 2026-01-29 20:00 3 min read

BugForge - Daily - Sokudo (Jun 17, 2026)

Sokudo is a typing speed test application whose GraphQL API exposes an unrestricted users query. By enumerating the users collection and requesting sensitive fields, the admin account's password, containing the flag, was extracted…

Graphql
Posted on 2026-06-17 20:00 3 min read

BugForge - Daily - Sokudo (Jun 26, 2026)

Sokudo's GraphQL API leaves introspection enabled, exposing the full schema. By dumping the schema, enumerating queries and mutations, and inspecting the ChampionshipResult type, an unprotected finalizeChampionship mutation was found that returned the prizeCode containing the flag…

Graphql
Posted on 2026-06-26 20:00 4 min read

BugForge - Daily - Sokudo (Jul 2, 2026)

Sokudo's profile page saves through a hardened PUT /v2/profile endpoint that strips the role field, but the legacy non-versioned PUT /api/profile route binds every field blindly. By downgrading the request to the unversioned endpoint and adding role: admin, the account was escalated to administrator, unlocking the admin-only user listing that contained the flag…

Mass Assignment Privilege Escalation Broken Access Control API Versioning
Posted on 2026-07-02 20:00 4 min read
Zw4rts

© 2026 Zw4rts. All rights reserved.