CHAIN · 01

TaskBoard

A minimal project-management app. Three chained bugs stand between your low-privilege account and the admin dashboard.

Your account: attacker / attacker123
Target: admin role on user 42
Flag lives at: /admin/dashboard

Read before you attack

  1. Find something reflected on /search.
  2. Notice that the /report page triggers an internal admin-review bot that will visit any URL you paste.
  3. Accounts have a settings page that calls an API. Look at its CSRF handling and ownership checks.