Cafe Club
Daily · 8 writeups
A recurring daily challenge — each entry covers a different vulnerability. Listed oldest to newest.
BugForge - Daily - Cafe Club (Dec 28, 2025)
This vulnerability is a business logic flaw involving predictable identifiers and brute force, where gift card codes are generated with insufficient entropy…
BugForge - Daily - Cafe Club (Jan 4, 2026)
This challenge exploits a business logic vulnerability in the checkout process where the server fails to validate the points_to_use parameter against the…
BugForge - Daily - Cafe Club (Jan 11, 2026)
A SQL Injection vulnerability exists in the product API endpoint where the product ID parameter is directly concatenated into a SQLite query without…
BugForge - Daily - Cafe Club (Jan 18, 2026)
This challenge exploits a path traversal vulnerability in the application's image retrieval functionality where the server fails to sanitize user-supplied…
BugForge - Daily - Cafe Club (Jan 25, 2026)
This challenge exploits a TOCTOU (Time-of-Check Time-of-Use) race condition in the checkout flow where the cart is read twice without synchronization, once for…
BugForge - Daily - Cafe Club (Feb 8, 2026)
This challenge exploits an Insecure Direct Object Reference (IDOR) vulnerability in the profile password update functionality. The application includes the…
BugForge - Daily - Cafe Club (Mar 1, 2026)
The Cafe Club application contains a Path Traversal vulnerability in its product image loading endpoint. The endpoint accepts a user-controlled file path…
BugForge - Daily - Cafe Club (Mar 15, 2026)
The Cafe Club application contains a Business Logic Flaw in its PUT /api/profile endpoint. The endpoint accepts a user-controlled JSON body and applies all…