Sokudo
Daily · 6 writeups
A recurring daily challenge — each entry covers a different vulnerability. Listed oldest to newest.
BugForge - Daily - Sokudo (Jan 1, 2026)
Exploited broken access control via HTTP verb tampering on the /api/stats endpoint—POST was blocked (404) but PUT lacked authorization, allowing stats…
BugForge - Daily - Sokudo (Jan 8, 2026)
This challenge demonstrates a broken authentication vulnerability caused by predictable session tokens combined with information disclosure. The application…
BugForge - Daily - Sokudo (Jan 15, 2026)
This challenge demonstrates how legacy API endpoints can introduce critical security vulnerabilities when not properly deprecated or secured. The application…
BugForge - Daily - Sokudo (Jan 22, 2026)
This challenge demonstrates a broken access control vulnerability exploited through HTTP verb tampering on a typing test statistics endpoint. After…
BugForge - Daily - Sokudo (Jan 29, 2026)
The Sokudo application uses predictable ISO 8601 timestamps as authentication tokens, creating a critical broken authentication vulnerability. By analyzing the…
BugForge - Daily - Sokudo (Jun 17, 2026)
Sokudo is a typing speed test application whose GraphQL API exposes an unrestricted users query. By enumerating the users collection and requesting sensitive fields, the admin account's password — containing the flag — was extracted…