

BugForge Write-Up 3/25/2026
BugForge Daily Challenge 3/25/2026 - Gift Lab Hint: Base64 is interesting. Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. Next, I created a new user account, and once logged in, the platform behaved a lot like a to-do list site: I poked around a bit, trying to see everything I could do with the app an
icanhaspii
6 days ago · 3 min read


BugForge Write-Up 3/24/2026
BugForge Daily Challenge 3/24/2026 - CopyPasta HINT: Broken Access Control. Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. Following along with the video walkthrough from @PawPawHacks/Tom Fieber, he said that you will want to create two user accounts for this challe
icanhaspii
7 days ago · 2 min read


BugForge Write-Up 3/22/2026
BugForge Daily Challenge 3/22/2026 - Cheesy Does It Hint: IDOR. Can you view things that don't belong to you? Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. The challenge hint stated this was an IDOR challenge and following along with the @PawPawHacks/Tom Fieber w
icanhaspii
Mar 22 · 2 min read


BugForge Write-Up 3/16/2026
BugForge Daily Challenge 3/16/2026 - Cheesy Does It Hint: Can you tamper with the price via the tip feature? Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Burp. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account and was taken to an app that appeared to behave a lot like an online pizza shop: Next, foll
icanhaspii
Mar 17 · 2 min read


BugForge Write-Up 3/14/2026
BugForge Daily Challenge 3/14/2026 - OtterGram Hint: GraphQL. Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 Also, my write-up is basically me just following along with the @PawPawHacks/Tom Fieber video walkthrough. I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account, and once logged in, the app appeared to behave a lot
icanhaspii
Mar 15 · 5 min read


BugForge Write-Up 3/13/2026
BugForge Daily Challenge 3/13/2026 - Gift Lab Hint: Can you craft a token? Author’s Note: I followed along with the @_shadowforge__ write-up to solve this one. It was a privilege to read a write-up from the author of the challenge themself! I will say, that even though I solved the challenge (which was a triumph I felt great about, because it was only due to what I’ve learned thus far doing these daily BugForge challenges), afterward I was feeling like I wasn’t 10
icanhaspii
Mar 14 · 4 min read


BugForge Write-Up 3/10/2026
BugForge Daily Challenge 3/10/2026 - Tanuki Hint: Mass assignment. Can you register as a user with more privileges? Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 Also, my write-up is basically me just following along with the @PawPawHacks/Tom Fieber video walkthrough. I found the following quote from him really helpful: >>This is a mass assignment lab, so basically what mass assignment means i
icanhaspii
Mar 10 · 2 min read


BugForge Write-Up 3/9/2026
BugForge Daily Challenge 3/9/2026 - Cheesy Does It Hint: Can [you] apply the discount multiple times? Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account and was taken to an app that appeared to behave a lot like an online pizza shop. Immediately upon
icanhaspii
Mar 9 · 3 min read


BugForge Write-Up 3/6/2026
BugForge Daily Challenge 3/6/2026 - Shady Oaks Financial Hint: JWT Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account and was taken to a Dashboard which mimicked a real online trading platform: Following along with the @PawPawHacks/Tom Fieber video walkthrough, over in
icanhaspii
Mar 7 · 5 min read


BugForge Write-Up 3/5/2026
BugForge Daily Challenge 3/5/2026 - Sokudo Hint: Broken access control. Are there API endpoints that the frontend isn't using? Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. Following along with the @PawPawHacks/Tom Fieber video walkthrough, I created a user account, an
icanhaspii
Mar 5 · 2 min read


BugForge Write-Up 3/4/2026
BugForge Daily Challenge 3/4/2026 - CopyPasta Hint: SQL Injection. Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account and was taken to an app that appeared to behave a lot like PasteBin, so I poked around a bit, trying to see everything I could do with the app and generatin
icanhaspii
Mar 5 · 2 min read


BugForge Write-Up 3/3/2026
BugForge Daily Challenge 3/3/2026 - Tanuki Hint: SSRF. Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account and was taken to an app that appeared to behave a lot like an online trivia/game platform: Next, following along w/ both the @_shado
icanhaspii
Mar 3 · 2 min read


BugForge Write-Up 3/2/2026
BugForge Daily Challenge 3/2/2026 - Cheesy Does It Hint: Broken Logic. Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account and was taken to an app that appeared to behave a lot like an online pizza shop. I then ordered and paid for a delivery of a pizza. Once the pizza arrived,
icanhaspii
Mar 3 · 1 min read


BugForge Write-Up 3/1/2026
BugForge Daily Challenge 3/1/2026 - CafeClub Hint: File Inclusion. Note: @PawPawHacks/Tom Fieber https://www.youtube.com/@pawpawhacks : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account and was taken to an app that appeared to behave a lot like an online store/coffee retailer
icanhaspii
Mar 1 · 2 min read


BugForge Write-Up 2/28/2026
BugForge Daily Challenge 2/28/2026 - OtterGram Hint: Can you edit comments? Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account, and once logged in, the app appeared to behave a lot like InstaGram. I could send messages, "like" messages, etc. so I po
icanhaspii
Feb 28 · 2 min read


BugForge Write-Up 2/22/2026
BugForge Daily Challenge 2/22/2026 - FurHire Hint: Your window is small, you might have to try multiple times. Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Burp. I checked to see if there was an admin login using the set/known creds, but there was not. Next, I created a Job Seeker account and was taken to an app that appeared to behave a lot like an online job search platform. Following along w/
icanhaspii
Feb 28 · 2 min read


BugForge Write-Up 2/26/2026
BugForge Daily Challenge 2/26/2026 - Sokudo Hint: Can you find API endpoints on a different path? Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account, and once logged in, the app appeared to be an online platform to test your typing speed. I tried to do everything I could with the ap
icanhaspii
Feb 27 · 3 min read