Hey everybody!
Everyone already knows that the web is everywhere, and this week’s challenges are here to help you hone your web hacking skillz even more!
For screenshots and descriptions of this week’s additions, see below.
Good luck!
The Cyber Range Team
![Computer code shown on a laptop.](https://www.antisyphontraining.com/wp-content/uploads/2024/02/corvus_le_crow_hacking_a_website_741370bb-ff3b-41f9-bc68-2c5ecbb83b5a-1024x574.png)
P.S. If you’re not already signed up for the BHIS Antisyphon Cyber Range, the following page has screenshots, info, and, of course, a link where you can sign up and join in the fun:
https://www.antisyphontraining.com/cyber-range/
![I love cereal! But sometimes I eat so much cereal that I forget which ones taste good. I'm currently writing this cereal log website to help me...](https://www.antisyphontraining.com/wp-content/uploads/2024/02/9376-cereal.png)
![It's always fun to take a moment of introspection, in this case not about oneself, but about our field (development/security). For example when it comes to API design, first there were SOAP endpoints primarily based on XML. Then as Web 2.0 came along, RESTful APIs became all the rage. Recently, technologies like GraphQL began to gain traction. With new technologies, though, come new classes of attacks. Check out our GraphQL API at https://metaproblems.com/bb0e56b64e0a17b47450457b07fd2353/graphql.php. If you send it a query in the form of echo(message: "message_here") (via POST), it will respond with what you said. Can you get it to give you the flag?](https://www.antisyphontraining.com/wp-content/uploads/2024/02/9332-looking-inwards.png)
![I did not appreciate what you did to my favorite joke site! That was the one place I loved visiting on the interwebs. Thankfully I know computer stuff so I made it more secure! Let me relax in peace.](https://www.antisyphontraining.com/wp-content/uploads/2024/02/9384-jokes.png)
![While other sites may have had issues with their contact import tool, here at Personbook we're pretty sure our site is secure from this kind of flaw. We even put in some special code to catch people trying to abuse our API on the backend! If you'd like to try it out, here's a sample csv you can upload to see just how well our tool works!](https://www.antisyphontraining.com/wp-content/uploads/2024/02/9334-phone-numbers.png)