Puzzling boxes

Understanding how an application behaves is often key to finding security vulnerabilities. This site gives you access to six "black boxes" for you to figure out how they work. Every challenge can be solved without having access to the code. For some challenges you need to write code to observe the box's behavior. The challenges itself do NOT intentionally contain security vulnerabilities.

More and more people are getting into the security space. When people are looking for security vulnerabilities they often don't know how to exploit a potential vulnerability or are wasting hours looking at the wrong thing. By doing exercises how online systems work without having the code is a valuable skill that a lot of hackers are lacking. These puzzles are an attempt at helping people develop this skill.


The goal is to figure out the challenge's behavior and write the code how you believe the black box is implemented. I have a specification written for each of the challenges and will use that to verify your submission. Please submit your implementation in Ruby, Python, PHP, Go, Java, or pseudo code.

Example challenge

There's a dummy challenge available here. By opening the page you'll notice a form. By entering a number and submitting the page, a result will be calculated. After entering a few numbers you'll notice that the result is your number plus 44. Now that you've figured this out, you can go ahead and submit your answer. This is an intentionally easy example. Have fun with the ones below, I'm sure you'll like some of them!


Below is a list of the first six challenges. Depending on how many people like this idea I might make a few more. There's some pattern matching, user input parameter discovery, and light brute forcing challenges. Have fun!

Submit answer

Frustrated? Rage tweet!

Just want to share? Tweet!