Root-Me/HTTP - Directory indexing·15ptsHTTP - Directory indexing — Root-MeServer-side web task HTTP - Directory indexing.Webmedium#web#root-me#mediumMay 26, 2026
Root-Me/Nginx - Alias Misconfiguration·15ptsNginx - Alias Misconfiguration — Root-MeFor Nginx - Alias Misconfiguration, the backend trusts headers and cookies too much.Webmedium#web#root-me#mediumMay 26, 2026
Root-Me/API - Broken Access·15ptsAPI - Broken Access — Root-MeServer-side web task API - Broken Access.Webmedium#web#root-me#mediumMay 26, 2026
Root-Me/HTTP - POST·15ptsHTTP - POST — Root-MeServer-side web task HTTP - POST.Webmedium#web#root-me#mediumMay 26, 2026
Root-Me/Backup file·15ptsBackup file — Root-MeServer-side web task Backup file.Webmedium#web#root-me#mediumMay 26, 2026
Root-Me/HTTP - Open redirect·10ptsHTTP - Open redirect — Root-MeServer-side web task HTTP - Open redirect.Webeasy#web#root-me#easyMay 26, 2026
Root-Me/PHP - Command Injection·10ptsPHP - Command Injection — Root-MeServer-side web task PHP - Command Injection.Webeasy#web#root-me#easyMay 26, 2026
Root-Me/Weak password·10ptsWeak password — Root-MeFor Weak password, the backend trusts headers and cookies too much.Webeasy#web#root-me#easyMay 26, 2026
Root-Me/HTTP - IP restriction bypass·10ptsHTTP - IP restriction bypass — Root-MeFor HTTP - IP restriction bypass, the backend trusts headers and cookies too much.Webeasy#web#root-me#easyMay 26, 2026
Root-Me/HTML - Source code·5ptsHTML - Source code — Root-MeFor HTML - Source code, the backend trusts headers and cookies too much.Webeasy#web#root-me#easyMay 26, 2026
Root-Me/XSS DOM Based - Introduction·35ptsXSS DOM Based - Introduction — Root-MeWeb client notes for XSS DOM Based - Introduction: XSS variants, CSP bypass narratives, and chaining a UI flaw with an API call the server should have rejected..Webinsane#web#root-me#insaneMay 26, 2026
Root-Me/CSRF 0 protection·35ptsCSRF 0 protection — Root-MeClient-side web challenge CSRF 0 protection.Webinsane#web#root-me#insaneMay 26, 2026
Root-Me/CSP Bypass - Inline code·35ptsCSP Bypass - Inline code — Root-MeFor CSP Bypass - Inline code, the attack surface lives in front-end validation.Webinsane#web#root-me#insaneMay 26, 2026
Root-Me/AST - Deobfuscation·35ptsAST - Deobfuscation — Root-MeClient-side web challenge AST - Deobfuscation.Webinsane#web#root-me#insaneMay 26, 2026
Root-Me/XSS - Stored 1·30ptsXSS - Stored 1 — Root-MeWeb client notes for XSS - Stored 1: XSS variants, CSP bypass narratives, and chaining a UI flaw with an API call the server should have rejected..Webhard#web#root-me#hardMay 26, 2026
Root-Me/Javascript - Obfuscation 3·30ptsJavascript - Obfuscation 3 — Root-MeClient-side web challenge Javascript - Obfuscation 3.Webhard#web#root-me#hardMay 26, 2026
Root-Me/Javascript - Webpack·15ptsJavascript - Webpack — Root-MeFor Javascript - Webpack, the attack surface lives in front-end validation.Webmedium#web#root-me#mediumMay 26, 2026
Root-Me/Javascript - Obfuscation 1·10ptsJavascript - Obfuscation 1 — Root-MeFor Javascript - Obfuscation 1, the attack surface lives in front-end validation.Webeasy#web#root-me#easyMay 26, 2026
Root-Me/Javascript - Authentication 2·10ptsJavascript - Authentication 2 — Root-MeClient-side web challenge Javascript - Authentication 2.Webeasy#web#root-me#easyMay 26, 2026
Root-Me/Javascript - Source·5ptsJavascript - Source — Root-MeClient-side web challenge Javascript - Source.Webeasy#web#root-me#easyMay 26, 2026