Break-It Cheetsheet

!! This page should only be visible to students in the break-it phase. Alternative: only release it after a half of the Break-it phase. !!

This is a list of most likely introduced vulnerabilities. There is no guarantee that any of them will be introduced by a given team, but we believe they are a good starting point for the Break-it phase.

Security analysts often rely on such lists in the penetration testing phase. For example, OWASP provides a comprehensive collection of cheat sheets, which serve the same purpose. We strongly recommend using those as well, but in addition, we provide this list, tailored to the specifications you received.

ToDo (Cris): detail each entry and reference the corresponding problematic spec. Reference external resources, e.g., scientific papers.

Improper authentication

All the SSO-related problems Soheil mentioned.


Hopefully some of the pdf parsers are vulnerable to this if used naively


If the pdf library handles the JS code inside the pdf in a careless way.

Information disclosure

All the problems Giancarlo mentioned regarding URLs to PDFs, e.g., using links like “file://”.

Path traversal

I guess most of the frameworks are not vulnerable to this, e.g., for their views, but naively implementing saving/reading pdf files can result in this.

CPU-based DoS attack

Synchronous operations: if they do the pdf processing in the main thread/loop


Again, we need to see if the parsers usually allow this.

Zip slip

If we allow the upload of zip archives as discussed.

Account hijacking

All the bugs related to login/account management.

Logic bugs

I guess there will be quite some bugs regarding authorization checks.


I guess a lot of the students will forget to protect privileged operations for this, e.g., changing password.

(No)SQL injection

Very unlikely I think, but we may see this if we ask the students to implement some client-side validation, e.g, not rely blindly on forms to submit data, but ask them to serialize the data as JSON first and then send it to the server. In this way, we may increase the chance for NoSQL injection.

Command Injection/RCE

Should we give them a binary to run, e.g., a compression library?


We can use the vulnerable component, e.g., broken sanitizer, to increase the chance of XSS. We can also ask for features that are prone to this, e.g., print the user agent of the visitor.

Authentication in web sockets

Cross-site leaks

Insecure deserialization / prototype pollution

Framing problems