Bug bounty
Public

YesWeHack Dojo

Step into the YesWeHack Dojo for exciting monthly challenges that bring real-world vulnerabilities to life in a Capture The Flag (CTF) format. Each month, a new challenge awaits, offering you the opportunity to sharpen your skills, earn points for successful solves, and fast-track your way to exclusive private invites. Submit one of the top three write-ups, and you’ll win an exclusive swag pack! Remember, only KYC-verified hunters are eligible for private invites, so be sure your verification is complete. Ready to level up? Challenge yourself and let's hack the planet! 🤘

Program

Scope
1

Supported languages
French
English

Hacktivity

Reports
1723
1st response
< 3 days
Reports last 24h
4
Reports last week
18
Reports this month
33

Challenge - Xmas wishlist


  • ⏳ Active until: 17 January 2025
  • 🎁 The 3 best quality reports will win a special swag pack!

BRUTE FORCE IS NOT ALLOWED!
(Applies only to the Dojo challenge page itself)

A valid solution for the challenge must meet these requirements:

  • Your report must include a proof of concept (PoC) showing how you obtained the flag
  • The flag must be included in the report

Are you interested in doing your own Dojo challenge? Send us a message on Twitter!

Challenge rules

These rules apply to every challenge:

  1. Challenge solves are accepted exclusively as reports submitted to this program.
  2. The 3 best-quality write-up reports will be rewarded with a swag pack!
  3. Any report that does not include a full write-up will be discarded.
  4. Flags inside the YesWeHack Dojo sample databases have no value and are publicly accessible from the challenge pages. This is a feature, not a bug.
  5. Hack smart: do not brute-force or automate testing. Challenges are designed to be solved manually.
  6. If you leak a solution as a reply to one of our social media threads instead of filing a report, you spoil the challenge for others. Do not do this before the challenge ends and the winners list is announced.
  7. Don't forget to link your Twitter or LinkedIn profile if you want to be highlighted in the winners announcement, which we post as a reply to the challenge's initial post.

Write-up report

What is a "write-up report", you may ask?

The challenges are drawn from real-life vulnerabilities. If you manage to solve a challenge, you must write a report explaining the logic behind your solution: "How did you solve the challenge?"

Why is this important?

  1. It avoids copy-paste solutions.
  2. It shows your unique talent as a professional bug bounty hunter.

We will publish the best write-up report alongside the winners list for each challenge session on our blog (see an example here).

🎁 Rewards

Swag pack with YesWeHack goodies

We fiercely protect your privacy. No personal information from your profile will ever be used by anyone, except for individual exchanges between you and YesWeHack for the purpose of this challenge and for awarding gifts.

About the Dojo platform

The YesWeHack Dojo is a unique training and learning tool: it lets you watch in real time how inputs and parameters manipulate code.
It can also be used to rebuild complex exploitation scenarios from scratch and share them.

We have crafted nifty challenges on the Dojo platform, which we will launch from the YesWeHack Twitter account. Stay tuned.

Overview of the Dojo platform

On our blog, we describe how to use the platform effectively, covering all the features it offers.



Scopes

Scope: https://dojo-yeswehack.com/challenge-of-the-month/dojo-38
Type: web-application
Asset value: Medium

Out of scopes

  • Everything outside the in-scope root URL

Vulnerability types

Qualifying vulnerabilities

  • A working, reproducible, one-shot input string that solves the challenge.

Non-qualifying vulnerabilities

  • Anything that isn't related to the current challenge.
  • Obtaining the flag without showing a proof of concept on how to solve the challenge.

Hunting requirements

Account access

No automated probes; exploit manually.