Bring your own Anthropic API key to skip rate limits and pay only for what you use. Get one at console.anthropic.com/settings/keys. The key stays in your browser session — never written to disk or logged.
Paste a writeup URL (HTB, bug bounty report, Medium article) or the raw text. Screenshots in the writeup are fed to Claude's vision so payloads visible in Burp captures get extracted too.
The Breach challenge on WebVerse Labs exposes a GraphQL API backing a notes application. The notes are visible in the UI, but a GraphQL schema often has surfaces the front-end never touches. Map what's really there, and find a way to reach the flag.
Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.
A phishing/spam email promotes a 'free partnership tool' at start.avail.zone. The invite URL passes a domain through a query parameter — what does the server actually do with it? Investigate the request flow and find an abuse path that could turn this 'invite' into something nastier.
A pizza-ordering web application on Bugforge gives registered users a single-use discount code. The flag goes to whoever can apply more discount than they should — the fix is one HTTP request away, but you'll need to think carefully about how the server interprets the input you send.