#owasp-top-10-2025-module
i am doing https://tryhackme.com/room/owasptopten2025three, a05: injection; where is the flag? in the current directory are only Dockerfile README.md pycache app.py requirements.txt static templates
hey:)
so the webapp gives you the flag based upon your payload
However, I pushed an updated version of the container that specific web app runs in; turns out I missed out a . in the Dockerfile, so you'll need to redeploy.
If you deploy again and get a shell, the flag.txt will be there in /app/ of the container.
That doesn't sound right. There's quite an easy way to list the contents of that directory, which is what you are supposed to do. Trying to get a shell and then redeploy the app to get the flag is not my idea of a room marked "Easy". This is a bug in the room.
hey all,
just wondering if anyone has figured out 106 insecure design i cannot seem to understand what is needed. please help
i managed to find the /api/users but thats as far as ive gotten
please @sand lintel
please @gleaming bison
please @junior helm
What's exactly the issue ?
Task Three under Application Design flaws is so plain without any info, anyone to help me out?
I'm also in the same situation as TheAngryScorpion, can someone give me a hint to get me unstuck?
done wfuzz till 10000 for that /api/user/ nothing works
/api/process takes payload as {"data":"healthy"}
response
{
"result": "Output: HEALTHY",
"status": "success"
}
@maiden void did you finish A03 software supply chain failure?
I'm stuck on this also.
Have you tried forcing the page to error out?
It's ridiculous
try
if you stuck on insecure design
/api/messages/admin
Did you fuzz for this? I'm starting to think that might be what's needed for Task 3 also.
yeah I tried 5+ hours in A03
but I didn't get a result
just now I dropped it
Room Makers
@junior helm @agile lagoon @upper forge
help us with A03
Are we supposed to find lib/vulnerable_utils.py?
Just use what you have with the answers and figure out what the answer is meant to be 
Thank you very much kind sir ill be testing it now
@stray bear Dm me
Brute force the answer at this stage
Mmmh I don't think the above writeups are a good thing, even though I admit I had a look for this task "AS03: Software Supply Chain Failures" which I genuinely don't understand how to solve. Any hint would be appreciated.
you're right, but it stops you from staying up all night and putting important things off because you "almost got it". Someone will explain how to work it soon, and I'm sure many of us will go and read or watch it; till then we can give our brains a little break.
and i guessed the answer sooner than solving the question TBH
so it kinda is part of the game, brute force with osint
Fair enough
I will say that OWASP Top 10 2025: IAAA Failures was very easy and should be no issue for a beginner. I attempted 'Application Design Flaws', task 2 and got nowhere. I prefer the TryHackMe YouTube video to the Medium writeup because I prefer to get a hint, which triggered something that put me on the right track. For the rooms 'Application Design Flaws' and 'Insecure Data Handling', this means reviewing other rooms that can point me in the right direction.
Task 2: remember when a server gives you too much information in the error message? Don't go and check other IDs; really focus on the API saying too much in case of error, so trigger an error.
how that guy finished A03 software supply chain failure
Each of us created one of the rooms. Other creators are offline after the after hours spent to create the rooms. Once they are back online we can look to add hints for the places where users are getting stuck
- AS03: Software Supply Chain Failures
- AS06: Insecure Design
Already noted and will do!
I am a bit confused on AS03: Software Supply Chain Failures. Are we supposed to use some kind of command injection, or, as the room states, "It needs to be patched ASAP!", to update it? I do not see any other endpoint; for an easy room it is a bit confusing.
yeah, it's pretty silly; the wording leads you to think you need to patch it, but I got the flag after giving up on that and trying some traditional CTF stuff.
Have you checked api/process? you can check with curl
I have added hints to the room
Thank you for the feedback!
I still do not see it. solving farewell CTF was easy then doing this Task 3
for task 3 better check the hint (i can see it): just see the code , check the hint and this is obvious what to do. i wonder what are the other methods π
by the way, just for fun: I asked the bot to help yesterday. It told me to check dependencies with OWASP ZAP and the OWASP dependency tool, ahah, and then when I said it was wrong it said use gobuster.
check the description again...they have changed it...and now also the source code is available for download...now it's obvious...even I got it π
ok, I did not see the button to download the code. The question is why it was added now.
all this do not make sense to me, I see the flag now
because you could guess without the code. trying. what is the other method you used @iron delta
stop saying that guessing
what other method you refer to? easy now when the code is given
the question is logical answer if the code is not given and room text stayed the same " fix the code"
i believed you said and other said another classic CTF method to solve . other than brute force the flag
brute force the flag is nonsense and lazy way to do it
yes you can guess. indeed it is like the previous task . you can guess you need to play with ID like IDOR but make it give you an error .
now after code is given , suddenly its easy
question solve it with no code and with first text description. this room level set to easy
yes, totally agree. I don't get why not have fun and try to solve it. That's a different room, and a good room then.
wasted all Sunday on this. Room creator and TryHackMe really did NOT do a good job here
fun for you. I do not do guessing games, I am here to learn
ahah me too, I even checked the documentation of the server. Nonsense, because I was lost before I checked the API endpoints and tried things. Crazy. Take care @iron delta and thanks for your videos: I could see you spend a lot of time helping the community. Great.
honestly this whole room is not an easy walkthrough
more like a medium challenge
yeah seems this one was haphazardly put together without any QA
still do not see the lab relation to room task Software Supply Chain Failures. and before description was changed, how now we can update the code?
Even with the code still scratching my head with Task 3
Now they updated it with the source to app.py. There is no reason to "Update the code" just check the source and it will reveal a way to get the flag
I get that, I am referring to before the updates they did now.
yeah there was no way to identify it without going hail mary and fuzzing it with every wordlist you can think of
btw @iron delta did you do the task 5?
good, not easy for you, you need to struggle like we did
I did that in the morning. only task 3 was issue for me
was the download Mobile app button supposed to work?
no, again that one you need to guess another api, gobuster (will just find one) will not find it (but from the app context, you can guess the name)
you need to find 2 endpoints, one for users and other for messages / chats
seems like poorly done. There is no relation to whats being said in the task vs the actual practical task
to be fair to the author of this task, it is related to Clubhouse, which is mentioned in the task.
but still for new user / beginner it might not be that easy for them
so the idea here: the app is supposed to be 100% mobile-only use, but you can use a browser / desktop with no authentication to access the API. So you can say it is fair if you read all of the task description.
yeah but the problem for me was the original research was based on reverse engineering the app. In this case you had to guess that there is a /api endpoint and then fuzz it
I think after spending a lot of time on Task 3, API was all that was on my head, so I saw that first. I started seeing API all over.
@iron delta @vestal cloak you both agree it's a lazy way to do it after you both couldn't do it?
what is your point, you did not solved it,
actually i did
you did not, you guessed the flag.
if you did, update your write-up to properly show how you did it
there isnt only 1 way to solve an issue, if you do everything by the book are you using your brain or someone else
this is how they make you a prisoner in your own mind
everyone paints differently, doesnt mean its not a painting
what ever make you happy, say that when you get a job interview or real pentest work
TryHackMe should make flags random so we do not have this issue
is that what makes you feel worth something
Just ignore it @iron delta
a job
Hi, I'm still struggling with this one , gobuster found one of the api end points but with a big wordlist , should I just guess ?! Since when thm work like this ??
Let's stay constructive and avoid personal attacks please
what??? it seems you don't read carefully. I said that I tried things, then after a lot of time checked the API endpoints. What's the point of "couldn't do it"? It seems you have problems understanding and respecting others.
I dont have a problem respecting others, but just because my methods dont please you or @iron delta doesnt mean its lazy. I didnt reply to @odd epoch because they willingly removed my comment which was constructive criticism against @iron delta attitude to my methods yet ignores @iron delta :"say that when you get a job interview or real pentest work". My self worth isnt based on a job interview or pentest work, and i thought tryhackme was a learning platform, in which people can learn skills to get a job interview or pen test work.
no need of gobuster. you already have two API endpoints. one health is very simple. and the other one : read that is written and change what it needs to be changed when you do the POST.
Its not my fault people are frustrated with rooms they have trouble with, even if they are very experienced in the field.
never spoke about your method at all. I am just loving security and having fun here, never saying bad things about other methods. Anyway, the hacker spirit finds its way. Take care.
Im trying to do the same man. just having fun
you too have a good day
thx man π
and sorry for saying you criticized my method, I misread and made a mistake, I apologize
My input,
- It's a walk through that presents more like a challenge room
- Was a bit surprised to only see 32 points for completing (which is not so bad now it's easier but i got it before the hints and rework of 3. ) suspect 6 will get hints soon as well.
Thanks for this! Just for a learning moment, how did you discover the endpoint? did you just go through directory bruteforcing? if so, what wordlist did you use?
It's not that task, I'm asking about this one, AS06: Insecure Design, about the mobile app. You don't have any endpoints; gobuster does give you one, and they said above that you have to guess the other one.
/api/messages/admin
Thank u
Can I dm u ?
how did you find the pathway for task 06? I can't find it even with dirsearch...
He just helped me with it. The first endpoint is users, you can get it with gobuster; the second you have to guess!! But he just gave it to me: /api/messages/admin, the admin user you get from the users endpoint.
I didn't like this room
The room is all about fuzzing
I like this room because it is not only well done but it asks you to guess. You had to guess the keyword in the API, you had to trigger an error, you had to read that there is also a messages API endpoint. This is different. Just the way of writing the question is sometimes confusing, like you believe you need to find the lib when you just have to think there is a vulnerable, badly written lib. Since it was not easy out of the box, the creator now shows the lib. Maybe we should not give the answers here, guys. I know sadly some people give answers somewhere, but what is the use of not doing the challenge yourself? Take care.
Really not impressed with this room, listed as easy / 30 minutes, been at it for hours and still struggling
If you are trying to teach people the basics of the OWASP 2025, this is not the room to do it, should be learning the basics, not some of the more advanced stuff in it
what do you need?
I need OWASP Top 10 - 2021 (https://tryhackme.com/room/owasptop102021) kind detailed room.
Oh this is the 2025 room, sorry I don't know the walk through for that one off my head
I am stuck in the xor part π can someone help
Which a0 number
I should have tried to just enable it, aye
what you mean don't open, how you are opening it? download it first, then open it with text editor
Thank you, I did it
Thank you for your video on YouTube, it helps me
OWASP Top 10 2025: IAAA Failures task 3 flag does not work
please can I get a confirmation
ignore me cloudflare outage again. Page has gone yet again
yes same to me!!
Anyone else stuck on the Mobile app task (Insecure Design)?
https://tryhackme.com/room/owasptopten2025two
I get a single webpage on port :5005, with a non-functioning Download App button (?!)
Curious how you got to the right one?
Forced browsing got me nowhere, and a cursory search didn't turn up any endpoint mentions in the reporting on the Clubhouse breach
As a note for the creator, if /api and /api/messages returned something other than a 404, that might make this endpoint more easily discoverable.
LMK what I'm missing if this feedback is like the others (e.g. basics of how to exploit an IDOR or verbose error message was missed by the user).
You're absolutely right. I was guessing the API endpoint and got frustrated, and decided to look for suggestions on Discord and YouTube, and I found @iron delta's video. And instead of api/<user>/message, I found that the API endpoint is api/messages/<user>.
I would say the current room was developed in a rush. I will wait for a full, in-depth, detailed room for OWASP 2025, because the next OWASP release will take a minimum of 3-4 years, and this room cannot fulfil the expectations of newbies.
Sadly, I agree.
To anyone working on/planning improvements to this room, I'd be happy to provide more detailed feedback/input on proposed changes
Hey all
Yes, please feel more than free to forward on any feedback and improvements you'd recommend @snow jackal & @twilit drift (and anyone else) and I'll see to it on our side of things
Either here, or DMs, whatever you feel comfortable with
I'd be delighted to share some recommendations for a room. I'll take some time to brainstorm some ideas and share them with you.
TYVM (but your DMs are restricted to friends; I'm sure for good reason)
Please tell me how you discovered this.
What kind of tool did you use?
I've tried:
feroxbuster
ffuf
gobuster
By search depth and endpoint (/api/) and a large list of words.
But it did not find "messages", although it is in the wordlist.
You are absolutely right! Even though the "messages" word is in the wordlist, the API endpoint returned a 404 error. So I guessed that the API endpoint should be around chat-related topics. I manually guessed all the possible endpoints such as /api/chat, /api/user/chats, /api/user/msg/, /api/user/mesgs/, /api/user/messages/, but every time I failed. So I took help from @iron delta's video, which is posted on YouTube, and I found out the API endpoint. @iron delta also mentioned in the video how he discovered and guessed endpoints. And that's how I discovered the endpoints. If you want, I can send you the video link.
@snow jackal Thanks for the reply.
While I was writing to you, I tried this.
api_fuzzer.py
But it also didn't help.
We need to know the endpoint exactly.
The /api/messages endpoint is very misleading
I literally doubted on my fuzzing knowledge
I've been stuck in the "OWASP Top 10 2025: Insecure Data Handling" room for about 3 hours now, and after trying everything, I decided to look at the answer. But strangely, even though I typed the answer exactly as it was, I keep getting the error in the attachment. Is this just my problem, or are others experiencing it too?
am I the only one that struggles a lot in this room ?
Probably not - these rooms assume a certain understanding of some of these issues.
When stuck, start with the linked content, then similar rooms on the issue.
Finally, you can give your fav LLM/echo the name of the room, describe what you've done and any hunches you have, and ask if you're on the right track
A10 is missing from OWASP top10 2025 module and there is duplicated A04 in Application design flaws and Insecure Data handling
For those still struggling with A04, a little hint: PyCryptodome
How did you come to that path?
This is one of my only gripes - if the individual components of that path returned a different value, that'd be doable.
Otherwise one has to resort to blind guesses, and/or bruteforcing with combinations of 3 values of /usr/share/wordlists/dirb/common.txt (with 4600^3 possible combinations)
Bro, I dont even comment EVER. from the bottom of my heart thank you I was stuck on this task for hours!
Hello,
could you share how did you find this endpoint?
Unfortunately there's no satisfactory answer other than extreme luck (path is 3 levels deep), walkthroughs/leaks, or an inordinate amount of bruteforcing
I try and help, man. A lot of people here are too scared to even look people in the eye; they won't help because they are scared someone might get upset that you gave away a hint.
ok
dis chat is dead fr
Mu
I'm working in this room currently
https://tryhackme.com/room/owaspapisecuritytop105w
Stuck on Task 4 practical -- I am formatting my request and get a token associated with sales@mht.com, then send a GET request through to http://localhost:80/MHT/apirule2/user/details with the token added as a header
Not sure how to format it but I've tried
- add token as a query parameter under name token
- Add it as a header with format Authorization: Bearer <token>
- Add it as a header with format Token: <token>
My token also doesn't seem URL encoded but not sure if that's the issue
going to continue tomorrow but I think my issue is specifically in how I format my request, I'm not sure how to pass the token I get from the insecure login to the detail page. Seems like that's my missing link here
OWASP Top 10 2025: Insecure Data Handling, task 4: after running the Python script and getting the base64-encoded value, I submit it to the web page for deserialization and get the error "Error: Deserialization error: AttributeError: Can't get attribute 'Malicious' on <module '__main__' from '/app/app.py'>". Even after trying multiple times with echo to update the script, the AI keeps circling back to a script that generates the same error on the web as shown before. I am not sure what is happening here. Was there an update on the server side such that reading flag.txt has been blocked, or did I do something wrong?
Python script?
This includes weak algorithms, hard-coded keys, poor key handling, or unencrypted sensitive data.
So which case are we in with T4, based on what you can find?
(Might want to inspect the Network tab for clues - personally I use an HTTP proxy like Caido (slowly eating BurpSuite's lunch) to make it easier to inspect what the FE/BE are saying to each other)
Hi, thanks for the feedback. Integrity Lab: Insecure Deserialization, task 4. My understanding is to generate a base64-encoded payload using pickle to read flag.txt through the __reduce__ method in Python, which is the script. After running the script, I got the base64-encoded payload and submitted it to the web page, with the feedback as mentioned before: "Error: Deserialization error: AttributeError: Can't get attribute 'Malicious' on <module '__main__' from '/app/app.py'>". The rest is pretty much what I mentioned before, getting help from echo. If you need to see the base64-encoded value, I will share it with you.
Are you in insecure data handling or insecure deserialization? (pickle exploits apply to the latter).
Look for the 4 elements in the quote - you should find one that allows you to decrypt the secret document
Insecure Data Handling, A08: Software or Data Integrity Failures