Projects

Building DVCA: A Damn Vulnerable Chat App for Ethical Hackers

Hey everyone, Yeti here 🐾
As part of my journey into deeper AppSec, I wanted to build something that combines everything I’ve been learning: APIs, real-time backend behavior, front-end vulns, and secure(ish) architecture — then rip it all wide open.

So I built DVCA – Damn Vulnerable Chat App
An intentionally insecure, Go-powered chat platform for red teamers, CTF players, and curious developers.

Tech Stack & Architecture

DVCA uses:

Go – for backend services and microservices
WebSockets – for real-time chat messaging
SQLite – lightweight storage for SQLi practice
HTML/CSS (terminal-style) – simple static frontend
Microservices – including a hilariously vulnerable AI bot

🎯 Vulnerabilities You Can Explore

Here’s what you (or your students/friends/team) can attack:

🔓 JWT Token Tampering

Modify the local JWT and give yourself admin access:

localStorage.setItem("dvca_token", btoa(JSON.stringify({user: "hacker", role: "admin"})));
location.reload();

🐍 SQL Injection

Simple GET endpoint with no input filtering:

/api/messages?user=' OR 1=1--

🤖 Insecure Bot Commands

The bot microservice listens to @ai commands in plain text:

@ai help
@ai joke
@ai hack

💬 XSS in Chat

Try this:

<script>alert(document.cookie)</script>

🔐 Why I Built DVCA

I originally started because I wanted to learn about web sockets and build a chat app but later it spiraled into something bigger.

“The best way to learn is by building — then breaking what you built.” – 404Yeti

So I made DVCA for:

Learning how Go + WebSocket's behave under attack
Wanted to create a chat app project
Teaching junior devs or students about real-world risks
Wanted to create a full stack project

📦 Get the Code

GitHub: 404Yeti/dvca

Clone it, run it, and try to break it.
And if you add a new vuln, PRs are always welcome.

⚠️ Final Notes

DO NOT deploy this in production.
This is built to be insecure — that’s the whole point. Use it locally or in a secure lab environment only.

Built with love, Go, and a desire to teach and hack.

404Yeti out. 🐾

Webverse DockerHive Walkthrough

Hey everyone! I am back with another walkthrough, and this time we are trying a new website called Web Verse! They have some fun labs, and I highly recommend you check them out. Here is my walkthrough of the DockerHive challenge!

Tanuki: Following the Numbers to an IDOR

404Yeti here. Today we’re cutting into another BugForge challenge, this time focusing on Tanuki and an Insecure Direct Object Reference (IDOR) vulnerability hiding behind a simple numeric pattern. This is the kind of flaw attackers appreciate because it rarely looks dramatic at first. No loud errors. No obvious breakage.

Daily BugForge Challenge: Cheesy Does it (SQL)

1. 404Yeti here. Today we’re stepping into another BugForge challenge, this time carving open Cheesy Does It. What looked like an ordinary login portal turned out to be sitting on a brittle foundation. Under a little pressure, it cracked fast. This challenge revolves around a classic failure: SQL injection

Daily BugForge Challenge CafeClub(new)

1. Hey everyone — 404Yeti here, back with another BugForge challenge. Today we’re revisiting Cafe Club, but this time we’re focusing purely on an IDOR vulnerability and how it can scale into something much worse: mass account takeover. Let’s break it down. ❄️ Step 1: Create 2 accounts For