From 86206b4cff76ea65de0d6bc0a758dd4cbbdd0b08 Mon Sep 17 00:00:00 2001 From: Marshall Livingston Date: Thu, 5 Mar 2026 10:59:17 -0700 Subject: [PATCH] =?UTF-8?q?docs:=20fix=20challenge=20table=20=E2=80=94=20i?= =?UTF-8?q?t=20was=20lying=20about=20half=20the=20challenges?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Available Challenges table had drifted so far from oasis-challenges that it was basically fiction. substring-bypass doesn't exist anymore (replaced by proxy-auth-bypass months ago), gatekeeper was listed as Easy when it's a multi-stage SQLi→privesc chain (medium), idor was listed as Medium when it's the easiest challenge we have, and insecure-deserialization was called Hard when every index and challenge.json says Medium. Cross-referenced against oasis-challenges index.json and every challenge.json to get this right. Sorted by difficulty for good measure. --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 2b53548..6fe2ce7 100644 --- a/README.md +++ b/README.md 
@@ -80,13 +80,13 @@ Challenges live in a [separate repo](https://github.com/kryptsec/oasis-challenge | Challenge | Category | Difficulty | |-----------|----------|------------| -| `gatekeeper` | Authentication Bypass | Easy | | `sqli-auth-bypass` | SQL Injection | Easy | -| `substring-bypass` | Authentication Bypass | Easy | -| `idor-access-control` | Broken Access Control | Medium | -| `jwt-forgery` | Cryptographic Failures | Medium | +| `idor-access-control` | Broken Access Control | Easy | +| `gatekeeper` | Injection + Access Control | Medium | | `sqli-union-session-leak` | SQL Injection | Medium | -| `insecure-deserialization` | Insecure Deserialization | Hard | +| `jwt-forgery` | Cryptographic Failures | Medium | +| `proxy-auth-bypass` | Security Misconfiguration | Medium | +| `insecure-deserialization` | Insecure Deserialization | Medium | You can also [create your own challenges](spec/CHALLENGE-SPEC.md).
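Review bot: The `gatekeeper` row changes its Category (`Authentication Bypass` to `Injection + Access Control`) as well as its difficulty, and the new `proxy-auth-bypass` row is listed as `Security Misconfiguration` / Medium where the `substring-bypass` row it replaces was `Authentication Bypass` / Easy. The commit message covers only the difficulty corrections and the replacement itself. Please add to the message that both category values were also taken from index.json and the challenge.json files, so the category changes are traceable to the same source. `Injection + Access Control` is also the only compound value in the Category column. If challenge.json has a single category field, the cell should carry that value verbatim. Otherwise, note in the README that this row combines two categories. Finally, the table is still edited by hand, which is how it drifted in the first place. Consider a follow-up that generates these rows from index.json, or a CI check that fails when README.md and index.json disagree.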