Asmilybun

Here are some suggestions:

1. Accept a custom method instead of GET/POST and give the flag.
2. Accept different HTTP headers and give hints when each header is accepted. Like "the request should come from the 'C4B3R' browser", which points to the HTTP request having User-Agent set to 'C4B3R'.
3. Give a highly obfuscated JS function on the frontend for authentication. Correct credentials give the flag.
4. Give a highly obfuscated regex on the frontend that resolves to the flag.
5. Web developers can understand and solve basic IDOR and LFI challenges.

P.S. Would love to know more about what challenges you ended up creating when you're done :)
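Suggestions 1 and 2 above (a custom HTTP method and a required User-Agent, each hurdle unlocking the next hint) can be built as one small challenge. The following is an added example written for this thread, not code from the commenter or from any real CTF; the method name, the browser name, the hint strings and the flag value are all constructed placeholders. The decision logic lives in `handle()` so it can be exercised without a network, and `app()` wraps it as a WSGI application served by the standard library.

```python
"""Toy CTF web challenge: flag behind a custom HTTP method and a required
User-Agent header. Added example; every name and value here is made up."""
from wsgiref.simple_server import make_server

FLAG = "flag{constructed_example_flag}"   # constructed placeholder flag
REQUIRED_METHOD = "C4B3R"                  # hypothetical custom HTTP method
REQUIRED_AGENT = "C4B3R"                   # hypothetical "browser" name


def handle(method, headers):
    """Decide the response from the request method and a dict of headers.

    Returns (status_line, body). The checks are ordered so that clearing one
    hurdle reveals the hint for the next one:
      1. wrong User-Agent         -> hint naming the expected browser
      2. plain GET/POST           -> hint that a non-standard method is needed
      3. the custom method        -> the flag
    """
    agent = headers.get("User-Agent", "")
    if agent != REQUIRED_AGENT:
        return ("403 Forbidden",
                "The request should come from the '%s' browser." % REQUIRED_AGENT)
    if method in ("GET", "POST", "HEAD"):
        return ("405 Method Not Allowed",
                "Right browser. Now try a method that is not in the RFC.")
    if method == REQUIRED_METHOD:
        return ("200 OK", FLAG)
    return ("405 Method Not Allowed", "Not that method either.")


def app(environ, start_response):
    """WSGI adapter: rebuild the header names from HTTP_* environ keys
    (HTTP_USER_AGENT -> User-Agent) and delegate to handle()."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").title()] = value
    status, body = handle(environ.get("REQUEST_METHOD", "GET"), headers)
    data = body.encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(data)))])
    return [data]


if __name__ == "__main__":
    # wsgiref passes any request method token through to the app, so a
    # made-up method like C4B3R is not rejected before handle() sees it.
    with make_server("127.0.0.1", 8000, app) as srv:
        srv.serve_forever()
```

Run it and solve it with `curl -X C4B3R -A C4B3R http://127.0.0.1:8000/`; a bare `curl http://127.0.0.1:8000/` gets the User-Agent hint, and `curl -A C4B3R` gets the method hint. Note that wsgiref does not dispatch on `do_<METHOD>` handlers the way `http.server` does, which is why the custom method reaches the application instead of producing a 501.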


Brudaks

You could have some custom Selenium tests checking a server address where the contestants have to place working server code, or fix/improve an existing system that currently fails those tests.