Hack This WordPress Site — Security Challenge

[hyperpolymath]

The Challenge

We've built a security layer that sits outside WordPress — a Rust process that proxies every database query through an AST parser and monitors all file changes via BLAKE3 integrity manifests.

Your goal: Break it.

What makes this interesting

• No regex-based WAF rules to bypass — full SQL parsing via sqlparser
• File integrity enforced with BLAKE3 cryptographic hashes
• No admin panel on the live server — all writes go through ML-DSA-87 (post-quantum) signed mooring protocol
• Distroless Chainguard container — no shell, no package manager, no libc

Full Details

See the complete challenge document: HACK-ME-CHALLENGE.adoc

Includes:

• Attack surface table
• Database proxy policy (which tables are mutable/immutable)
• Signature scheme details (ML-DSA-87, BLAKE3, XChaCha20-Poly1305)
• Container security specs
• Rules of engagement
• Reporting process

Status

The live target URL will be published here once the demo instance is deployed. The challenge document is available now for review.

Reporting Vulnerabilities

If you find something: jonathan.jewell@open.ac.uk with subject "Wharf Security Finding". We'll acknowledge within 48 hours.

---

Think you can inject SQL through an AST parser? Prove it.