RedFlag: A Damn Vulnerable Web App Powered by Go and Redis

Hey everyone — 404Yeti here, back from the Icebox ❄️
Today I want to share a project I built called RedFlag, a purposely vulnerable web app that’s small in size but massive in security training value.

Whether you’re learning web hacking, prepping for CTFs, or brushing up on your Redis fu — RedFlag was built for you.

Why did I build this?

As a security learner, I wanted to understand:

  • Redis
  • IDORs in API endpoints

RedFlag is:

  • Intentionally insecure
  • Built in Go for speed
  • Backed by Redis
  • Filled with realistic flaws for red team-style attacks

Tech Stack:

  • Go: web backend + session logic
  • Redis: session & flag storage
  • HTML/CSS: terminal-style front-end

Features & Vulns to Exploit

Role Escalation via Redis

Change the role stored in your session key in Redis from:

"role": "user"

to

"role": "admin"

Boom — instant access to admin-only routes.

IDOR Flag:

Visit this endpoint:

/flag-alt?user=admin

Access flags belonging to other users. Classic IDOR mistake.

Admin can delete with no auth

/admin/delete?user=alice

No session check, no CSRF, no mercy. You’re the admin now.

Redis CLI Hacking

redis-cli
> keys *
> get session:someID
> set session:someID '{"username":"hacker","role":"admin"}'

Now refresh — and you’re root.

These are fun exploits to play around with to see how they work, and how Redis can be incredibly useful but incredibly dangerous as well.
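To show the server-side checks that the /flag-alt IDOR and the unauthenticated /admin/delete route above are missing, here is an added Go example (not RedFlag's own code). It replaces Redis with an in-memory map and uses constructed session IDs and flags; the handler logic is written as plain functions returning a status code and body so the checks are easy to read.

```go
package main

import "net/http"

// Session mirrors what RedFlag keeps in Redis under session:<id>.
type Session struct{ Username, Role string }

// In-memory stand-ins for the Redis session and flag stores (constructed data).
var sessions = map[string]Session{"sid-alice": {"alice", "user"}, "sid-admin": {"admin", "admin"}}
var flags = map[string]string{"alice": "FLAG{alice}", "admin": "FLAG{admin}"}

// Vulnerable /flag-alt: hands out whichever user's flag ?user= names, with no check at all.
func flagAltVulnerable(requestedUser string) (int, string) {
	return http.StatusOK, flags[requestedUser]
}

// authz resolves the session ID server-side and, when role is non-empty, requires that role.
// The role still comes from the store, so Redis itself must not be reachable by users.
func authz(sessionID, role string) (Session, int) {
	sess, ok := sessions[sessionID]
	if !ok {
		return sess, http.StatusUnauthorized
	}
	if role != "" && sess.Role != role {
		return sess, http.StatusForbidden
	}
	return sess, http.StatusOK
}

// Fixed /flag-alt: identity comes from the session; a ?user= naming anyone else is refused.
func flagAltFixed(sessionID, requestedUser string) (int, string) {
	sess, code := authz(sessionID, "")
	if code != http.StatusOK {
		return code, http.StatusText(code)
	}
	if requestedUser != "" && requestedUser != sess.Username {
		return http.StatusForbidden, "not your flag"
	}
	return http.StatusOK, flags[sess.Username]
}

// Fixed /admin/delete (the original has neither a session check nor a role check).
func adminDeleteFixed(sessionID, target string) (int, string) {
	if _, code := authz(sessionID, "admin"); code != http.StatusOK {
		return code, http.StatusText(code)
	}
	delete(flags, target)
	return http.StatusOK, "deleted " + target
}
```

The functions are kept free of http.Handler plumbing so they can be exercised from a test or wired to http.HandleFunc; note that the fixed admin route still trusts the role read from the store, which is exactly why the Redis instance must not be exposed to users.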

Challenges You Can Try

Challenge                   Goal
/flag?user=you              Grab your own flag
/flag-alt?user=admin        Steal someone else's flag
/admin/delete?user=alice    Abuse admin privileges
Redis session tamper        Become admin via session edit
Race for a TTL flag         Practice real-time exploitation

It's really neat to see what you can do with Redis, how session management works, and of course how to cause some havoc.

Educational Value

RedFlag teaches:

  • How real session management flaws are abused
  • How access control should be validated server-side
  • Why you should never trust client-provided data

It’s also the perfect companion to:

  • Postman, Burp, curl testing
  • CTF writeups or training demos
  • Explaining why “just use Redis” isn’t always secure

Check It Out

https://github.com/404Yeti/redflag

Fork it. Clone it. Hack it.

Warning

DO NOT deploy this to the open internet.
RedFlag is designed for offline training, red team labs, and security education only.

🧊 Final Words

“Security isn't just about firewalls and hashes. Sometimes, it's about noticing a URL that lets you delete your rival’s account.” – 404Yeti

Until next time —
Stay frosty, stay sneaky.
404Yeti out. 🐾