Report 5 - Flora - UMassCTF 2026 /web/order66#78
mmstoic left a comment
Overall a solid writeup! Please make the requested changes and the writeup will be good to go!
> # UMass 2026: web/order66
>
> ## Context & Vulnerability
> This is an application with 66 order boxes and a link to the chancellor (admin) as well as a url 'logs for chancellor'. While testing out the site, you notice that you can only input into one of the orders. Additionally, regardless of the input, the link in the url box does not change, whereas inserting this link into the chancellor/admin does not work. The chancellor/admin also does not take https, only http connections.
"Additionally, regardless of the input, the link in the url box does not change, whereas inserting this link into the chancellor/admin does not work." Not sure what you mean by this? Could you clarify what you mean by "does not work"? Also, I think an image of the webpage would be helpful here!
> `is_payload_present = "<script" in current_content.lower() or "alert(" in current_content.lower()`
>
> Our goal is the flag which is in the admin's cookie (see app.js). Notice how secure is set to false meaning the browser will transmit this cookie over http connections which is what the chancellor/admin takes.
Minor detail, but formatting it like `secure` is set to `false` is more clear.
> ## Exploitation
> We notice from the `hello_word()` function that there is one vulnerable index `current_vuln_index`, which means one of the 66 boxes allows for XSS with JavaScript.
>
> ```
> if i == current_vuln_index and ("<script" in content.lower() or "alert(" in content.lower()):
>     is_payload_present = True
> ```

Also minor detail, but it would be helpful if you showed more context of the loop, like what it's looping through (what is i?)
> Since we see that the index, uid, and seed don't change when we enter into the order boxes, we can test each box to see which one is vulnerable with `<script>alert(1)</script>`

Why is it important that "index, uid, and seed don't change"? And is this info that you're putting into the webpage? Again, an image could be helpful here.
> The box that allows the alert to go through is the vulnerable box which we can inject with a payload we want the chancellor/admin to execute. We can use `<script>console.log(document.cookie)</script>` in order to dump the cookie into the output of the chancellor/admin.
> app.py also contains the endpoint `/view/<uid>/<int:seed>` which is what we want to add to the end of the ctf url to input to the chancellor/admin. Doing so dumps the flag.

Why does attaching the seed dump the flag? Can you show the relevant code that supports this?

> ```
> Failed to load resource: the server responded with a status of 404 (NOT FOUND)
> ```
> ## Remediation
Just some grammar checks in the remediation section here.
Flora's fifth writeup - web challenge from UMassCTF 2026 - XSS
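As an added example, not part of Flora's writeup or of this review, the Python below models the two technical points the review asks to be clarified: probing all 66 order boxes to find the single index where `<script>alert(1)</script>` is reflected unescaped, and why a cookie set with `secure` false reaches an http-only admin page. The `MockOrderApp` rendering behaviour (every box HTML-escaped except the one at `current_vuln_index`) and the `Set-Cookie` header values are constructed assumptions; only the `payload_present` condition is taken from the quoted app code.

```python
import html
import random

# Constructed model of the order66 challenge, written for this review page.
# Assumption (not shown on the page): app.py HTML-escapes every order box
# except the one at current_vuln_index, which is reflected verbatim.
NUM_BOXES = 66
PROBE = "<script>alert(1)</script>"


def payload_present(i, content, current_vuln_index):
    """The server-side check quoted in the writeup, in function form:
    it only fires for the single vulnerable index."""
    return i == current_vuln_index and (
        "<script" in content.lower() or "alert(" in content.lower()
    )


class MockOrderApp:
    """Stand-in for the challenge app: 66 boxes, one of them unescaped."""

    def __init__(self, current_vuln_index):
        self.current_vuln_index = current_vuln_index
        self.boxes = [""] * NUM_BOXES
        self.is_payload_present = False

    def submit(self, i, content):
        self.boxes[i] = content
        if payload_present(i, content, self.current_vuln_index):
            self.is_payload_present = True

    def render(self, i):
        if i == self.current_vuln_index:
            return f"<div class='order'>{self.boxes[i]}</div>"  # unescaped
        return f"<div class='order'>{html.escape(self.boxes[i])}</div>"


def find_vulnerable_boxes(app, probe=PROBE):
    """Submit the probe to every box and return the indices where it is
    reflected unescaped, i.e. where the alert would actually fire."""
    hits = []
    for i in range(NUM_BOXES):
        app.submit(i, probe)
        if probe in app.render(i):
            hits.append(i)
    return hits


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def browser_would_send(header, scheme):
    """A cookie without the Secure attribute is sent over plain http, which
    is why secure being false matters for an admin page that only takes http."""
    _, _, attrs = parse_set_cookie(header)
    return scheme == "https" or not attrs.get("secure", False)


# Constructed header values; the real flag cookie is not reproduced here.
INSECURE_COOKIE = "flag=REDACTED; Path=/; HttpOnly"
SECURE_COOKIE = "flag=REDACTED; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    app = MockOrderApp(random.randrange(NUM_BOXES))
    print("vulnerable box:", find_vulnerable_boxes(app))
    print("sent over http without Secure:", browser_would_send(INSECURE_COOKIE, "http"))
    print("sent over http with Secure:", browser_would_send(SECURE_COOKIE, "http"))
```

Running the script picks a random vulnerable index and shows that the probe loop recovers exactly that one box, then shows the same cookie being sent or withheld over http depending only on the Secure attribute.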