WaniCTF 2024 - Bad_Worker - Write-up
Welcome back
This is the write-up for Bad_Worker, a beginner Web challenge in WaniCTF 2024. In this challenge, we exploit the web worker to bypass URL validation to get the flag.
So let's get started.
The Challenge
This is a simple web page with three pages:
- Home
- Counter
- Fetch Data
And to make things simple, there is a Fetch FLAG.txt button. But if I click it, I get this.
This means the button is a diversion, or something stops me from getting the flag.
The Diligent Worker
After going through the HTML and JS code, I stumbled upon this.
The validation at line 41 stops me from getting the flag; whenever I call any URL containing FLAG.txt, the code at line 41 changes that to DUMMY.txt.
The Solution
The solution is simple: I need to make the API call and manually get the flag.
Final Thoughts
This is a simple challenge. We must understand the application flow, as everything we need is right before us.
