Web - Client
Web - Client : CSP Bypass - Inline code
Hi guys,
Well, after having a short break, I realized that more and more challenges are coming up, so I decided to do some work on Content-Security-Policies.
As I had seen the web page, I shook my head and confessed that it could be in safe hands, but the one property in CSP dismissed all the good hopes and I began to think about what is here the business. I started to figure out that nearly every JavaScript command could be executed and XSS is not strange there. But as we know the target is reading the web site's content. I will be directly here. If the bot has access upon the website on server-side, then I think it is better to fill up the form and send this payload (the bug) to server. The problem is the client side. There could be several things that can work. Every time when I get a response from the server I would be too late and the CSP is signaling to avoid the working of payloads. So I decided to make things without CSP. That was funny, but I do not think it is the only thing and further I redirected the content in an encoding to see what happens. It could work, too.
But the horrible problem is the bot, which should have something that we call an "id". I have still some ideas. I have even tried to make a search-engine-bot triggering itself over the page, no luck. What I do miss is what on earth is the bot doing there and how to trigger that with its name, maybe..
Thx for getting the world tumbling down,
turn your back to millions of them,
at the end there you will see,
you are the strongest in lightness of silence.
hope to hear... 😳
Web - Client : CSP Bypass - Inline code
Hi all,
I just managed to get an error, internal so on.. The one funny thing was guessing the name of the service-crawler automated. Try on, try on. I also rendered the content in some other type. Sniff, no luck.
But this error makes things less complicated. I do not know, you know... How to inject in that error. Internet shall be my friend.
thx for keeping things working, 😴
Web - Client : CSP Bypass - Inline code
Well,
I have some good news..
I get connection from server-side. The system is working. Connection has been established. Be aware of the encoding in your payload.
Better you test that, before sending it to hell..
For now,
I have some problems, how to get the inside of content, when I am resisting before the reading of flag should occur.
This is, like always, a matter of time..
Thx for being happy,
nothing else matters..
😛
Web - Client : CSP Bypass - Inline code
Ok,
it is done.
Finally, this one was a pretty challenge. Getting all the content depends maybe on a well-chosen tag.
Good job,
nice to kick the screen-saver,
for no fun and profit. 😎