A5:2021 | Security Misconfiguration (5) | Cycubix Docs
Assignment solution
The goal of the exercise is to list the root of the file system. If we first try a normal post, we see the following request:
The web page makes an XHR request that posts an XML message; after that, the comment is displayed in the comment section. Now let's change the request a bit, as shown in the previous section:
So instead of including a specific file, we reference the root of the filesystem with file:///. If we just copy and paste this into the comment text box, we get an error in the response body.
This is because the JavaScript takes the input and builds the following message:
Line 7 contains the input entered in the text box when the comment form is used.
To solve the lesson, you have to intercept the complete outgoing request and replace the entire body with the solution. See our lessons about intercepting HTTP traffic.
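The exercise only works because the server-side parser honours DTD entity declarations in the posted comment. As an added example (not WebGoat's or Cycubix's code; the `<comment><text>` element names and the sample bodies are constructed assumptions), here is how a comment endpoint can reject any DTD before parsing and keep external entity resolution switched off:

```python
import io
import re
import xml.sax
from xml.sax import handler

# A comment message never needs a DTD, so reject any declaration outright.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class CommentHandler(handler.ContentHandler):
    """Collect the character data of the <text> element (assumed element name)."""
    def __init__(self):
        super().__init__()
        self.in_text = False
        self.chunks = []
    def startElement(self, name, attrs):
        if name == "text":
            self.in_text = True
    def endElement(self, name):
        if name == "text":
            self.in_text = False
    def characters(self, content):
        if self.in_text:
            self.chunks.append(content)


def parse_comment(body: bytes) -> str:
    """Return the comment text; raise ValueError when the body carries a DTD."""
    if DTD_RE.search(body):
        raise ValueError("DTD or entity declarations are not accepted in comment bodies")
    parser = xml.sax.make_parser()
    # Defence in depth: even if a DTD slipped through, never resolve external entities.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    h = CommentHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(body))
    return "".join(h.chunks)


def is_rejected(body: bytes) -> bool:
    try:
        parse_comment(body)
        return False
    except ValueError:
        return True


# Constructed sample bodies: a normal comment and the lesson's file:/// reference.
BENIGN = b"<?xml version='1.0'?><comment><text>Nice write-up</text></comment>"
XXE = (b"<?xml version='1.0'?><!DOCTYPE comment [<!ENTITY xxe SYSTEM 'file:///'>]>"
       b"<comment><text>&xxe;</text></comment>")
```

In a Java service such as WebGoat the equivalent fix is to disable DTDs on the `DocumentBuilderFactory` with the `http://apache.org/xml/features/disallow-doctype-decl` feature, which is the setting this lesson's endpoint lacks.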