{"id":28477699,"url":"https://github.com/unknnownnn/vul-webapp","last_synced_at":"2026-01-31T04:31:11.375Z","repository":{"id":296211730,"uuid":"992510878","full_name":"Unknnownnn/Vul-WebApp","owner":"Unknnownnn","description":"A Vulnerable Webpage made for CYSCOM's Online CTF Event","archived":false,"fork":false,"pushed_at":"2025-09-21T11:26:38.000Z","size":3309,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-21T12:28:00.314Z","etag":null,"topics":["ctf","ctf-challenges","ctf-writeups","cybersecurity","flask","python","web-exploitation"],"latest_commit_sha":null,"homepage":"https://vul-webapp.onrender.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Unknnownnn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-29T09:18:07.000Z","updated_at":"2025-09-21T11:26:41.000Z","dependencies_parsed_at":"2025-06-14T12:24:41.868Z","dependency_job_id":"ba585c9a-1b5a-407a-a8e4-a440bd27ed44","html_url":"https://github.com/Unknnownnn/Vul-WebApp","commit_stats":null,"previous_names":["unknnownnn/vul-webapp"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Unknnownnn/Vul-WebApp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Unknnownnn%2FVul-WebApp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Unknnownnn%2FVul-WebApp/tags","releases_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/Unknnownnn%2FVul-WebApp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Unknnownnn%2FVul-WebApp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Unknnownnn","download_url":"https://codeload.github.com/Unknnownnn/Vul-WebApp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Unknnownnn%2FVul-WebApp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28929701,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-31T04:05:25.756Z","status":"ssl_error","status_checked_at":"2026-01-31T04:02:35.005Z","response_time":128,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","ctf-challenges","ctf-writeups","cybersecurity","flask","python","web-exploitation"],"created_at":"2025-06-07T17:08:29.034Z","updated_at":"2026-01-31T04:31:11.363Z","avatar_url":"https://github.com/Unknnownnn.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CYSCOM Vulnerable Web Application\n\n## Setup Instructions\n\n1. Create and activate a virtual environment:\n```bash\npython -m venv venv\nsource venv/bin/activate\n```\n\n2. Install dependencies:\n```\npip install -r requirements.txt\n```\n\n3. 
Run the application:\n```\npython app.py\n```\n\nThe application will be available at `http://localhost:5000`\n\n\u003chr/\u003e\n\n# CYSCOM JUICE SHOP WALKTHROUGH\n\n\u003cimg src=\"./imagedata/logo.png\"\u003e \n\nThe CYSCOM JUICE SHOP, like the OWASP Juice Shop, includes a broad spectrum of vulnerabilities, from simple input-based flaws to logic and design-level flaws. Understanding the rationale behind each exploit reinforces the importance of layered security, input validation, and robust authentication design.\nThis document provides a detailed analysis of each challenge presented in the CYSCOM Juice Shop Challenge. Each vulnerability is explained alongside its exploitation method and the flag retrieval steps.\n\n## TASK 1: MAIN FLAGS\n\n### Initial Login Page \u0026 SQL Injection\n\u003cimg src=\"./imagedata/Picture1.png\"\u003e \nThe login form is susceptible to SQL Injection, allowing attackers to bypass authentication without knowing valid credentials. This is because user input is placed into SQL queries without proper sanitization.\n\nExamples of payloads:\n```\nadmin' --\nadmin';--\nadmin' /*\n' UNION SELECT 1,2,3,1,'admin\n```\n\nEntering these in the username field, followed by any password, lets the user log in as admin.\n\n\u003e [!NOTE]\n\u003e OR-based injections are filtered, requiring alternative payloads.\n\n\u003cimg src=\"./imagedata/Picture2.png\"\u003e  \u003cimg src=\"./imagedata/Picture3.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture4.png\"\u003e \n\n\u003chr\u003e\n\n### Admin Panel Disclosure\n\nThe `/admin` endpoint, typically hidden, becomes accessible after logging in via SQL injection. This panel leaks the usernames and passwords of all registered users, indicating a \u003cb\u003eSensitive Data Exposure\u003c/b\u003e vulnerability.\n\n\u003cimg src=\"./imagedata/Picture5.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture6.png\"\u003e \n\n\u003cb\u003eFlag Retrieval:\u003c/b\u003e Visiting this hidden endpoint grants the user a flag. 
\n\n\u003cimg src=\"./imagedata/Picture7.png\" \u003e \n\nThe leaked credentials can be used to authenticate normally as the ‘admin’ user and retrieve the corresponding flag. \n\n\u003cimg src=\"./imagedata/Picture8.png\"\u003e \n\n\u003chr\u003e\n\n### Documentation Panel - Token Access\n\nThis panel is visible only after logging in as admin and lists some open endpoints that we can access.\n\n\u003cimg src=\"./imagedata/Picture9.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture10.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture11.png\"\u003e \n\nThis panel reveals hidden endpoints, accessible only via a Base64-encoded token in the format:\n\n```\nbase64(\"username:date\")\n```\n\nThis mechanism mimics an insecure form of token-based access control: anyone who knows the format can construct a valid token and reach these endpoints.\n\n\n\u003cb\u003eFlag Retrieval: \u003c/b\u003e Visiting the `/api/v1/internal/users` endpoint:\n\n\u003cimg src=\"./imagedata/Picture12.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture13.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture14.png\"\u003e \n\nVisiting `/api/v1/backup?token=` with a correctly formatted token (`admin:time`, Base64-encoded) leads to:\n\nEg: `https://vul-webapp.onrender.com/api/v1/backup?token=YWRtaW46MjEzCg==`\n\n\u003cimg src=\"./imagedata/Picture14.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture15.png\"\u003e \n\n\u003chr\u003e\n\n### IDOR (Insecure Direct Object Reference)\n\nUsers can add and view personal notes with a title and a body. Notes also support HTML formatting. 
By modifying the note ID in the URL (e.g., /note/2 to /note/1), we can access notes belonging to other users.\n\u003cb\u003eVulnerability Impact:\u003c/b\u003e Lack of access control on object references allows unauthorized data exposure.\n\n\u003cimg src=\"./imagedata/Picture16.png\"\u003e  to \u003cimg src=\"./imagedata/Picture17.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture18.png\"\u003e \n\n\u003chr\u003e\n\n### Cross Site Scripting (XSS)\n\nWhen HTML input fields are not sanitized, malicious scripts can be saved and later executed in the browsers of other users. This can compromise session tokens or redirect victims.\n\nSince the notes support HTML formatting, we can inject code into them using basic HTML script tags.\n\n\u003cimg src=\"./imagedata/Picture19.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture20.png\"\u003e \n\n\u003chr\u003e\n\n### Encoded Cross Site Scripting\n\nMost websites sanitize user input to prevent XSS by rejecting certain syntax or keywords. Such filters can be bypassed by encoding the payload's characters as decimal HTML entities (their ASCII code points) and injecting the XSS in that form. Browsers decode these before rendering, reactivating the payload.\n\nEg: `\u003cscript\u003e\u0026#97;\u0026#108;\u0026#101;\u0026#114;\u0026#116;(1)\u003c/script\u003e`\n\n\u003cimg src=\"./imagedata/Picture21.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture22.png\"\u003e \n\n\u003chr\u003e\n\n### Server-Side Template Injection (SSTI)\n\nUnsanitized input is sometimes passed into server-side template engines (like Jinja2). If the engine evaluates expressions in that input, attackers can run arbitrary code.\nFor example: \n```\n {{7*7}} =\u003e 49\n```\nThis can lead to full server compromise if RCE is possible.\n\nYou can inject template expressions into the file search option to reveal sensitive data. 
This happens when the user input is not sanitized.\n\n\u003cimg src=\"./imagedata/Picture23.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture24.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture25.png\"\u003e \n\n\u003chr\u003e\n\n### Advanced SSTI\nSSTI is not limited to a single field: the title of user notes is also injectable, which shows a lack of sanitization across the app and points to systemic weaknesses in input validation.\n\n\u003cimg src=\"./imagedata/Picture26.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture27.png\"\u003e \n\n\u003chr\u003e\n\n### Event-Based Cross Site Scripting\n\nEvent handlers like `onerror` are triggered by certain browser events. Injecting them into inputs can cause malicious execution without direct user interaction.\n\n\u003cimg src=\"./imagedata/Picture28.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture29.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture30.png\"\u003e \n\n\u003chr\u003e\n\n### Broken Authentication - Token Forgery\n\nThe application allows password resets via a token which is easily found on the `/admin` endpoint. Lack of proper token validation enables unauthorized access.\n\n\u003cimg src=\"./imagedata/Picture31.png\"\u003e \n\nWe need to build a token of the format:\n```\n username:date (eg: user:02, cabinet:21)\n```\nand Base64-encode it.\nWe can then use this token to reset the account's password.\nThis gives us the Broken Authentication flag.\n\n\u003cimg src=\"./imagedata/Picture32.png\"\u003e \n\n\u003cimg src=\"./imagedata/Picture33.png\"\u003e \n\nOnly a few accounts have the ability to reset their password; it does not work for every account.\n\n\u003chr\u003e\n\n### Lost User (OSINT Challenge)\n\nThis is an OSINT challenge that starts by logging in as the `cabinet` user. 
This user already has a note with the heading “remember the date” and a link to a webpage.\n\n\u003cimg src=\"./imagedata/Picture34.png\"\u003e \n\nIt also has another note stating that the official account `cyscom` is scheduled for deletion because its password was too easy to guess (a date).\n\nOn clicking the link to the webpage, we can scroll down to find a timeline of events.\n\n\u003cimg src=\"./imagedata/Picture35.png\"\u003e \n\nTrying the date 15012022 (15 January 2022) as the password for the `cyscom` user, we get access to the account that is to be removed. \n\n\u003cimg src=\"./imagedata/Picture36.png\"\u003e \n\nClicking the `view Flags` button, we are given the Lost User flag.\n\n\u003cimg src=\"./imagedata/Picture37.png\"\u003e \n\n\u003chr\u003e\n\n### Type Juggling (PHP)\n\nType juggling (or type casting) refers to PHP's implicit type conversion. Since PHP does not require explicit type declarations, a variable ‘a’ can hold a string and later be assigned an int, and loose comparisons convert operands between types automatically. \n```\n '0e12345' == '0e54321' // true in PHP\n```\n\nIf a hash string begins with `0e` and contains only digits after it, PHP's loose comparison (`==`) treats it as a float in scientific notation, which evaluates to zero. Any two such hashes therefore compare equal, regardless of the digits that follow.\nThis can be used to bypass authentication in vulnerable PHP programs. 
We can emulate this in our webpage by sending a POST request as:\n```\ncurl -X POST \"https://SERVER_IP/api/v1/verify_backup\" -H \"Content-Type: application/json\" -H \"Cookie: session=YOUR_SESSION_COOKIE\" -d \"{\\\"id\\\":123,\\\"hash\\\":\\\"0e123456789\\\"}\"\n```\n\n\u003cimg src=\"./imagedata/Picture38.png\"\u003e \n\nThis sends the following JSON body:\n```\n{\n \"id\": 123,\n \"hash\": \"0e123456789\"\n}\n```\nto the `/api/v1/verify_backup` endpoint, which bypasses the authentication check with a hash starting with `0e`.\n\n\u003e [!NOTE]\n\u003e In the above request, replace SERVER\\_IP with the website IP address \u0026 YOUR\\_SESSION\\_COOKIE with your session token. This can be found using inspect element. In Firefox, it can be found at:\n\u003e \u003cimg src=\"./imagedata/Picture39.png\"\u003e \n\n\u003chr\u003e\n\n### Prototype Pollution (JavaScript)\n\nPrototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which might be inherited by user-defined objects. This vulnerability lets an attacker control properties of objects that would otherwise be inaccessible. \nJavaScript objects inherit from `Object.prototype`. Injecting into `__proto__` alters inherited properties application-wide, potentially bypassing logic or introducing backdoors.\n\nTo emulate this, we can send a curl request to the server using this data:\n```\n{\n \"__proto__\": {\n \"polluted\": true\n }\n}\n```\nExample command:\n```\ncurl -X POST \"https://SERVER_IP/api/v1/user/preferences\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Cookie: session=YOUR_SESSION_COOKIE\" \\\n  -d \"{\\\"normal_key\\\": \\\"normal_value\\\", \\\"__proto__\\\": {\\\"polluted\\\": true}}\"\n```\n\n\u003cimg src=\"./imagedata/Picture40.png\"\u003e \n\n\u003e [!NOTE]\n\u003e In the above request, replace SERVER\\_IP with the website IP address \u0026 YOUR\\_SESSION\\_COOKIE with your session token. 
This can be found using inspect element.\n\n\u003chr\u003e\n\n## TASK 2: BONUS FLAGS\n\n### Image Steganography\nData is hidden within image files using LSB or metadata techniques. Tools like zsteg extract such hidden data.\nLogging in as the user `Unknown` gives us an image in the notes.\n\n\u003cimg src=\"./imagedata/Picture41.png\"\u003e \n\nWe can download this image and run steganography extraction tools on it, such as steghide or zsteg.\n\n\u003cimg src=\"./imagedata/Picture42.png\"\u003e \n\nUsing `zsteg`, we can see the flag hidden in the image.\n\n\u003chr\u003e\n\n### Audio Steganography\nLogging in as the user `user`, we can see that this user has a .wav file as a note. Downloading it and running it through a spectrogram generator gives us the flag.\n\n\u003cimg src=\"./imagedata/Picture43.png\"\u003e \n\n\u003chr\u003e\n\n### Hidden in plain sight\nA flag is shown in plain sight on the documentation page of the webpage as the DEBUG\\_KEY. \n\n\u003cimg src=\"./imagedata/Picture44.png\"\u003e \n\n\u003chr\u003e\n\n### Discussions Tab\n\u003cimg src=\"./imagedata/Picture45.png\"\u003e \n\nTaking the first letter of each comment, from the 2nd to the 3rd-last, spells CYSM, our flag format. The 2nd-last comment gives us the full flag `CYSM{dafweyif29ybvf23d}`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funknnownnn%2Fvul-webapp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funknnownnn%2Fvul-webapp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funknnownnn%2Fvul-webapp/lists"}