Encrypted Pastebin | Method Manipulation, Padding Oracle, and Input Validation Flaws
Hello everyone, today I would like to share my insights on hard level challenge called Encrypted Pastebin from Hacker101 platform.
First Flag
Manipulating HTTP requests is sometimes beneficial especially when we do not detect anything on the web application surface. For the first solution, you can either use browser or Burpsuite.
Except the encryption algorithm information, there was not anything like Sensitive Data Exposure, IDOR and so on… That's why, I directly analyzed the HTTP requests instead of regular vulnerabilities.
It was interesting to see such an huge POST variable content in terms of its length. Instead of variable’s content it seems like HASH or Encryption mechanism.
Let’s check:
I initially send request with the title yilmaz and textarea as atilla.
It might not be seem clearly ,so I also added it as code part:
r9ZPjaTLJcw4Qv6mxb-6CRHRWOD8fTpCFrkBgR9j4c2L5n83CyI-dkTLPa8gFwCWedquvOIggDLWg8UIG48AaAzIYwYVW7UDKIP0VfCz4sLsQVhgigpoL9zW1JLVNp2bhnUG-hzRLy!ZHvtN5ooBTMcGjKGV!TbZkSu26WOkpOOqWENzJKpB2i-8DX5fQTNFhNTnR8evPZ4q1i5HUTsV7g~~
