webPromedium

YOFA 2.0

bug-makers

Task: Node.js/Express password manager with JWT auth, admin bot (Puppeteer), and CSRF protection. Vulnerability is client-side parameter pollution where duplicate query params are parsed differently by server (parseInt on array) vs client (last value from getAll). Solution: craft URL with two id params — first passes server auth, second causes client-side fetch to traverse path to /admin/addAdmin, promoting attacker's user to admin via the bot's session.

$ ls tags/ techniques/

ssrf path_traversal jwt nodejs ejs postgresql express privilege_escalation csrf admin_bot puppeteer client_side_parameter_pollution

client_side_parameter_pollution_via_duplicate_query_paramsrelative_path_traversal_in_fetchadmin_bot_csrf_exploitationjwt_role_escalation_via_reloginparseint_array_coercion

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]YOFA 1.0— bug-makers
[web][free]SSOS— hackthebox
[web][Pro]Object Master— hackerlab
[web][Pro]SecretKeeper— hackerlab
[web][Pro]Personal Blog— uoftctf2026