dont-use-client-side

"dont-use-client-side" Challenge README

Challenge Description

The "dont-use-client-side" challenge is a web-based challenge that requires the user to break into a secure portal by finding the correct password. The web page contains a form that prompts the user to enter a password and click on a button to verify the password. The password verification logic is implemented in a client-side JavaScript function that runs in the user's browser.

Hint

never trust the client.

Challenge Goals

The main goal of this challenge is to demonstrate the dangers of client-side password verification and highlight the importance of server-side password verification. The challenge aims to educate users about the risks of relying on client-side verification for secure password handling.

Challenge Instructions

Open the challenge website in a web browser. Enter a password and click on the "Verify Password" button. If the entered password is correct, an alert will be displayed saying "Password Verified". Challenge Solution The JavaScript function that verifies the password is flawed and insecure, and can be easily bypassed. The function checks the password entered by the user by comparing substrings of the password to hardcoded values. An attacker can easily extract these hardcoded values from the JavaScript code using the browser's developer tools and construct the correct password.

The correct password = flag is constructed by concatenating the substrings in the correct order, which are:

"pico"

"CTF{"

"lien"

"ts_p"

"lz_7"

"no_c"

"723c"

"e}"

The flag: picoCTF{no_clients_plz_7723ce}

And we broke this super secure portal! 😄

Conclusion

In real-world scenarios, client-side password verification is a bad practice and should be avoided. Passwords should be verified on the server-side using a secure and robust password verification mechanism. The "dont-use-client-side" challenge is a valuable learning tool for users to understand the risks and limitations of client-side password verification.