Tags: web 

Computeration (web, 14 solves, 333 points)

Can you get admin's note? I heard the website runs only on client-side so should be secure...

https://computeration.web.jctf.pro/

If you find anything interesting give me call here: https://computeration.web.jctf.pro/report

The flag is in the format: justCTF{[a-z_]+}.

Happy hacking!!

Unintended solution

It was supposed to be a hard challenge, but the original challenge had an unintended (but not unthought of) vulnerability that led to a trivial solution and hence revealed a huge hint towards the intended solution. It was solved by 103 teams. The vulnerability was caused by a typo I made in the response headers, which was:

Referrer-policy: no-referer

Can you spot the typo? I typed no-referer instead of no-referrer. Browsers ignore an unrecognized Referrer-Policy value, so the page fell back to the browser default of the time, no-referrer-when-downgrade, which sends the full URL on an HTTPS-to-HTTPS request, the same behaviour as unsafe-url in this setting. Because of that, any URL submitted through the report form leaked the secret endpoint of the admin's "login page" in the Referer header :face_palm:.
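To make the failure mode concrete, here is an added example (not code from the challenge or the original writeup) that models how a browser parses the Referrer-Policy header and which Referer value it then sends. The URLs, the secret token, and the assumed browser default policy are constructed for illustration; the parsing and referrer-computation rules follow the W3C Referrer Policy specification.

```javascript
// Added example, not part of the challenge or the writeup.
// Models the browser side: how a Referrer-Policy header is parsed and what
// Referer header results, to show why the typo "no-referer" leaks the full URL.
// Rules follow https://w3c.github.io/webappsec-referrer-policy/

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Assumption: the fallback used when no valid policy was delivered.
// At the time of justCTF 2020 this was no-referrer-when-downgrade;
// current browsers default to strict-origin-when-cross-origin.
const DEFAULT_POLICY = "no-referrer-when-downgrade";

// Spec: split the header on commas, keep the last token that is a known
// policy name, and silently ignore everything else, typos included.
function parseReferrerPolicyHeader(headerValue) {
  let policy = "";
  for (const raw of headerValue.split(",")) {
    const token = raw.trim().toLowerCase();
    if (POLICIES.has(token)) policy = token;
  }
  return policy; // "" means "no policy delivered": the browser default applies
}

// Strip credentials and fragment, as the spec does before sending a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

// Referer value the browser attaches to a request from `from` to `to`
// under `policy`; null means no Referer header is sent at all.
function refererFor(policy, from, to) {
  const effective = policy || DEFAULT_POLICY;
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  const origin = new URL(from).origin + "/";
  const full = stripForReferrer(from);
  switch (effective) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin": return isDowngrade(from, to) ? null : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return isDowngrade(from, to) ? null : origin;
    case "no-referrer-when-downgrade":
      return isDowngrade(from, to) ? null : full;
    default: throw new Error("unknown policy " + effective);
  }
}

// Constructed URLs: a secret admin page and an attacker-controlled collector
// reached through a link the admin bot follows.
const ADMIN_PAGE = "https://example.org/admin/login?token=SECRET";
const ATTACKER = "https://attacker.example/collect";

// Compare the misspelled header with the corrected one.
function demo() {
  return {
    typo: refererFor(parseReferrerPolicyHeader("no-referer"), ADMIN_PAGE, ATTACKER),
    fixed: refererFor(parseReferrerPolicyHeader("no-referrer"), ADMIN_PAGE, ATTACKER),
  };
}

console.log(demo());
```

With the typo the collector receives the full admin URL, including the query string; with the correct token no Referer is sent. The same parser also shows why `Referrer-Policy: unsafe-url, no-referrer` ends up as no-referrer: the last valid token wins.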

By opening the URL captured from the Referer header one can see:

Indeed, the flag was justCTF{cross_origin_timing_lol}

Original writeup (https://hackmd.io/@terjanq/justCTF2020-writeups#Computeration-web-14-solves-333-points).