Flaglang [LA CTF 2024]
Challenge Description
Do you speak the language of the flags?
Intuition
The website has two dropdowns where I can choose two countries and see how they say “Hello world”. The list also contains another country, Flagistan, but if I try to select it, the website returns an error. In short, I need access to the Flagistan language.
Solution
The solution is really simple: I capture the request using Burp and notice that a cookie is set using the ISO code of the country. I can change the value of the cookie to FL for Flagistan (I know this ISO code from looking in the source code) and I get access to the Flagistan page. It is an insecure token vulnerability: the server trusts a cookie value that the client can edit.
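The following is an added example, not code from the challenge or from the original writeup: it contrasts a handler that trusts the ISO code in the cookie with one that binds the cookie to an HMAC tag and re-checks the restriction on the server. The greetings table, the key handling and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: greetings and the restricted set are illustrative.
GREETINGS = {"IT": "Ciao mondo", "NO": "Hei verden", "FL": "<restricted content>"}
RESTRICTED = {"FL"}                   # codes no visitor may select
SECRET_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the client


def view_vulnerable(cookie_value):
    """Weak pattern: serves whatever ISO code the client put in the cookie."""
    return GREETINGS.get(cookie_value, "unknown country")


def _tag(iso):
    """HMAC-SHA256 over the ISO code, hex encoded."""
    return hmac.new(SECRET_KEY, iso.encode(), hashlib.sha256).hexdigest()


def issue_cookie(iso):
    """Issue a cookie only for selectable countries, with an integrity tag."""
    if iso not in GREETINGS or iso in RESTRICTED:
        raise PermissionError("country not selectable")
    return f"{iso}.{_tag(iso)}"


def view_hardened(cookie_value):
    """Verify the tag first, then enforce the restriction server-side."""
    iso, _, tag = cookie_value.partition(".")
    # Constant-time comparison on bytes; a missing or copied tag fails here.
    if not hmac.compare_digest(tag.encode(), _tag(iso).encode()):
        return "rejected: cookie was modified"
    # Defence in depth: the decision never rests on the cookie alone.
    if iso in RESTRICTED:
        return "rejected: access denied"
    return GREETINGS.get(iso, "unknown country")
```

The tag alone only proves the cookie was issued by the server; the separate `RESTRICTED` check is what keeps a validly signed value from granting access it should not.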
Flag
lactf{n0rw3g7an_y4m7_f4ns_7n_sh4mbl3s}