🦙🐻🐈️🐕️🐘
Beginner Hint: Client-Side Challenge (AI-translated)
- Client-side challenges target vulnerabilities caused by processing that runs in a web browser, such as JavaScript, the DOM, and CSS.
- In this type of challenge, you are given not only the web application instance but also another instance called the Admin Bot.
- The Admin Bot holds secrets such as the flag and automatically executes client-side behavior using a browser like Headless Chrome.
- Client-side behavior includes actions such as visiting pages and submitting forms.
- The goal of a client-side challenge is to exploit vulnerabilities in this browser-side behavior and steal secrets held by the client.
- In this challenge, the Admin Bot sets the flag in a cookie and can visit an arbitrary page.
- Another common stumbling point is the URL format you pass to the Admin Bot.
- The Admin Bot uses animal-viewer as the cookie domain, and due to how Docker Compose networking works, it can access the web application at http://animal-viewer:3000.
- Therefore, the URL you submit to the Admin Bot must be http://animal-viewer:3000, which matches the cookie domain, rather than the IP address shown in the challenge statement.
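As an added example (not code from this hint or from the challenge itself), the following models the RFC 6265 domain and path matching rule that decides whether the Admin Bot's browser attaches its flag cookie to the URL you submit; the cookie object is a constructed stand-in and the IP addresses in the comments are placeholders.

```javascript
// Simplified model of the browser's cookie-scoping decision (RFC 6265).
// It explains why a cookie scoped to Domain=animal-viewer is sent to
// http://animal-viewer:3000 but never to the instance's IP address.

// RFC 6265 section 5.1.3: the request host domain-matches the cookie domain
// when they are equal, or when the host ends with "." + domain and the host
// is not an IP address literal.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  if (!host.endsWith("." + cookieDomain)) return false;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4; // an IP literal never matches as a subdomain
}

// RFC 6265 section 5.1.4: path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would the bot's browser send `cookie` when it visits `url`?
// The port is deliberately ignored: cookies are not port-scoped (RFC 6265 section 8.5).
function cookieSentTo(url, cookie) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  if (!domainMatches(u.hostname, cookie.domain)) return false;
  return pathMatches(u.pathname, cookie.path || "/");
}

// Constructed stand-in for the Admin Bot's flag cookie; the value is a placeholder.
const FLAG_COOKIE = {
  name: "flag",
  value: "FLAG{placeholder}",
  domain: "animal-viewer",
  path: "/",
  secure: false,
};

// Returns true only for URLs on which the bot would actually carry the flag cookie.
function flagCookieReaches(url) {
  return cookieSentTo(url, FLAG_COOKIE);
}

// flagCookieReaches("http://animal-viewer:3000/")   -> true
// flagCookieReaches("http://203.0.113.10:3000/")    -> false (IP from the statement)
```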