In level 14, we see a more traditional username & password form. Let’s check the source code to see if there are holes we can slip through.
Server-side security war games: Part 14
Server-side security war games: Part 13
This is level 13. Looks like they claim to only accept image files, in order to close the flaw we used previously. I bet we can get around that restriction just like we did when they disallowed certain characters in the search term. Let’s examine the code.
Here’s the new part of the code:
```php
if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
    echo "File is not an image";
}
```
Server-side security war games: Part 12
In level 12, we’re given a file upload form. Let’s take a look at the code that processes input.
Server-side security war games: Part 4
We got an “access disallowed” error because we were visiting from “”, while authorized users should come from “natas5.blah”. Try the “Refresh page” link. Now the page says we came from “natas4.blah”. This is referring to the Referer [[sic](https://en.wikipedia.org/wiki/Referer#Origin_of_the_term_referer)] header. But that’s information provided by the client, and we control the client. We can put whatever we want in that header. So, let’s put the natas5 domain, as they kindly suggested.
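Why a Referer check cannot serve as access control, shown as an added example (not the level's actual source): a header-based check beside one based on state the server stored itself. The function names, the `authenticated_level` session key, and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example. Function names, the session key and the sample
// requests below are constructed, not taken from the level's code.

// Weak: the decision rests on a request header the client fills in.
function allowed_by_referer(array $server, string $expected): bool
{
    return isset($server['HTTP_REFERER'])
        && $server['HTTP_REFERER'] === $expected;
}

// Stronger: the decision rests on a value the server wrote into its
// own session store after it authenticated the user.
function allowed_by_session(array $session, int $requiredLevel): bool
{
    return ($session['authenticated_level'] ?? 0) >= $requiredLevel;
}

// Constructed URL; the page only gives the host as "natas5.blah".
$expected = 'http://natas5.blah/';

// Each entry: [request headers as PHP exposes them, server-side session].
$requests = [
    'no Referer, no session'       => [[], []],
    'client-set Referer, no login' => [['HTTP_REFERER' => $expected], []],
    'no Referer, logged-in user'   => [[], ['authenticated_level' => 5]],
];

foreach ($requests as $label => [$server, $session]) {
    printf(
        "%-30s referer check: %-5s  session check: %s\n",
        $label,
        var_export(allowed_by_referer($server, $expected), true),
        var_export(allowed_by_session($session, 5), true)
    );
}
```

The second request passes the Referer check without any login, while the session check only passes for the request whose state the server created.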