SShortSingh.
Back to feed

BroncoCTF 'Lovely Login' Challenge Solved via robots.txt Leak, Not Injection

0
·1 views

A Capture The Flag web challenge called 'Lovely Login' featured a login form backed by an Express API that appeared vulnerable to NoSQL operator injection, but server-side type-checking blocked all such attempts. The real vulnerability was discovered through standard web reconnaissance: the site's robots.txt file contained a disallowed path pointing to an internal documentation page at /security, along with a base64-encoded string that decoded to a list of valid usernames. The /security page revealed that user passwords were simply the reverse of their usernames — a predictable, non-random derivation scheme. Combining the decoded username list with this logic immediately produced valid credentials for the admin account. The root cause was twofold: sensitive internal notes were left publicly accessible in production, and robots.txt was mistakenly relied upon as an access control mechanism rather than a mere crawler directive.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Cisco EEM: The On-Box Automation Engine Most Network Engineers Ignore

Embedded Event Manager (EEM) is an event-driven automation framework built into Cisco IOS, IOS-XE, and NX-OS that allows network devices to monitor and respond to events without any external server or orchestration platform. The framework operates on a simple model: when a defined event occurs, the device automatically executes one or more configured actions, packaged together as an 'applet.' EEM can respond to a wide range of triggers including syslog patterns, SNMP threshold breaches, CLI commands, timers, and interface counter changes. Its key advantage over external automation tools is independence — it continues to function even when the WAN is down, the network management system is offline, or remote access is unavailable. This article is the first in a five-part series aimed at helping network engineers move beyond basic port-recovery use cases and unlock the broader capabilities of on-box automation.

0
ProgrammingDEV Community ·

Fan Builds GeoGuessr-Style Browser Game for Super Mario Odyssey

A developer has created OdysseyGuessr, a browser-based game inspired by GeoGuessr that tests players' memory of Super Mario Odyssey's in-game worlds. Players are shown a screenshot from one of the game's Kingdoms and must pin the correct location on a map, with precision determining the score. The game supports both single-player modes with customizable rounds and real-time multiplayer featuring a 5,000 HP battle system. Community members can submit locations, which are reviewed through built-in admin moderation tools. OdysseyGuessr is an unofficial fan project with no affiliation to Nintendo and is currently available to play in the browser.

0
ProgrammingDEV Community ·

Developer Builds Real-Time Solana-Snowflake Pipeline to Score World Cup Fan Conviction

A developer created FERVOR, a real-time conviction oracle that tracks World Cup fandom by analyzing on-chain wallet behavior across 16 country tokens on Solana. The system ingests live swap and transfer data via Helius, processes it through a six-stage pipeline using Snowflake Dynamic Tables and Cortex ML, and writes computed scores back to a Solana devnet oracle account every five minutes. Conviction is measured by metrics such as how long wallets hold a team's token, with Argentina currently leading at an average hold time of 109 days. The project was built as a Weekend Hackathon submission targeting best use of both Snowflake and Solana, demonstrating a bidirectional data loop between the two platforms. A live Streamlit-in-Snowflake dashboard surfaces analytics including anomaly detection, forecasts, and AI-generated briefs without requiring external hosting.

0
ProgrammingDEV Community ·

C++ STL Explained: Containers, Algorithms, and Iterators for DSA Learners

The C++ Standard Template Library (STL) is a built-in collection of tools that helps developers avoid writing common data structures and algorithms from scratch. It is built around three core components: containers that store data, algorithms that perform operations like sorting and searching, and iterators that traverse container elements. Popular containers include vectors, maps, stacks, and priority queues, while built-in algorithms cover sorting, reversing, and binary search with a single function call. STL implementations are highly optimized, making code faster and more concise, which is especially valuable in competitive programming and technical interviews. Developers recommend learning STL early, as it reflects how experienced C++ programmers actually write production-level code.

BroncoCTF 'Lovely Login' Challenge Solved via robots.txt Leak, Not Injection · ShortSingh