This lab draws inspiration from Brett Buerhaus, also known as Ziot (Twitter/X: @bbuerhaus). Brett stumbled upon a web application during a bug bounty program, where the frontend JavaScript was responsible for generating signatures, ostensibly to craft "secure" requests to the application's API.

For a detailed account of Brett's findings, check out his blog entry:

https://buer.haus/2024/01/16/reversing-and-tooling-a-signed-request-hash-in-obfuscated-javascript/

Your challenge is to delve into the JavaScript code, leveraging your skills to forge your own signed requests. The ultimate goal is to uncover the contents associated with article ID 3. Be aware that this endeavor will necessitate exploiting a secondary vulnerability within the application.

Released 16th Jan 2024, created by ziot, NahamSec and BuildHackSecure