search
HomePlaygroundOSCPBuy Me a Flag 🚩

X marks the spot (250)

Blind XPath injection

hashtag
Problem

Another login you have to bypass. Maybe you can find an injection that works?

http://mercury.picoctf.net:16521/mercury.picoctf.netchevron-right

hashtag
Solution

I've turned this into a Medium article! Read the solution here:

Blind XPath Injections: The Path Less Travelledarrow-up-right

hashtag
References

  1. https://owasp.org/www-community/attacks/XPATH_Injectionarrow-up-right

  2. https://book.hacktricks.xyz/pentesting-web/xpath-injectionarrow-up-right

PreviousStartup Company (180)NextWeb Gauntlet (170 + 300)

Last updated