https://john-jkar.github.io/myblog/tags/url-parsing/Recent content in Url-Parsing on 4mN3s14 | CTF Player & StudentHugoen-usSun, 15 Feb 2026 08:00:00 +0000https://john-jkar.github.io/myblog/posts/you-are-being-redirected/Sun, 15 Feb 2026 08:00:00 +0000https://john-jkar.github.io/myblog/posts/you-are-being-redirected/<h2 id="you-are-being-redirected--daily-aplacahack-writeup">You Are Being Redirected – Daily Aplacahack Writeup</h2> <p><strong>Category:</strong> Web (Client-Side)<br> <strong>Goal:</strong> Exfiltrate the admin’s flag cookie using the redirect functionality.</p> <hr> <h3 id="overview">Overview</h3> <p>This challenge involves exploiting a client-side open redirect vulnerability in combination with an admin bot that visits user-supplied paths. The objective is to execute JavaScript in the context of the challenge origin and exfiltrate the administrator’s cookie containing the flag.</p> <h3 id="vulnerability">Vulnerability</h3> <p>The <code>/redirect?to=</code> endpoint attempts to block <code>javascript:</code> URLs using a string check such as:</p>