Introduction

In this video walk-through, we covered conducting a security review of a web application using nothing but the browser's developer tools.

In this room you will learn how to manually review a web application for security issues using only the built-in tools in your browser. Automated scanners and scripts often miss vulnerabilities and useful information that a manual read of the page source, the DOM and the network traffic would catch.

Here is a short breakdown of the built-in browser tools you will use throughout this room:

  • View Source – Use your browser to view the human-readable source code of a website, including comments and links that are not rendered.
  • Inspector – Inspect page elements and edit the live DOM and CSS to view content that is normally hidden.
  • Debugger – Inspect and control the flow of a page's JavaScript with breakpoints.
  • Network – See all the network requests a page makes, including the data submitted by forms.


Exploring the Website

The web application in question is Acme RTSupport. The walkthrough emphasizes first mapping the site's interactive components: forms, buttons, and paywalls (sections of the page hidden from non-premium users), since each of these is a place where client-side controls may be doing the security work that the server should be doing.

The tester first reviews the page source by right-clicking and selecting "View Page Source", looking for developer comments or other information left in the HTML. Comments in the page source reveal useful information, such as an alternative homepage (new-home.html) and the version of the framework used to build the site; a framework version is worth noting because it can be checked against the framework's own release notes for known issues.

Finding Hidden Flags

By visiting the new homepage (new-home.html), the tester discovers a flag. Another flag is found by following a hidden link (/secret) that is mentioned in the page source but not rendered on the page. The tester also finds a flag by requesting a directory that the server lists instead of serving an index page (/assets/), which reveals a file named flag.txt. Directory listing is a misconfiguration in its own right: any file placed in that directory becomes discoverable without a link to it.
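The review of the page source described in the two sections above can be partly automated. The script below is an added example and is not code from the room or the video; it pulls out HTML comments, filenames mentioned inside them, every href and src (including ones inside commented-out markup), and the parent directories of same-origin paths as candidates for a directory-listing check. The sample page source is constructed to resemble the findings the walkthrough lists (new-home.html, /secret, /assets/); the function names are hypothetical.

```javascript
// Added example: a page-source review helper. Not the room's code or the video's.
// Run with: node source-review.js
// SAMPLE_HTML is constructed for this example; the paths mirror the walkthrough.
const SAMPLE_HTML = `<!DOCTYPE html>
<html>
<head><title>Acme RTSupport</title>
<script src="/assets/js/flash.js"></script>
<link rel="stylesheet" href="/assets/css/style.css">
</head>
<body>
<!-- This page is temporary while new-home.html is being tested -->
<a href="/news">News</a>
<a href="/contact">Contact</a>
<!-- <a href="/secret">staff only</a> -->
<div class="paywall-overlay" style="display: block;"></div>
<p>Built with <a href="https://example.test/framework/releases">Example Framework v1.3</a></p>
</body></html>`;

// Every <!-- ... --> block, trimmed. Developers leave paths and notes here.
function extractComments(html) {
  const re = /<!--([\s\S]*?)-->/g;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1].trim());
  return out;
}

// All values of one attribute (href, src, ...). Deliberately scans the raw text,
// not the parsed DOM, so links inside commented-out markup are included.
function extractAttr(html, attr) {
  const re = new RegExp(`\\b${attr}\\s*=\\s*["']([^"']+)["']`, 'gi');
  const out = new Set();
  let m;
  while ((m = re.exec(html)) !== null) out.add(m[1]);
  return [...out];
}

// /assets/js/flash.js -> /assets/ and /assets/js/: request each one and see
// whether the server returns a listing instead of an index page.
function candidateDirectories(paths) {
  const dirs = new Set();
  for (const p of paths) {
    if (!p.startsWith('/')) continue; // same-origin paths only
    const parts = p.split('/').slice(1, -1);
    for (let i = 1; i <= parts.length; i++) dirs.add('/' + parts.slice(0, i).join('/') + '/');
  }
  return [...dirs].sort();
}

function reviewSource(html) {
  const comments = extractComments(html);
  const hrefs = extractAttr(html, 'href');
  const srcs = extractAttr(html, 'src');
  // Filenames mentioned in comments are often pages that are live but unlinked.
  const filenames = comments.flatMap(c => c.match(/[\w.-]+\.(?:html?|php|txt|js|bak|zip)/g) || []);
  const all = [...hrefs, ...srcs];
  const localPaths = all.filter(u => u.startsWith('/'));
  const externalLinks = all.filter(u => /^https?:/i.test(u)); // framework/version leads
  return {
    comments,
    filenamesInComments: [...new Set(filenames)],
    localPaths,
    externalLinks,
    directories: candidateDirectories(localPaths),
  };
}

console.log(JSON.stringify(reviewSource(SAMPLE_HTML), null, 2));
```

Paste the functions into the browser console and call `reviewSource(document.documentElement.outerHTML)` to run them against the live page; note that the live DOM no longer contains commented-out markup in the same form, so for comments the raw response body from View Source (or the Network tab) is the better input.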

Using the Inspector Tool

The Inspector tool allows the tester to examine the HTML structure and modify the page dynamically. The video demonstrates how to bypass the paywall: the premium content is already present in the HTML and is only covered by an overlay element, so changing that element's CSS from display: block; to display: none; removes the overlay and reveals the hidden content, including a flag. The security point is that the paywall is enforced purely on the client; anything the server sends to the browser can be read regardless of how it is styled.

Using the Debugger Tool

The Debugger tool is used to pause the execution of the page's JavaScript at specific points using breakpoints. In the walkthrough, a red box flashes on the page for a fraction of a second before a script removes it, too fast to read. The tester opens the script in the Debugger, sets a breakpoint on the line that removes the element, and reloads the page. Execution pauses just before the removal, leaving the red box on screen long enough to read the hidden flag inside it.

Using the Network Tool

The Network tab is used to monitor and analyze all requests made between the browser and the server. The tester uses it to observe the request sent when the contact form is submitted (the contact-msg request) and how the form data is transmitted. In real-world testing this is where you see the exact method, path, headers and body the application uses, which can reveal sensitive data in transit, undocumented endpoints, or responses that disclose more than the page renders.
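A console companion to the Network tab, as an added example that is not code from the room or the video: it wraps fetch() and XMLHttpRequest so every request the page makes, including a form submission, is logged with its method, URL, headers and decoded body. The function names (installRequestLogger, describeBody) and the stand-in window object used so the snippet runs under Node are assumptions for this example; the contact-msg path comes from the room.

```javascript
// Added example: log every fetch()/XMLHttpRequest a page makes. Not the room's code.
// In a browser: paste the two functions, then run installRequestLogger(window, console.log).
// Under Node: node request-logger.js (uses the constructed fakeWindow below).

// Decode the common request-body types into something readable.
function describeBody(body) {
  if (body == null) return null;
  if (typeof body === 'string') {
    try { return JSON.parse(body); } catch (_) { /* not JSON, fall through */ }
    return Object.fromEntries(new URLSearchParams(body)); // x-www-form-urlencoded
  }
  if (typeof URLSearchParams !== 'undefined' && body instanceof URLSearchParams) return Object.fromEntries(body);
  if (typeof FormData !== 'undefined' && body instanceof FormData) return Object.fromEntries(body);
  return String(body);
}

// Hooks target.fetch and target.XMLHttpRequest.prototype in place and returns a
// live array of everything captured. Original behaviour is preserved: each hook
// records the request, then forwards to the original implementation.
function installRequestLogger(target, log) {
  const entries = [];
  const record = (entry) => { entries.push(entry); log(entry); };

  if (typeof target.fetch === 'function') {
    const origFetch = target.fetch;
    target.fetch = function (input, init = {}) {
      const url = typeof input === 'string' ? input : input.url;
      record({ api: 'fetch', method: (init.method || 'GET').toUpperCase(), url,
               headers: init.headers || {}, body: describeBody(init.body) });
      return origFetch.call(this, input, init);
    };
  }

  if (target.XMLHttpRequest) {
    const proto = target.XMLHttpRequest.prototype;
    const origOpen = proto.open, origSend = proto.send, origSetHeader = proto.setRequestHeader;
    proto.open = function (method, url, ...rest) {
      this.__req = { api: 'xhr', method: String(method).toUpperCase(), url, headers: {} };
      return origOpen.call(this, method, url, ...rest);
    };
    if (origSetHeader) {
      proto.setRequestHeader = function (name, value) {
        if (this.__req) this.__req.headers[name] = value;
        return origSetHeader.call(this, name, value);
      };
    }
    proto.send = function (body) {
      if (this.__req) record({ ...this.__req, body: describeBody(body) });
      return origSend.call(this, body);
    };
  }
  return entries;
}

// Constructed stand-in for window so the snippet runs offline under Node.
class FakeXHR {
  open() {}
  setRequestHeader() {}
  send() { this.sent = true; }
}
const fakeWindow = {
  fetch: () => Promise.resolve({ ok: true }),
  XMLHttpRequest: FakeXHR,
};

const captured = installRequestLogger(fakeWindow, (e) => console.log(JSON.stringify(e)));

// Simulate the contact form being submitted two ways (constructed data).
fakeWindow.fetch('/contact-msg', {
  method: 'POST',
  body: 'name=alice&email=a%40example.test&message=hello',
});
const xhr = new fakeWindow.XMLHttpRequest();
xhr.open('POST', '/contact-msg');
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({ name: 'bob', message: 'hi' }));
```

The hooks only see requests made after they are installed, so install them before interacting with the form; requests made by a full page navigation (a classic non-JavaScript form POST) do not pass through fetch or XHR and are only visible in the Network tab itself.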

TryHackMe Walking an Application | Room Answers

  • What is the flag from the HTML comment?
  • What is the flag from the secret link?
  • What is the directory listing flag?
  • What is the framework flag?
  • What is the flag behind the paywall?
  • What is the flag in the red box?
  • What is the flag shown on the contact-msg network request?

Video Walk-Through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.