
Cybertalents Wrong Token Web Challenge Writeup


Request to the flag is forbidden due to wrong CSRF token … can you fix it and reveal the flag

Difficulty: hard

Challenge Link:



Opening the website, we find the following web page:

Reading the page source, we find that we need to send a JSON request containing some data.

The request should look like the following:

{"action": "view_flag", "_token": "asdjhDJhfkjdI"}

If you send this request, you will receive this error:

Failed Comparison ( incoming CSRF token != Session CSRF token )


The server evidently compares the incoming `_token` value against the CSRF token stored in the session, so we need to find a way to satisfy that comparison without knowing the session token.

First, I tried removing the whole parameter, but it didn't work. Then I tried removing only the value, but still nothing.

Finally, I changed the data type from a string to the boolean value true, and it gave me the flag.
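Why the boolean works, shown as an added example rather than the challenge's own source: if the backend is PHP (an assumption; the page does not say which language it uses), the loose `==` operator treats `true == "<any non-empty string>"` as true, so a JSON boolean slips past a string comparison. The snippet below puts such a check beside a hardened version (type check plus `hash_equals()`) and runs both over the three request shapes tried above; the session token and request bodies are constructed sample values.

```php
<?php
// Added example, not the challenge's code. Assumes a PHP backend.

// Vulnerable check: loose comparison. In PHP, comparing a bool with a
// string converts the string to bool, so `true == "asdjhDJhfkjdI"` is true.
function csrf_check_loose($incoming, string $sessionToken): bool
{
    return $incoming == $sessionToken;
}

// Hardened check: reject anything that is not a string, then compare with
// hash_equals(), which is type-strict and runs in constant time.
function csrf_check_strict($incoming, string $sessionToken): bool
{
    if (!is_string($incoming)) {
        return false;
    }
    return hash_equals($sessionToken, $incoming);
}

// Constructed sample: the token held in the session, plus the request
// bodies corresponding to the three attempts described in the writeup.
$sessionToken = 'asdjhDJhfkjdI';
$requests = [
    'no parameter' => '{"action": "view_flag"}',
    'empty value'  => '{"action": "view_flag", "_token": ""}',
    'boolean true' => '{"action": "view_flag", "_token": true}',
];

foreach ($requests as $label => $body) {
    $data = json_decode($body, true);
    // A missing key yields null, which loosely equals "" but not the token.
    $incoming = $data['_token'] ?? null;
    printf(
        "%-13s loose=%s strict=%s\n",
        $label,
        csrf_check_loose($incoming, $sessionToken) ? 'PASS' : 'fail',
        csrf_check_strict($incoming, $sessionToken) ? 'PASS' : 'fail'
    );
}
```

Only the boolean request passes the loose check, and none of the three pass the strict one; the fix a defender wants is the type guard plus a strict comparison, not a longer token.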

This post is licensed under CC BY 4.0 by the author.