In this write-up, I walk through the "x corp" web security challenge from Cybertalents. The challenge involved analyzing obfuscated JavaScript, understanding how URL parameters were handled, and bypassing input filters to retrieve the flag.

At the start of the challenge, we see a simple web page containing an input field. After reading the challenge description, it is clear that the main goal is to test the input handling mechanism and find a way to bypass the implemented filtering in order to obtain the flag.


I first attempted to inject a simple payload such as <svg onload=alert(1)> to check whether a cross-site scripting (XSS) vulnerability existed. However, the input was filtered and nothing happened, indicating that basic client-side protections were in place.


Next, I reviewed the page source code to better understand how the input was being handled on the client side.


After analyzing the page source code, I observed that the user input is taken directly from a URL parameter and processed by client-side JavaScript without proper sanitization. Additionally, the server response is executed using eval, which is another sign of unsafe input handling. Based on this behavior, a cross-site scripting (XSS) vulnerability was identified. By injecting the payload Z3DX'onload=alert(1), which closes the single-quoted attribute the input lands in and adds an onload handler after it, the script was successfully executed, confirming the vulnerability and allowing the flag to be obtained.


The flag is: Flag{X55_D4mn_G00D}


That's it for my write-up! I really enjoyed solving this challenge. Hope you found it helpful and interesting. Stay curious and keep learning!

See you soon! 👋😄

#CyberSecurity #WebPentesting #CTF #Z3DX