In this write-up, I analyze the "Cool Name Effect" web security challenge and document the steps taken to reach the flag.

We notice that the challenge presents a web page with an input field where the user is asked to enter a name.

At first, I tried entering a random name to observe how the application responds.

Upon entering a name, we notice that the input is reflected directly on the page.

This behavior immediately raised suspicion of a possible XSS vulnerability

I then tried injecting a simple script to see how the application would handle it, but no visible result appeared.

After that, I moved on to inspect the page source code.

After inspecting the source code, it was clear that the value provided in the name parameter is directly injected into the HTML content without any form of sanitization or encoding. The input is reflected back on the page dynamically, indicating that the application does not properly validate or escape user-controlled data before rendering it.

This behavior clearly points to a reflected XSS vulnerability, where arbitrary input can be processed and displayed by the browser as part of the page. For readers who want to understand this type of vulnerability in more depth, detailed explanations and examples can be found on PortSwigger

After that, I injected the following payload, which executed successfully and allowed me to retrieve the flag:

 Z3DX </h1><svg onload=alert(1) </h1>

flag is : ciyypjz

See you soon! 👋😄

#CyberSecurity #WebPentesting #CTF