2019 Stonecutters - Fink Does Yoga
The "Fink Does Yoga" website was a very basic login form to schedule a yoga class. No matter what you entered as credentials, the username was reflected back to the user on the next page that loaded and the password given didn't really seem to matter.

I started this challenge fuzzing bad characters to find some kind of injection vulnerability. I found that entering a " < " as the username gave me an interesting error. Seen below is the complete response:

    Warning: DOMDocument::loadXML(): StartTag: invalid element name in Entity, line: 1 in /app/web/login.php on line 22
    Warning: simplexml_import_dom(): Invalid Nodetype to import in /app/web/login.php on line 24
    Hi there, ! Welcome back.
    Calendar
    No spots are available at the moment. Please check back later.

I noticed XML errors in this output so I tried the following XXE injection attack against the username field:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DO
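
The parser warnings quoted above point at the two things a defender would change: diagnostics reaching the response, and a parser that accepts a DTD from user input. The following is an added example, not code from the original post or from the challenge's login.php; the function name `parse_untrusted_xml`, the `<user><name>` layout and the sample documents are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the challenge's login.php: parse untrusted XML
// without entity expansion and without echoing parser diagnostics.
function parse_untrusted_xml(string $xml): ?SimpleXMLElement
{
    // Collect libxml errors internally so warnings like the ones quoted
    // above (file path, line number, parser name) never reach the response.
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // Weak form for comparison: loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD)
    // substitutes entities and loads external DTD subsets.
    // Hardened form: neither flag, plus LIBXML_NONET to forbid network access.
    $ok = $xml !== '' && $doc->loadXML($xml, LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        // Log server-side only; the client gets a generic failure.
        error_log('XML rejected: ' . count($errors) . ' parser error(s)');
        return null;
    }
    // A login payload has no reason to carry a DTD: refuse any DOCTYPE.
    if ($doc->doctype !== null) {
        error_log('XML rejected: DOCTYPE present');
        return null;
    }
    $sx = simplexml_import_dom($doc);
    return $sx instanceof SimpleXMLElement ? $sx : null;
}

// Constructed sample inputs (not taken from the challenge).
$samples = [
    'benign'    => '<user><name>alice</name></user>',
    'malformed' => '<',
    'doctype'   => '<!DOCTYPE user [<!ENTITY e "x">]><user><name>&e;</name></user>',
];
foreach ($samples as $label => $xml) {
    $parsed = parse_untrusted_xml($xml);
    // Escape on output: the username is reflected into HTML.
    $name = $parsed === null ? '(rejected)' : htmlspecialchars((string) $parsed->name, ENT_QUOTES);
    echo $label, ': ', $name, PHP_EOL;
}
```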