Election Day: any hint??

It’s very hard to give a hint for this one, but there are three steps (I know it’s kinda obvious and irritating answer, but…):
1. What do you need to do?
2. Why you cannot do it?
3. How to do it?
May be somebody can give a better hint.

well i i tried >> different encodings but nothing works. i wonder if i am in the right path :/

Please, any more help with this challenge? I am stuck ( I am new to this whole thing) and I am starting to dispair :‘)

Once you identify the challenge, it becomes fairly straightforward.
I’d suggest extensively probing the application to understand what you can and can’t do.
Figure out ways to do what you want to do by bypassing measures that are attempting to stop you.

Thanks so much for your response! I have tried a lot…I compared all candidates and what happens when I try to vote, but appart from the 400 or 200 status message, the requests don’t seem to differ..cookies are exactly the same….:( Do I need burp for this or can I solve it with web dev tools? Thanks again!!

You’re looking too far into it. There is something that stands out when trying to vote as the level description says.

Thanks again for your help! The only thing that stands out to me is the d in her vote_id. But I will keep on trying :)

Good luck! :)

reviving this thread for some hint . I know the waf is not allowing some characters and one of them is presented in the second candidate’s vote id . Can any one give a hint to put me on track

You’re on the right track ;) keep trying what you’re doing!

I have been stuck on this challenge for a while now.

Something that I did notice was the number of characters in the candidate’s last name matches the number of digits in their vote_id.

Like others have posted in this thread, the WAF is clearly blocking certain characters, like the ’d' character in ?vote_id=62d784 but I have had my hair start to fallout trying to bypass this annoying WAF.

Any tips feel free to PM me!

Still stuck as well! been on the right track for a year now…but can’t figure it out! Any help?

jules70 knows says that https://defendtheweb.net/extras/playground/election/?vote_id=62d784 return an error : Request denied by SuperSecureWAF 1.2b
in addition firefox say that in his dev tools (ctrl+shift+I) (keyboard shortcut) in this adress network tab shows : 400 Bad Request so http error 400

I know that with burpsuite, we can change error 400 to the state 200 (=all is OK, ok), so as there is no error the communication is made and we have the password.

But I have no many experiences with BS, I have see with youtube tutorial about that, I hope that in the future I will resolve this chall

I say all of that for help the people interesting in hacking

see you

I intercepted Burpsuite responses and changed the code from 400 to 200 but it did not work.

Good idea though.

sitemap.xml gives a strange error message.

When I am on my laptop I will view the source of that page.

https://defendtheweb.net/extras/playground/election/sitemap.xml

Hello !

You can also write “test.html” and it shows the same error message, it’s just the website error message when you try to go to a file that doesn’t exist, for example : https://defendtheweb.net/test42.html