OK soooooo….
I have tried so much… spent two full 15 hr days and really need a solid hint. No, the others arent helping…
(THE D:) Using burp, I tried brute forcing. I noticed that with the the “d” the reply is always “blank Forbiden screen” but if I remove the “d” the replys come back as “ Invalid vote” (however the pictures and stuff still show). So I tried using burp to bruteforce every possible combination of those numbers… to see if it was a typo. Nothing… also tried that with the d… nothing.
I used burp compairererer to compair all 3 profiles and the only diff is the damn d!
Do i have to get it to accept the d? Is the d- supposed to be there? non-of the others have a d…
I tried server side and several types of url manipulation / injection including null byte… some of which return the forbidden screen… which makes me think its my shitty java skills and im just using the wrong syntax or something.
Are there any good articles or tutorials someone can point me to as a hint? what skill area do i need to focus on. URL injection or is it something i need to do in the developer tool / element inspection tool?
