From bc20a764875b244c312c36d2bdfbb25360d0d23a Mon Sep 17 00:00:00 2001
From: Curt Hash <chash@cfl-superfund.lanl.gov>
Date: Tue, 13 Oct 2009 15:00:04 -0600
Subject: [PATCH] 60pt webapp puzzle

---
 puzzles/webapp/50/key         |  1 -
 puzzles/webapp/60/,binary.png |  1 +
 puzzles/webapp/60/,ctf.css    |  1 +
 puzzles/webapp/60/6.cgi       | 72 +++++++++++++++++++++++++++++++++++
 puzzles/webapp/60/key         |  1 +
 puzzles/webapp/summary.txt    |  2 +
 6 files changed, 77 insertions(+), 1 deletion(-)
 create mode 120000 puzzles/webapp/60/,binary.png
 create mode 120000 puzzles/webapp/60/,ctf.css
 create mode 100755 puzzles/webapp/60/6.cgi
 create mode 100644 puzzles/webapp/60/key

diff --git a/puzzles/webapp/50/key b/puzzles/webapp/50/key
index 9c65921..042dd52 100644
--- a/puzzles/webapp/50/key
+++ b/puzzles/webapp/50/key
@@ -1,2 +1 @@
 eVkIwHzOok
-
diff --git a/puzzles/webapp/60/,binary.png b/puzzles/webapp/60/,binary.png
new file mode 120000
index 0000000..36053bd
--- /dev/null
+++ b/puzzles/webapp/60/,binary.png
@@ -0,0 +1 @@
+../10/,binary.png
\ No newline at end of file
diff --git a/puzzles/webapp/60/,ctf.css b/puzzles/webapp/60/,ctf.css
new file mode 120000
index 0000000..19b2533
--- /dev/null
+++ b/puzzles/webapp/60/,ctf.css
@@ -0,0 +1 @@
+../10/,ctf.css
\ No newline at end of file
diff --git a/puzzles/webapp/60/6.cgi b/puzzles/webapp/60/6.cgi
new file mode 100755
index 0000000..75e192b
--- /dev/null
+++ b/puzzles/webapp/60/6.cgi
@@ -0,0 +1,72 @@
+#!/usr/bin/python
+
+import os
+import cgi
+import cgitb
+cgitb.enable(context=10)
+
+#if os.environ.has_key('QUERY_STRING'):
+#	os.environ['QUERY_STRING'] = ''
+
+fields = cgi.FieldStorage()
+
+import Cookie
+c = Cookie.SimpleCookie()
+c['key'] = 'QJebByJaKX'
+c['content'] = '<p><em>Maybe I should have used sessions...</em></p>'
+
+print 'Content-Type: text/html\n%s\n\n\n' % c
+print ''
+
+print '''
+<html>
+	<head>
+		<title>6</title>
+		<link rel="stylesheet" type="text/css" href=",ctf.css" media="all" />
+		<script type="text/javascript">
+			function readCookie(key) {
+				var s = key + '=';
+				var toks = document.cookie.split(';');
+				for (var i = 0; i < toks.length; i++) {
+					var tok = toks[i];
+					while (tok.charAt(0) == ' ') {
+						tok = tok.substring(1, tok.length);
+					}
+					if (tok.indexOf(s) == 0) {
+						return tok.substring(s.length, tok.length);
+					}
+				}
+				return null;
+			}
+
+			function setContent() {
+				content = readCookie("content");
+				document.getElementById("stuff").innerHTML = content.substring(1, content.length-1);
+			}
+
+			window.onload = setContent;
+		</script>
+	</head>
+	<body>
+		<div id="wrapper">
+			<div id="content">
+				<h1>Web Application Challenge 6</h1>
+				<p>Through some manipulation or interpretation of this CGI script 
+				and the HTML page(s) that it generates, a 10 character key can be 
+				found.</p>
+				<p><strong>Find the key!</strong></p>
+
+				<div class="vertsep"></div>
+				<div id="stuff"></div>
+'''
+
+print '''
+			</div>
+			<div id="footer">
+				<p>Copyright &copy; 2009 LANS, LLC.</p>
+			</div>
+		</div>
+	</body>
+</html>
+'''
+
diff --git a/puzzles/webapp/60/key b/puzzles/webapp/60/key
new file mode 100644
index 0000000..f235990
--- /dev/null
+++ b/puzzles/webapp/60/key
@@ -0,0 +1 @@
+QJebByJaKX
diff --git a/puzzles/webapp/summary.txt b/puzzles/webapp/summary.txt
index c2868e0..c59df78 100644
--- a/puzzles/webapp/summary.txt
+++ b/puzzles/webapp/summary.txt
@@ -8,3 +8,5 @@
 50:		change the quantity value (hidden form field) to something greater than the
 		stated quantity limit. the key is in the resulting traceback. entering non-
 		integers is caught and handled, so that no longer works.
+60:		the key is in the cookie. note the javascript that reads a value from the
+		cookie, hopefully causing the player to take a look at the cookie.