#### Computeration (web, 14 solves, 333 points)  
>Can you get admin's note? I heard the website runs only on client-side so
>should be secure...  
>  
>https://computeration.web.jctf.pro/  
>  
> If you find anything interesting give me call here:
> https://computeration.web.jctf.pro/report  
>  
>The flag is in the format: justCTF{[a-z_]+}.  
>  
>Happy hacking!!

#### Unintended solution  
It was supposed to be a hard challenge but the original challenge had an
unintended (but not unthought of) vulnerability that led to a trivial solution
and hence revealing a huge hint towards the intended solution. It was solved
by 103 teams. The reason behind the vulnerability was a typo I made in the
response headers, which was:

```HTTP  
Referrer-policy: no-referer  
```

Can you spot the typo? I typed `no-referer` instead of `no-referrer` which
resulted in `unsafe-url` being set. Because of that, any URL sent through the
form would leak the secret endpoint to admin's "login page" :face_palm:.

![](https://i.imgur.com/xDFRqHo.png)

By sending the URL from the referer one can see:

![](https://i.imgur.com/8ESPDSS.png)

Indeed, the flag was **justCTF{cross_origin_timing_lol}**
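
A check that would have caught the header typo before deployment, as an added example that is not part of the original challenge or writeup. It applies the Referrer Policy parsing rule (comma-separated tokens, unrecognised tokens ignored, last recognised token wins); the function name and sample values are assumptions made for illustration.

```python
import difflib

# Policy tokens defined by the W3C Referrer Policy specification.
VALID_POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)


def check_referrer_policy(header_value):
    """Return (effective_policy, problems) for a Referrer-Policy header value.

    effective_policy is None when no token is recognised, meaning the header
    contributes no policy and whatever applies without it stays in force.
    Tokens are compared case-insensitively here.
    """
    effective = None
    problems = []
    for raw in header_value.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        if token in VALID_POLICIES:
            effective = token  # last recognised token wins
            continue
        # Unknown tokens are silently dropped by browsers, so report them.
        hint = difflib.get_close_matches(token, VALID_POLICIES, n=1, cutoff=0.6)
        suggestion = f", did you mean '{hint[0]}'?" if hint else ""
        problems.append(f"unknown policy '{token}'{suggestion}")
    if effective is None:
        problems.append("no valid policy: header has no effect")
    return effective, problems


if __name__ == "__main__":
    # Constructed sample values; the first is the typo from this writeup.
    for value in ("no-referer", "no-referrer", "no-referer, strict-origin"):
        print(repr(value), "->", check_referrer_policy(value))
```

Run as a test against the response headers of each deployed route, failing the build whenever `problems` is non-empty.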

Original writeup
(https://hackmd.io/@terjanq/justCTF2020-writeups#Computeration-web-14-solves-333-points).