Description: A target service is asking for two bits of information that have the same “custom hash”, but can’t be identical. Looks like we’re going to have to generate a collision?
When we navigate to the home page, we are greeted with the source code, detailing the conditions for getting the flag and the type of requests to be made:
So we know that our request body has to be JSON, and that we will receive a 400 error if the body is invalid or if either of the request parameters “one” and “two” is missing. There is also a customhash function, whose implementation is not shown to us, that hashes what we send to /getflag.
Using Postman, I tried out a few sample payloads and received their hash values as well as rejections:
Since the hash is custom, brute-forcing a collision would take a while. But looking back at the source code, we see that the parameters “one” and “two” are compared with == instead of ===.
A loose comparison like this converts the operands to a common type before comparing them, so two inputs that are not identical can still compare as equal.
We can see that  and “1” compare as equal. When we use this pair as our request body, we receive the flag without having to brute-force anything:
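To make the == versus === difference concrete, here is an added example that is not the challenge's own source (the writeup does not reproduce it). It assumes the service compares the two JSON parameters with JavaScript-style loose equality; PHP's == carries the same class of hazard with its own coercion rules. The function names, the request bodies and the hardened variant are all constructed for illustration.

```javascript
// Added example, not the challenge's code. Assumption: JavaScript == / === semantics.
// All helper names below are hypothetical.

// Parse the request body as the writeup describes: it must be JSON and both
// "one" and "two" must be present, otherwise the service answers 400.
function parseBody(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, error: "invalid JSON body" };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body) ||
      !("one" in body) || !("two" in body)) {
    return { status: 400, error: "missing parameter one or two" };
  }
  return { status: 200, one: body.one, two: body.two };
}

// The comparison under scrutiny. "loose" uses ==, which converts both operands to
// a common type before comparing; "strict" uses ===, which also requires the types to match.
function sameValue(a, b, mode) {
  if (mode === "loose") return a == b; // eslint-disable-line eqeqeq
  if (mode === "strict") return a === b;
  throw new Error("unknown comparison mode: " + mode);
}

// Report whether the two parameters count as identical under the chosen operator.
function paramsIdentical(rawBody, mode) {
  const parsed = parseBody(rawBody);
  if (parsed.status !== 200) return parsed;
  return { status: 200, identical: sameValue(parsed.one, parsed.two, mode) };
}

// Hardened variant: pin the expected type before comparing, then use ===.
// A body whose parameters are not both strings is rejected instead of coerced.
function paramsIdenticalHardened(rawBody) {
  const parsed = parseBody(rawBody);
  if (parsed.status !== 200) return parsed;
  if (typeof parsed.one !== "string" || typeof parsed.two !== "string") {
    return { status: 400, error: "one and two must be strings" };
  }
  return { status: 200, identical: parsed.one === parsed.two };
}

// Constructed request bodies: every pair is distinct to ===, yet == calls them equal.
const LOOSELY_EQUAL_BODIES = [
  '{"one": true, "two": "1"}', // boolean true and the string "1" both convert to the number 1
  '{"one": 1, "two": "1"}',    // number and numeric string
  '{"one": 0, "two": ""}',     // the empty string converts to 0
  '{"one": [1], "two": "1"}',  // a one-element array stringifies to "1"
];

// Run every constructed body through both operators so the difference is visible side by side.
function probe(bodies) {
  return bodies.map((body) => ({
    body,
    loose: paramsIdentical(body, "loose").identical,
    strict: paramsIdentical(body, "strict").identical,
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(probe(LOOSELY_EQUAL_BODIES));
  console.log(paramsIdenticalHardened('{"one": true, "two": "1"}'));
}
```

Which of the server's checks the loose operator undermines depends on where it sits in the real source, but the table makes the underlying point: under ==, a request can satisfy an "equal" check with two values that are not the same, and the only robust fix is to validate the parameter types and then compare with ===.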