dont-use-client-side picoCTF 2019 Solution

Published: April 2, 2026

Description

Can you find the flag? It is hidden in the HTML source of this page.

  1. Step 1: View the page source
    Open the challenge URL. Press Ctrl+U (or right-click > View Page Source) to see the raw HTML. Look for a script tag containing the password validation logic.

    When a web application validates a password purely in client-side JavaScript, the correct password must exist somewhere in the code the browser downloads. There is no server-side check to hide the secret.

  2. Step 2: Find and concatenate the flag parts
    The JavaScript compares the user input to a string that is split into several variables or parts. Find each part in the source and concatenate them in order to form the complete flag.

    Look for lines like var part1 = 'picoCTF{', var part2 = '...', and so on, or a comparison such as if (input === part1 + part2 + part3). Join the pieces in the order the comparison uses.

    This challenge is the easiest demonstration that client-side validation provides zero real security - a user never even needs to type anything into the form; they just read the source.
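    The following is an added example, not code from the writeup or the challenge: a constructed page source that follows the var partN pattern described above (the flag value is a placeholder), a small extractor that rebuilds the secret from the downloaded JavaScript alone, and the contrasting shape where the comparison lives on the server so the same extractor finds nothing.

```javascript
// Constructed sample matching the pattern the writeup describes.
// The flag value is a placeholder, not the real challenge flag.
const constructedSource = `
<script>
  var part1 = 'picoCTF{';
  var part2 = 'placeholder_';
  var part3 = 'value}';
  function verify() {
    var input = document.getElementById('pass').value;
    if (input === part1 + part2 + part3) { alert('Correct'); }
    else { alert('Incorrect'); }
  }
</script>`;

// Constructed hardened variant: the browser only learns the verdict,
// because the comparison happens in a server-side handler (/verify is
// an assumed endpoint name).
const constructedHardenedSource = `
<script>
  async function verify() {
    var input = document.getElementById('pass').value;
    var r = await fetch('/verify', { method: 'POST', body: input });
    alert((await r.json()).ok ? 'Correct' : 'Incorrect');
  }
</script>`;

// Collect every "var partN = '...'" assignment keyed by N, so the pieces
// can be joined in numeric order wherever they appear in the file.
function extractParts(source) {
  const parts = new Map();
  const re = /var\s+part(\d+)\s*=\s*(['"])((?:\\.|(?!\2).)*)\2/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    parts.set(Number(m[1]), m[3]);
  }
  return parts;
}

// Join the parts in the order the comparison uses. Nothing is submitted:
// the secret is known from the download alone, which is the whole point.
function recoverSecret(source) {
  const parts = extractParts(source);
  const order = [...parts.keys()].sort((a, b) => a - b);
  return order.map((k) => parts.get(k)).join('');
}

// Server-side check: the secret never leaves the server, only the verdict.
function serverSideVerify(submitted, secretOnServer) {
  return submitted === secretOnServer;
}

console.log(recoverSecret(constructedSource)); // → picoCTF{placeholder_value}
console.log(extractParts(constructedHardenedSource).size); // → 0
```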

Flag

picoCTF{...}

The password is split into string variables in the JavaScript source. Concatenate them in order to get the flag.
