Description
Why search for the flag when I can make a bookmarklet to print it for me?
Setup
Browse to the challenge page and find the flag!
Copy the bookmarklet code displayed on the page to inspect it.
Solution
- Step 1: Create a bookmarklet manually
Bookmark any page, edit that bookmark, and replace its URL with the JavaScript snippet you copied. When you click the bookmark, the code executes and shows the flag.
javascript:(function(){ /* bookmarklet code from challenge page */ })();
A bookmarklet is a browser bookmark whose URL begins with javascript: instead of https://. When you click it, the browser executes the JavaScript in the context of the currently open page, giving the code access to the page's DOM, cookies, and variables.
Bookmarklets are wrapped in an IIFE (Immediately Invoked Function Expression) - the (function(){})() pattern - to create a private scope and avoid polluting the page's global namespace. This pattern is also the foundation of module systems in older JavaScript codebases.
In security contexts, bookmarklets demonstrate that JavaScript injection into a browser is powerful: the same mechanism can steal session cookies, modify page content, or exfiltrate data. Understanding bookmarklets helps explain why browser extensions require careful permission review and why Content Security Policy (CSP) headers exist to restrict inline script execution.
Real-world uses of bookmarklets include productivity tools (e.g., "Read Later" buttons), site theming tools, and security testing. Modern browser extensions are essentially elevated bookmarklets with persistent state and cross-page capabilities.
- Step 2: Run it in a JS console instead
Open DevTools (F12) or an online JavaScript runner, paste the snippet, and run it. The script simply calls alert() with the flag, so nothing else is required.
// paste into browser console
(function(){ alert("picoCTF{p@g3_turn3r_e8b...}"); })();
The browser JavaScript console (accessible via F12 or Ctrl+Shift+I) is one of the most powerful tools in web security research. It provides a full JavaScript REPL (Read-Eval-Print Loop) running in the page's security context, meaning it has access to all the same objects the page's own scripts do.
The alert() function creates a synchronous modal dialog - it pauses all JavaScript execution on the page until dismissed. While basic, alert-based output has been a debugging staple since early JavaScript. In security research, alert(1) is the canonical proof-of-concept payload for demonstrating Cross-Site Scripting (XSS) vulnerabilities because it's harmless but visually confirms code execution.
For CTF challenges, the console is invaluable because you can inspect variables, call functions, and read properties that aren't exposed in the visible UI. Many web challenges hide flags in JavaScript variables, HTML attributes, or API responses that are only visible through the console or Network tab.
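The Setup step says to copy the bookmarklet and inspect it; the sketch below does that inspection statically, without executing the code, and flags the capabilities mentioned above (cookie access, page rewriting, network requests). It is an added example, not code from the challenge or the original write-up: the function name inspectBookmarklet, the rule list, and the sample URLs are constructed for illustration, and the regex rules are a coarse first pass, not a JavaScript parser.

```javascript
// Added example: review a bookmarklet's source statically before clicking it.
// Rule labels and patterns are illustrative assumptions, not a complete policy.
const RULES = [
  ['reads cookies', /\bdocument\s*\.\s*cookie\b/],
  ['reads web storage', /\b(?:local|session)Storage\b/],
  ['makes network request', /\b(?:fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/],
  ['evaluates dynamic code', /\b(?:eval|Function)\s*\(/],
  ['rewrites page content', /\b(?:innerHTML|outerHTML)\b|\bdocument\s*\.\s*write\b/],
];

function inspectBookmarklet(url) {
  const scheme = /^\s*javascript:/i.exec(url);
  if (!scheme) {
    return { isBookmarklet: false, source: null, findings: [], literals: [] };
  }
  let source = url.slice(scheme[0].length);
  // Saved bookmark URLs are often percent-encoded; decode for review and
  // fall back to the raw text when the encoding is malformed.
  try {
    source = decodeURIComponent(source);
  } catch (err) {
    // keep the undecoded source
  }
  const findings = RULES.filter(([, re]) => re.test(source)).map(([label]) => label);
  // String literals show what the code would display or send.
  const literals = [];
  const strRe = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  for (const m of source.matchAll(strRe)) literals.push(m[1] ?? m[2]);
  return { isBookmarklet: true, source, findings, literals };
}

// Constructed samples (not the challenge's real bookmarklet or flag).
const SAMPLE_ALERT = 'javascript:(function(){alert("picoCTF{constructed_sample}");})();';
const SAMPLE_ENCODED = 'javascript:(function()%7Bconsole.log(document.cookie)%7D)()';

for (const sample of [SAMPLE_ALERT, SAMPLE_ENCODED, 'https://example.com/']) {
  const { isBookmarklet, findings, literals } = inspectBookmarklet(sample);
  console.log({ isBookmarklet, findings, literals });
}
```

An empty findings list only means none of these patterns matched; obfuscated code can evade regex rules, so read the decoded source as well.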
Flag
picoCTF{p@g3_turn3r_e8b...}
Running the bookmarklet reveals the alert containing the flag above.