Waybill
Waybill Freight uses HMAC-signed URLs to protect shipment documents. The signing secret isn't quite as secret as the team assumed.
The Scenario
Waybill Freight's document delivery system was built by an engineer who added a signing key for "security." During a late-night debug session the key ended up in an HTML comment. The comment shipped to production and has been there for two sprints. You're auditing a business customer account when you notice the dispute form looks a bit different in source view.
Challenge Intel
Synopsis
Document signing secret leaked in an HTML comment lets you forge valid URLs for any shipment document.
What It Is
Shipment PDFs are served by storage.php?file=FILENAME&sig=md5(filename+secret). The secret string 'waybill' is visible in <!-- debug: sig_key=waybill --> in the dispute form HTML source. The target shipment ID appears on the public tracker page (/tracker.php). The player computes md5('CLEARWATER_SHP_001_invoice.pdf'+'waybill') to get a valid sig and downloads Clearwater Electronics' commercial invoice, which contains the flag.
Who It's For
Players who want to practice finding secrets in HTML and constructing forged request parameters.
Skills You'll Practice
- Reading HTML source for development artifacts
- Understanding MD5-based URL signing schemes
- Forging signed URLs with a known secret
- Using public-facing pages to enumerate target identifiers
What You'll Gain
- How weak MAC secrets become IDOR vectors
- Why debug artifacts in HTML are a critical finding
- Signed URL security depends entirely on secret confidentiality