JurryHurry
JurryHurry is a full-service law firm with a polished public site and a staff portal where the clerks work through the contact queue.
The Scenario
JurryHurry is a long-established firm that handles everything from real estate
closings to commercial litigation. Enquiries come in through the contact form
on the public site, and a clerk works the queue from a staff portal each
morning. The managing partner wants a quiet look at that portal before a
compliance review. Start at the front door and see how far in you get.
Lab Intel
Synopsis
JurryHurry's contact queue is read by a clerk whose browser trusts more than it should. Turn a stored message into a stolen session and replay it into the staff portal.
Architecture
An easy single-application lab. The public law-firm site takes enquiries through a contact form, and a headless clerk bot works the resulting queue from the staff portal every few seconds. Stored content reaches that privileged viewer, the clerk session is not locked down the way it should be, and the clerk's browser can reach the attacker across the lab VPN. The intended path is a stored XSS that steals the clerk session and replays it to recover the flag from the staff portal.
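A defender's view of the two weaknesses described above, as an added example that is not the lab's own code: it escapes stored message fields before a staff view renders them, and audits a `Set-Cookie` header for the attributes that keep a session cookie out of reach of page script. The function names, the cookie name `sid` and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example; escapeHtml, renderQueueItem, auditSetCookie and "sid" are hypothetical names.

// Encode the HTML-significant characters so stored text is rendered as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Hardened renderer for one contact-queue row shown to the privileged viewer.
function renderQueueItem(msg) {
  return `<li><b>${escapeHtml(msg.name)}</b>: ${escapeHtml(msg.body)}</li>`;
}

// Parse one Set-Cookie header value and list the protective attributes it lacks.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  // Attribute names are case-insensitive, so normalise before lookup.
  const seen = new Map(attrs.filter(Boolean).map((a) => {
    const i = a.indexOf("=");
    return i < 0
      ? [a.toLowerCase(), ""]
      : [a.slice(0, i).toLowerCase(), a.slice(i + 1).toLowerCase()];
  }));
  const findings = [];
  if (!seen.has("httponly")) findings.push("missing HttpOnly: readable from page script");
  if (!seen.has("secure")) findings.push("missing Secure: sent over plain HTTP");
  const sameSite = seen.get("samesite");
  if (sameSite !== "lax" && sameSite !== "strict") findings.push("SameSite not Lax/Strict");
  return { name, findings };
}

// Constructed sample inputs.
const weak = auditSetCookie("sid=abc123; Path=/");
const strong = auditSetCookie("sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict");
const row = renderQueueItem({ name: "A. Client", body: "<script>alert(1)</script>" });
console.log(weak, strong, row);
```

HttpOnly only stops script from reading the cookie; the output encoding is what removes the injection itself, so both controls belong in the fix.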
Who It's For
Players who know basic cross-site scripting and want to practise the full steal-and-replay loop against an admin bot over the lab VPN.
Skills You'll Practice
- Spotting an unescaped sink that only a privileged viewer ever reaches
- Recognising a session cookie that is missing HttpOnly
- Building an out-of-band exfiltration payload aimed at a VPN listener
- Replaying a captured session cookie to authenticate as someone else
What You'll Gain
- End-to-end stored XSS into account takeover via session-cookie theft
- Comfort running a callback listener on your VPN IP inside a lab