Fieldnote
A research tool checks that shared URLs 'contain http'. They really ought to check more.
Room Description

https://dashboard.webverselabs-pro.com/challenges/fieldnote
Scenario
Fieldnote is a journaling app for field biologists. Colleagues paste links to related papers or references and share them via a /share?u= URL. The filter is one line — if the URL doesn't contain 'http', replace it with a safe default. The filter author didn't think about what 'contains' actually means.
Objective
A research tool checks that shared URLs 'contain http'. They really ought to check more.
Initial Analysis
The UI looks beautiful! Just like those cozy flat/house organizing indie games that are getting popular. I would even consider nabbing that blog formatting :D

The endpoints we have exposed:
/journal (Journal), /species (Species), /cite (Citations), /export (Export)
I wonder what these biologists have been writing about.
Finding the bug
Let's have a look through the app.
/journal
Just a static list of entries:

/species
Another static list of information, even though the page says you can add information per species.

/export
Just a blob of text; there is no real way to export the journal.

/cite

If we submit something like "test", the request goes through, but the value doesn't get rendered anywhere. That makes sense: "test" doesn't contain "http", so the filter swaps it for the safe default.

What if we try to send a payload like:
<img src=http onmouseover=alert(1)>
This fulfils the "must contain http" requirement (the substring sits inside the src value), so the filter passes the input through unchanged and we can see where it ends up being rendered.

Okay, we see what our newly added citation looks like. Let's check the frontend.

Exploitation
Great, so our payload gets inserted into an href attribute, and the comment in the frontend markup also spells out the vulnerability we need to exploit. Since the exploit has to be delivered through a URL field, there is a very convenient way to do that:

https://developer.mozilla.org/en-US/docs/Web/URI/Reference/Schemes/javascript
With the javascript: scheme, the href itself becomes our script. All we need to do is trigger an alert pop-up to bypass the CSP and get the flag, and include the substring http somewhere so the only filter lets the value through. Putting it after a // comment means the filter sees "http" but the JavaScript engine never executes it:
javascript:alert(1)//http
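To make the filter bug concrete, here is an added example (not Fieldnote's own code) that puts the one-line "contains http" check described in the scenario next to a hardened version, and runs both over the probe and payload from this writeup plus a few constructed variants. The function names, the safe default URL and the PROBES list are all assumptions for illustration; the hardened version uses the WHATWG URL parser that browsers and Node both implement, and allowlists the scheme instead of searching for a substring.

```javascript
// Added example, not the challenge's code. Function names, the default URL
// and the probe list are assumptions for illustration.
const SAFE_DEFAULT = "https://example.org/"; // assumed "safe default"

// Roughly the filter the scenario describes: one substring check, after
// which the value is written straight into an href attribute.
function naiveFilter(u) {
  return u.includes("http") ? u : SAFE_DEFAULT;
}

// Hardened version: parse with the WHATWG URL parser (same parser the
// browser will apply to the href), then allow only the schemes we want.
function strictFilter(u) {
  let parsed;
  try {
    parsed = new URL(u); // throws on relative or malformed input
  } catch {
    return SAFE_DEFAULT;
  }
  const allowed = new Set(["http:", "https:"]);
  if (!allowed.has(parsed.protocol)) return SAFE_DEFAULT;
  return parsed.href; // normalised form: lowercased scheme and host
}

// Constructed inputs: the writeup's probe and payload plus variants of the
// same trick (case games, leading whitespace, other scriptable schemes).
const PROBES = [
  "https://doi.org/10.1000/xyz123",                  // legitimate reference
  "<img src=http onmouseover=alert(1)>",             // probe used to find the sink
  "javascript:alert(1)//http",                       // the final payload
  "JavaScript:alert(1)//http",                       // scheme is case-insensitive
  "  javascript:alert(1)//http",                     // leading whitespace is stripped by the parser
  "data:text/html,<script>alert(1)</script>http",    // another non-http scheme
  "ftp://example.org/http",                          // well-formed but not allowlisted
  "test",                                            // the "test" input from the writeup
];

// Run both filters over the probes and return what each would emit.
function compare(list = PROBES) {
  return list.map((u) => ({
    input: u,
    naive: naiveFilter(u),
    strict: strictFilter(u),
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

Every entry that contains "http" anywhere sails through naiveFilter, including the javascript: payload; strictFilter only lets the https://doi.org/... reference through and collapses everything else to the default. Note that the scheme check has to run on the parsed protocol rather than on a string prefix, because the parser also lowercases the scheme and strips leading whitespace, which is exactly what the browser will do when it follows the link.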

We get a successful alert pop-up. Now let's check the frontend to confirm that the href is being rendered and invoked as expected.

We get the flag:
