User-Agent Login Log

CTF Objective: The goal of this challenge is to achieve stored XSS by exploiting the User-Agent input that gets logged in the session. (In case you use Burp Suite, don't forget the PHP session cookie.)

Your objective is to craft a malicious User-Agent string that is stored in the session and then triggered upon later access. Specifically, you must trigger the execution of alert(document.domain) as a stored XSS, showing that you can execute JavaScript code on the target page. However, we recommend trying to get alert`1` to work first. Successfully accomplishing this will demonstrate your understanding of how XSS vulnerabilities can be leveraged "after" parsing.

This challenge makes use of a commonly used User-Agent parser. Can you get stored XSS in there? 😉
Make good use of the Reset Log button.

First Time Logged In

Login Time: 2026-02-26 07:59:32

User-Agent Log

Timestamp | User-Agent | Browser | OS | Device | Is a Mobile device?
2026-02-26 07:59:32 | Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | ClaudeBot 1.0 | Other | Spider | Not a mobile device

Explanation:
Browser: The family of the browser and its version.
OS: The operating system of the device (e.g., Windows, Android).
Device: The family of the device (e.g., iPhone, Samsung, Desktop).
Mobile Status: Indicates whether the device is mobile or not.
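
From the defender's side, the log table above has one property worth showing in code: the Browser, OS and Device cells are derived from the request header, so they need the same output encoding as the raw User-Agent cell. The following is an added example, not the challenge's code; `parse_ua()` is a hypothetical stand-in for whatever parser the application uses, and the sample header is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the application's User-Agent parser (the page
// does not name it). Like regex-based parsers, it copies substrings of the
// header into its result fields.
function parse_ua(string $ua): array
{
    $r = ['browser' => 'Other', 'os' => 'Other', 'device' => 'Other',
          'mobile' => stripos($ua, 'Mobile') !== false];
    if (preg_match('~([^\s;/()]*bot[^\s;/()]*)/(\d+(?:\.\d+)?)~i', $ua, $m)) {
        $r['browser'] = $m[1] . ' ' . $m[2];  // capture groups are request bytes
        $r['device']  = 'Spider';
    }
    return $r;
}

// Encode one value for an HTML text or attribute context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Weak pattern: only the raw header is treated as untrusted; the parsed
// fields are concatenated into the row as if the parser had cleaned them.
function render_row_weak(string $ts, string $ua): string
{
    $p = parse_ua($ua);
    return '<tr><td>' . e($ts) . '</td><td>' . e($ua) . '</td><td>'
         . $p['browser'] . '</td><td>' . $p['device'] . "</td></tr>\n";
}

// Hardened pattern: every cell is encoded at output, parsed fields included.
function render_row(string $ts, string $ua): string
{
    $p = parse_ua($ua);
    $cells = [$ts, $ua, $p['browser'], $p['os'], $p['device'],
              $p['mobile'] ? 'Mobile device' : 'Not a mobile device'];
    return '<tr><td>' . implode('</td><td>', array_map('e', $cells)) . "</td></tr>\n";
}

// Constructed sample: harmless markup inside the product token.
$ua = 'Mozilla/5.0 (compatible; Test<b>Bot/1.0)';
echo render_row_weak('2026-02-26 07:59:32', $ua); // Browser cell keeps the markup
echo render_row('2026-02-26 07:59:32', $ua);      // all cells entity-encoded
```

Encoding at the point of output, rather than trusting the parser to return clean values, also covers rows that were stored in the session before the fix.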