The Holiday Hack Trail was a fun little spin on the classic game we all failed miserably at as kids: The Oregon Trail. The challenge was designed to highlight the dangers of HTTP Parameter Pollution.
Accessing the Challenge
I discovered this challenge after solving Frosty Keypad and making my way into the Dorm. I found the challenge in the eastern hallway. Once you click it, you're presented with an Oregon Trail-styled console screen asking if you want to play in easy, medium, or hard mode.
HTTP Parameter Pollution
I chose to go the easy route. Once I selected "easy", I immediately noticed the URL at the top of the screen with a bunch of parameters and values.
The URL string showed the following parameter values:
hhc://trail.hhc/store/?difficulty=0&distance=0&money=5000&pace=0&curmonth=7&curday=1&reindeer=2&runners=2&ammo=100&meds=20&food=400&name0=Dop&health0=100&cond0=0&causeofdeath0=&deathday0=0&deathmonth0=0&name1=Jane&health1=100&cond1=0&causeofdeath1=&deathday1=0&deathmonth1=0&name2=Herbert&health2=100&cond2=0&causeofdeath2=&deathday2=0&deathmonth2=0&name3=Jane&health3=100&cond3=0&causeofdeath3=&deathday3=0&deathmonth3=0
After some testing, I found that the game would require you to cover a distance of 8000 by 25 Dec.
I modified the following parameters in the URL:
- distance=8000
- curmonth=12
- curday=24
Once these were modified, I clicked the > button to follow the URL path.
Now that I had no distance remaining on 24 Dec, all I had to do was click Go and I won the game and the challenge.
Conclusion
This was another fun challenge that showed why validation matters in web applications: without it, they are open to HTTP parameter pollution and to other input-based attacks such as cross-site scripting.
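One way to add the validation the conclusion calls for, as an added example (not code from the challenge or from the original post): the server signs the state it places in the URL and rejects any request whose parameters were changed or repeated. The key, the `sig` parameter name and the sample state are assumptions constructed for this sketch.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
TAG_PARAM = "sig"                      # hypothetical name for the integrity tag


def _tag(state: dict) -> str:
    """HMAC-SHA256 over the state in a canonical (sorted) encoding."""
    canonical = urlencode(sorted(state.items()))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def sign_state(state: dict) -> str:
    """Return the query string the server would hand to the client."""
    return f"{urlencode(sorted(state.items()))}&{TAG_PARAM}={_tag(state)}"


def verify_state(query: str) -> dict:
    """Parse a returned query string; raise ValueError if polluted or altered."""
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    # Parameter pollution proper: the same name supplied more than once.
    duplicates = sorted({n for n in names if names.count(n) > 1})
    if duplicates:
        raise ValueError(f"duplicate parameters: {duplicates}")
    state = dict(pairs)
    supplied = state.pop(TAG_PARAM, "")
    if not hmac.compare_digest(supplied.encode(), _tag(state).encode()):
        raise ValueError("state was modified after the server issued it")
    return state


def is_rejected(query: str) -> bool:
    try:
        verify_state(query)
        return False
    except ValueError:
        return True


# Constructed sample: a subset of the parameters shown in the URL above.
SAMPLE = {"difficulty": "0", "distance": "0", "money": "5000",
          "curmonth": "7", "curday": "1", "causeofdeath0": ""}
issued = sign_state(SAMPLE)
tampered = issued.replace("distance=0", "distance=8000")  # edited value
polluted = issued + "&distance=8000"                      # repeated name
```

Keeping the game state in a server-side session avoids the problem altogether; a signed query string is for cases where the state has to travel through the client.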