Challenge Details Currently Active

Break MicroChallenge Validation Checks

Background

Your task is to assess the security of the YieldCat Micro Challenge platform that accepts and sanitizes user-submitted markdown content. The platform implements various security controls including content sanitization and CSRF protection.

Challenge Structure

Create multiple test challenge proposals on YieldCat Micro Challenge, each targeting a specific security aspect. Name your submissions clearly (e.g., "Test: Break MicroChallenge Validation Checks") so they can be easily tracked and managed.

Test Scenarios

1. Markdown Processing Tests

Test: Basic Markdown Structure
- Submit content using all supported markdown elements
- Pay attention to how nested lists, code blocks, and tables are handled
- Document which markdown features are stripped or modified
- Try combinations of supported elements to find processing inconsistencies

Test: Markdown Link Handling
- Create links with different protocols (http, https, file, data)
- Test relative vs absolute paths
- Include anchors and query parameters
- Try embedding JavaScript in link definitions

Test: Image References
- Test various image sources and formats
- Include local file references
- Try SVG images with embedded scripts
- Test base64 encoded image data

2. HTML Injection Assessment

Test: Basic HTML Elements
- Start with simple paragraph and formatting tags
- Progress to more complex elements
- Test how nested elements are processed
- Include comments and whitespace variations

Test: HTML Attributes
- Try different event handlers (onclick, onload, etc.)
- Include style attributes with JavaScript
- Test data-* attributes
- Use both single and double quotes

Test: Advanced HTML Features
- Include meta tags and base elements
- Try using template elements
- Test custom elements and attributes
- Include HTML5 specific features

3. Encoding and Character Sets

Test: Unicode Character Handling
- Mix different Unicode ranges
- Include right-to-left markers
- Test Unicode normalization
- Use lookalike characters

Test: URL Encoding Variations
- Try different encoding patterns
- Mix encoded and unencoded content
- Test double-encoding scenarios
- Include partially encoded sequences

Test: HTML Entity Usage
- Mix numeric and named entities
- Try invalid entity sequences
- Include nested entity encoding
- Test entity boundaries

4. CSRF Protection Analysis

Test: Token Handling
- Submit forms with:
  * Missing CSRF token
  * Expired token
  * Token from different session
  * Modified token value
  * Multiple tokens

Test: Request Processing
- Try different HTTP methods
- Test content-type variations
- Include custom headers
- Modify request origin

5. Boundary Testing

Test: Content Length
- Submit content at exact maximum length
- Try slightly over maximum length
- Test very large submissions
- Include multi-byte characters in length calculations

Test: Character Range Limits
- Mix ASCII and Unicode content
- Include null bytes and control characters
- Test newline variations (CR, LF, CRLF)
- Use maximum Unicode code points
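
For comparison when recording boundary results, here is a sketch of the canonicalize-then-validate order a submission check would be expected to follow. It is an added example, not YieldCat's code. MAX_LEN, measure() and check_submission() are hypothetical names, and the limit of 20 is an assumed value chosen so the sample inputs are short.

```python
import unicodedata

MAX_LEN = 20  # assumed demo limit; the platform's real limit is not stated on this page

# Bidirectional controls: LRM, RLM, ALM, embeddings/overrides, isolates
BIDI_CONTROLS = ({"\u200e", "\u200f", "\u061c"}
                 | {chr(c) for c in range(0x202A, 0x202F)}
                 | {chr(c) for c in range(0x2066, 0x206A)})

def measure(text):
    """Return the three lengths a validator might compare against its limit."""
    return {
        "code_points": len(text),
        "utf8_bytes": len(text.encode("utf-8")),
        "utf16_units": len(text.encode("utf-16-le")) // 2,
    }

def check_submission(text, max_len=MAX_LEN):
    """Canonicalize first, then validate. Returns (clean_text, findings)."""
    findings = []
    # Newline variations: fold CRLF and lone CR to LF before counting
    clean = text.replace("\r\n", "\n").replace("\r", "\n")
    # Unicode normalization: compose so 'e' + U+0301 counts the same as U+00E9
    clean = unicodedata.normalize("NFC", clean)
    for ch in clean:
        if ch in BIDI_CONTROLS:
            findings.append(f"bidi control U+{ord(ch):04X}")
        elif unicodedata.category(ch) == "Cc" and ch not in "\n\t":
            findings.append(f"control char U+{ord(ch):04X}")
    # A limit enforced in one unit can be passed or failed in another
    for unit, n in measure(clean).items():
        if n > max_len:
            findings.append(f"over limit in {unit}: {n} > {max_len}")
    return clean, findings

if __name__ == "__main__":
    # Constructed sample inputs, one per boundary case listed above
    samples = ["cafe\u0301", "a\r\nb\rc", "x\x00y", "abc\u202edef",
               "\U0001F600" * 6]
    for s in samples:
        clean, findings = check_submission(s)
        print(repr(s), measure(clean), findings or "ok")
```

The last sample is the useful one for the content length tests: six emoji are 6 code points, 12 UTF-16 units and 24 UTF-8 bytes, so whether it is "over maximum length" depends on which unit the platform counts.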

6. Dynamic Content Tests

Test: Template-Like Patterns
- Include content that looks like template syntax
- Try server-side include patterns
- Test expression-like content
- Include directive-like structures

Your solution should report which elements passed and which did not, at least from your perspective.
