Walkthrough: Tampering POST Data (Flash Arcade Games)

Tools Used:
Open the link to the game. Then while on that page, open chrome developer tools:



Navigate to the Network tab inside the chrome developer tools and CHECKMARK the box that says "Preserve Log".



Now swap back to the website and play the game, until you lose and it sends a high score.



If you look at the chrome developers tools, you'll see this new network request was made, submitting your high score.



Clicking on that network request, then clicking HEADERS and scrolling to the bottom shows you the parameters sent to the server. Observe in particular the "gscore" parameter, set to 500 - that's our score!



While still having that network request selected, click the PREVIEW tab, and you'll see a mini version of what rendered on the page. Once we edit the network request, we can use this preview tab to see the resulting HTML and the flag.



Now right click the network request, and select Copy -> Copy as Fetch:



Paste the string into the DevTools javascript console, find the score variable in the string and edit it - then execute it (by hitting enter).



You'll see a new entry popup in the Network tab, which is the request you just executed. Click it, then click the preview tab and retrieve the flag!