I am doing a CTF-style assignment and I am confronted with a web site created in Flask. This web site appears fairly unremarkable - it has 4 pages and no log-in/authentication functionality, nor does it have any input elements on any page. However, the one suspicious thing, which is also pointed at in the assignment's hints, is the URL. One can visit the website by going to http://URL:port, but then for some reason a parameter is always appended even though nothing suggests that a parameter should be added, i.e. when I type in http://URL:port, I am taken to the site, but the URL is changed to http://URL:port/?p=index.html. This same format is used for all the other pages, e.g. http://URL:port/?=example.html.
I have tried doing a variety of simple things like a basic XSS attack, but to no avail. I have no idea what the significance of changing the URL is, though. Why is such a thing inherently insecure? Thanks.
I will also add that this is described as a 'web/linux' challenge, and the task involves getting into the server and obtaining a flag. No source code is provided whatsoever, and inspection of the HTML elements yields nothing suspicious.
?=/etc/passwd and see what happens
/proc/
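An added example, not part of the original post and not the challenge's code (no source is provided for it): assuming the server opens whatever file `p` names, the sketch below shows why an unchecked join is unsafe and what a containment check looks like. The function names and the temporary directory layout are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

def naive_resolve(web_root, p):
    # The risky pattern behind a ?p=<file> parameter: the value is joined to
    # the web root unchecked. os.path.join drops web_root entirely when p is
    # absolute, and "../" segments climb out of it.
    return os.path.join(web_root, p)

def safe_resolve(web_root, p):
    # Resolve ".." and symlinks first, then require the result to stay inside
    # the web root. Returns None for anything that escapes or does not exist.
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, p))
    if os.path.commonpath([root, target]) != root:
        return None
    return target if os.path.isfile(target) else None

def demo():
    # Constructed layout: pages/ is the web root, secret.txt sits beside it.
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "pages")
    os.mkdir(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as f:
        f.write("<h1>home</h1>")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("not for visitors")

    root_prefix = os.path.realpath(web_root) + os.sep
    results = {}
    for p in ["index.html", "../secret.txt", secret]:
        naive = os.path.realpath(naive_resolve(web_root, p))
        results[p] = {
            "naive_escapes_root": not naive.startswith(root_prefix),
            "safe_allows": safe_resolve(web_root, p) is not None,
        }
    return results, secret

if __name__ == "__main__":
    for p, r in demo()[0].items():
        print(p, r)
```

In a Flask application the same containment is what `flask.send_from_directory` provides, or the parameter can be mapped through a fixed allow-list of page names instead of being treated as a path.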