Enjoying HackerOne’s CTF?

To make sure you don't inadvertently miss a flag while skimming through web pages, you can have ZAP catch them for you with this regex: ^\^FLAG\^[\w\d]{64}\$FLAG\$$

ZAP settings to capture Hacker101 flags automatically

A “Flag” tag will appear next to the requests containing a flag in their response:

HTTP request captured with ZAP containing a Hacker101 flag

This technique is particularly useful when a flag appears in a non-obvious location such as an HTML comment.
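
To check the pattern offline before relying on it, here is an added example (not part of the original post) that runs it in Python against constructed response bodies. The page does not show how ZAP applies the ^ and $ anchors, so the post's pattern is compared with an unanchored variant, which is an assumption made here; the sample flag and bodies are made up.

```python
import re

# Pattern exactly as given in the post (anchored at both ends).
POST_PATTERN = r"^\^FLAG\^[\w\d]{64}\$FLAG\$$"
# Assumption: the same pattern with the anchors dropped, to search inside a body.
UNANCHORED = r"\^FLAG\^[\w\d]{64}\$FLAG\$"

# Constructed sample flag (64 hex characters), not a real one.
SAMPLE_FLAG = "^FLAG^" + "0123456789abcdef" * 4 + "$FLAG$"

# Constructed response bodies covering the placements worth testing.
BODIES = {
    "flag_only": SAMPLE_FLAG,
    "own_line": "<html>\n" + SAMPLE_FLAG + "\n</html>",
    "html_comment": "<html><!-- " + SAMPLE_FLAG + " --><body>hi</body></html>",
    "no_flag": "<html><body>^FLAG^tooshort$FLAG$</body></html>",
}


def find_flags(body, pattern, flags=0):
    """Return every substring of body that matches pattern."""
    return re.findall(pattern, body, flags)


def compare(body):
    """Count matches for the post's pattern (with and without MULTILINE)
    and for the unanchored variant."""
    return {
        "anchored": len(find_flags(body, POST_PATTERN)),
        "anchored_multiline": len(find_flags(body, POST_PATTERN, re.MULTILINE)),
        "unanchored": len(find_flags(body, UNANCHORED)),
    }


if __name__ == "__main__":
    for name, body in BODIES.items():
        print(f"{name:13} {compare(body)}")
```

If the tag does not fire in ZAP for a flag you can see in a response, the anchors are the first thing to test.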