"X-Mas Capture the Flag" challenge

AppSec Research creates a challenge to the public to find a web app vulnerability to uncover the hidden message. The vulnerable webpage is located here.

Update: Solution posted here. I will try out the steps during the Xmas long weekend.