todo Writeup

Solved by : thewhiteh4t

• when we input html into admin form input then the following flow is executed in back-end :

/admin -> set flag cookie -> visit site -> fill our input in /chal input -> screenshot after delay

• flow in /chal route :

CSP is set -> script.js is added to head tag -> our input is added

• flow in /script.js route :

if the flag cookie matches -> fake flag is replaced with actual flag -> response is sent

• so the actual flag is stored inside script.js
• CSP :

default-src 'none'; script-src 'self' 'unsafe-inline';

• cannot load js url like /script.js in src because connect-src is not present so default-src fallback is used which is none so request is blocked
• thanks to unsafe-inline we can execute js scripts
• after looking into default-src bypass I found the following on hacktricks :

• Hacktricks CSP Bypass
• so I tried to load /script.js in form action like this :

<form action="/script.js" id="plz">
    <button type="submit"></button>
</form>
<script>document.getElementById("plz").submit();</script>