todo Writeup
GPN CTF 2024
Solved by: thewhiteh4t
- When we submit HTML through the admin form input, the back-end runs the following flow:
/admin -> set flag cookie -> visit site -> fill our input into the /chal input -> screenshot after a delay
- Flow in the /chal route: CSP is set -> script.js is added to the head tag -> our input is added
- Flow in the /script.js route: if the flag cookie matches -> the fake flag is replaced with the actual flag -> response is sent
- So the actual flag is stored inside script.js.
- CSP:
default-src 'none'; script-src 'self' 'unsafe-inline';
- We cannot read /script.js with fetch() or XHR: connect-src is not set, so the browser falls back to default-src, which is 'none', and the request is blocked. Loading it with <script src="/script.js"> would pass script-src 'self', but that only executes the file instead of showing its source. Thanks to 'unsafe-inline' we can still run inline JavaScript.
- After looking into default-src bypasses I found the following on HackTricks: HackTricks CSP Bypass. The relevant point is that form-action is a navigation directive, not a fetch directive, so it does not fall back to default-src: with no explicit form-action, the policy places no restriction on where a form may be submitted.
- So I tried to load /script.js via a form action like this (submitting the form navigates the page to /script.js, which form-action does not block):

```html
<form action="/script.js" id="plz">
  <button type="submit"></button>
</form>
<!-- inline script is allowed by 'unsafe-inline'; auto-submit so no click is needed -->
<script>document.getElementById("plz").submit();</script>
```
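As an added example (mine, not part of the writeup or of the challenge code), here is a small JavaScript model of how a browser resolves CSP directives; it makes the reasoning above concrete: connect-src and script-src are fetch directives and inherit default-src 'none', while form-action has no fallback, so this policy does not restrict where a form may be submitted. The hardened policy with form-action 'none' is my addition to show the fix. The model deliberately skips nonces, hashes, 'strict-dynamic', host-source matching and the script-src-elem/worker-src fallback chains.

```javascript
// Added example, not code from the writeup or the challenge: a minimal model of
// how a browser resolves CSP directives, showing why the todo policy blocks a
// fetch('/script.js') but not a <form action="/script.js"> navigation.
// Simplified on purpose: no nonces, hashes, 'strict-dynamic', host-source
// matching or the script-src-elem / worker-src fallback chains.

// Fetch directives fall back to default-src when they are not set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "script-src", "style-src",
  "worker-src",
]);

// Parse a Content-Security-Policy header into { directive: [sources] }.
// Per spec, a repeated directive is ignored; the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Source list that governs `directive`, or null when the policy does not
// restrict it at all. form-action, base-uri, frame-ancestors etc. are not
// fetch directives, so a missing form-action means "anything goes".
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (FALLS_BACK_TO_DEFAULT.has(directive) && "default-src" in policy) {
    return policy["default-src"];
  }
  return null;
}

// request: { sameOrigin?: boolean, inline?: boolean }
function isAllowed(policy, directive, request) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  // An empty list, or a list that is exactly 'none', matches nothing.
  if (sources.length === 0 ||
      (sources.length === 1 && sources[0].toLowerCase() === "'none'")) {
    return false;
  }
  if (request.inline) return sources.includes("'unsafe-inline'");
  if (request.sameOrigin) return sources.includes("'self'");
  return false;
}

// The challenge policy as quoted in the writeup, and a hardened variant
// (my addition) that closes the form-action hole.
const CHAL_CSP = "default-src 'none'; script-src 'self' 'unsafe-inline';";
const HARDENED_CSP = CHAL_CSP + " form-action 'none';";

function analyzePolicy(header) {
  const policy = parseCsp(header);
  return {
    // fetch('/script.js') -> connect-src -> falls back to default-src 'none'
    fetchScript: isAllowed(policy, "connect-src", { sameOrigin: true }),
    // <script src="/script.js"> -> script-src 'self' (executes, does not show source)
    scriptSrcSelf: isAllowed(policy, "script-src", { sameOrigin: true }),
    // <script>...</script> -> script-src 'unsafe-inline'
    inlineScript: isAllowed(policy, "script-src", { inline: true }),
    // <form action="/script.js"> -> form-action, no fallback to default-src
    formAction: isAllowed(policy, "form-action", { sameOrigin: true }),
  };
}

console.log("challenge policy:", analyzePolicy(CHAL_CSP));
console.log("hardened policy: ", analyzePolicy(HARDENED_CSP));
```

Run it with `node` to see both results side by side: under the challenge policy only fetchScript is false, under the hardened policy formAction is false as well while inline scripts stay allowed.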