tl;dr

• Bypass nginx’s DENY ALL using SCRIPT_NAME
• Calculate key_id uploading flag.txt.enc
• Leak the key and decrypt flag.txt.enc

tl;dr

• XSS using DOM Clobbering
• <a id="showInfos"></a><a id="SETTINGS" name=check data-timezone="aaa" data-location="eval(window.name)"><a id="SETTINGS" name="x">
• Bypass CSRF protection to execute XSS and read flag.

tl;dr

• Notepad 1 - Use Set-Cookie header to get XSS on the Admin
• Notepad 1.5 - CRLF on the name parameter of Golang’s Header().Set() method
• Notepad 2 - Xsleaks using Timing-Allow-Origin header

tl;dr

• Json_Interoperability - /verify_roles?role=supersuperuseruser\ud800","name":"admin
• Prototype_Pollution - {"constructor":{"prototype":{"test":"123"}}} in config-handler

tl;dr

• Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256('').
• Create an XSS payload to read /api/flag and send it to attacker server.

tl;dr

• Using Prototype pollution vulnerablity in fast-json-patch pollute value in outputFunctionName
• Get a shell as the flag can only be obtained using binary file

tl;dr

• Make a GET request to /gettoken%3fcreditcard=mmm&promocode=FREEWAF to get the token.
• Using the token make another request with {"name":"' union select flag, 1, 1, 1 from flag -- -", "name":"x"} to get the flag.

tl;dr

• Intended: Append ; secure; samesite=none to cookie. Now, <script src="https://jason.2021.chall.actf.co/flags?callback=load"></script> would retrieve the flag.
• Unintended: Append .actf.co as domain to cookie using CSRF -> Setup a xss payload in reaction.py challenge -> Log in to this using CSRF -> Payload in Reaction.py exfiltrates document.cookie

tl;dr

• Unintended Solution: Cookie Path Restriction bypass using pop-up windows + JS Sandbox Escape
• Intended Solution: Service Workers + JS Sandbox Escape

tl;dr

• Payload: {"widgetName":"constructor","widgetData":"{\"prototype\":{\"srcdoc\":\"<script src='/admin/debug/add_widget?panelid=star7rix&widgetname=test123&widgetdata=%27%29%2C%28%27star7rix%27%2C+%28select+flag+from+flag%29%2C+%27%7B%22type%22%3A%22test123%22%7D%27%29+--'></script>\"}}"}