Created
August 30, 2012 13:06
-
-
Save bubba-h57/3528134 to your computer and use it in GitHub Desktop.
Stripe CTF Level 5 - Solution Insecure Communication
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| So, this problem is just... insecure communication in general. There are a couple of issues here. | |
| This code block checks to see if it was a POST but doesn't check if parameters supplied were on the GET or POST lines: | |
| post '/*' do | |
| pingback = params[:pingback] | |
| username = params[:username] | |
| password = params[:password] | |
| This is an insecure way of checking if we're Authenticated... | |
| def authenticated?(body) | |
| body =~ /[^\w]AUTHENTICATED[^\w]*$/ | |
| There are multiple ways of clearing this level...but Ryan O'Horo showed me his route, which was the cleanest one out of the four we tried. The whole idea is to get it to match the Authenticated regex, but on a host of level5-*.stripe-ctf.com | |
| So...the easiest route.... | |
| POST /user-smrqjnvcis/?username=root&pingback=https://level05-1.stripe-ctf.com/user-smrqjnvcis/%3fpingback=http://level05-2.stripe-ctf.com/AUTHENTICATED%250A HTTP/1.1 | |
| The pingback URL contains a newline (%0A) so that the regular expression's end-of-line marker matches after the word "AUTHENTICATED", and it must be double-encoded as it's nested in the original pingback parameter | |
| This will make the application do a pingback on level05 host, but since we included http:// instead of https:// it gave a 302 redirect with the URL https://level05-2.stripe-ctf.com/AUTHENTICATED%250A . Which the application matched to the response containing the regex and authenticated the user. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment