404 page XS-Leak challenge, but the session cookie's SameSite attribute is Lax.
We have HTML injection in one of the pages, but there is a CSP:
Content-Security-Policy "script-src 'none'; object-src 'none'; frame-ancestors 'none';";
It would be easy if we could use object elements, since they render HTML (their fallback content) when they receive a 404 response.
- You can provide multiple sources for a font; Chrome tries to load them in order and stops at the first one that imports as a valid font.
- If you provide two identical sources, Chrome only sends one network request and hands the same response to both url()s.
@font-face {
    font-family: a;
    src: url(/font), url(/font);
}
/* Only one request to /font will be issued and both url()s will receive a copy of the response */
- Chrome cares about the status code of the responses (but not about the MIME type).
  200 status code => try to detect the font format and fail if it isn't a valid font.
  404 status code => fail instantly.
- Detecting the format of the font costs far more processing power, so it lets us distinguish 404 and 200 responses.
- Leak "how long it takes to detect the font":
@font-face {
    font-family: a;
    /* /time-before and /time-after bracket the probe; the same search URL is listed
       10000 times so the 200-vs-404 processing difference becomes measurable */
    src: url(/time-before), url(/search.php?query=corctf{a), url(/search.php?query=corctf{a), ... /* 10000 times */, url(/time-after);
}
- Bypass the nginx IP whitelist with tabs: POST /generate\tHTTP/1.1/%2e%2e/%2e%2e/FF HTTP/1.1
- Use DNS rebinding to have the PDF-creation API fetch file:///flag.txt, then grab the output file directly from the server, since it's also serving the output folder.
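Both techniques above leave a recognisable shape in the web server's access log: the font oracle shows up as a burst of requests to the search endpoint whose query values share a long common prefix and differ only in the trailing character, and the whitelist bypass shows up as a request target containing a tab (nginx writes it as \x09 with its default log escaping) or encoded dot-dot segments. The detector below is an added example, not part of these notes or of the challenge code. It assumes the nginx "combined" log format with default escaping; the log lines, IP addresses, parameter name `query` and thresholds are constructed for illustration.

```python
"""Flag XS-Leak oracle probing and request-line smuggling in nginx access logs.
Added example with constructed log lines; not part of the original notes."""
import re
from collections import defaultdict
from datetime import datetime
from os.path import commonprefix
from urllib.parse import parse_qs, urlsplit

# nginx "combined" log format, the default access_log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Things that never belong in a request target. nginx's default log escaping
# rewrites control characters as \xHH, so raw, escaped and percent-encoded tabs
# are all matched (assumption: escape=default is in effect).
TAB_RE = re.compile(r"\t|\\x09|%09", re.IGNORECASE)
DOTDOT_RE = re.compile(r"%2e%2e|%2e\.|\.%2e|\.\./", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    # A well-formed request line is exactly "METHOD target HTTP/x.y".
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["malformed_request_line"] = len(parts) != 3
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def request_line_findings(rec):
    """Per-line checks for the tab / dot-dot whitelist-bypass pattern."""
    findings = []
    if rec["malformed_request_line"]:
        findings.append("request line does not have exactly three tokens")
    if TAB_RE.search(rec["target"]):
        findings.append("tab character in request target")
    if DOTDOT_RE.search(rec["target"]):
        findings.append("encoded or literal dot-dot segment in request target")
    return findings


def oracle_probe_findings(records, param="query", min_probes=8, min_prefix=4, window_s=60):
    """Flag (ip, path) pairs that send many requests whose `param` values share a long
    common prefix inside a short window: the shape of a character-by-character oracle.
    Thresholds are assumptions to tune per site."""
    groups = defaultdict(list)
    for r in records:
        u = urlsplit(r["target"])
        vals = parse_qs(u.query).get(param)
        if vals:
            groups[(r["ip"], u.path)].append((r["time"], vals[0]))
    findings = []
    for (ip, path), items in groups.items():
        items.sort()
        values = sorted({v for _, v in items})  # distinct probe values only
        if len(values) < min_probes:
            continue
        prefix = commonprefix(values)
        span = (items[-1][0] - items[0][0]).total_seconds()
        if len(prefix) >= min_prefix and span <= window_s:
            findings.append({"ip": ip, "path": path, "probes": len(values),
                             "prefix": prefix, "span_s": span})
    return findings


def analyse(lines):
    """Run both detectors over raw log lines; returns the findings of each."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    per_line = []
    for r in records:
        f = request_line_findings(r)
        if f:
            per_line.append((r["ip"], r["target"], f))
    return {"request_line": per_line, "oracle": oracle_probe_findings(records)}


def _mk(ip, sec, request, status, referer="-", ua="Mozilla/5.0"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [10/Aug/2022:12:00:{sec:02d} +0000] "{request}" {status} 0 "{referer}" "{ua}"'


# Constructed sample log: benign browsing, one smuggled request line (as nginx would
# log the tab), and an 11-probe oracle run against /search.php sharing the prefix "corctf{".
SAMPLE_LOG = [
    _mk("198.51.100.9", 0, "GET / HTTP/1.1", 200),
    _mk("198.51.100.9", 2, "GET /search.php?query=hello HTTP/1.1", 200),
    _mk("198.51.100.9", 9, "GET /search.php?query=world HTTP/1.1", 404),
    _mk("203.0.113.7", 5, "POST /generate\\x09HTTP/1.1/%2e%2e/%2e%2e/FF HTTP/1.1", 403),
] + [
    _mk("203.0.113.7", 10 + i, f"GET /search.php?query=corctf%7B{c} HTTP/1.1", 200 if c == "k" else 404)
    for i, c in enumerate("abcdefghijk")
]

if __name__ == "__main__":
    for key, items in analyse(SAMPLE_LOG).items():
        print(key, items)
```

Note that the oracle detector keys on distinct query values, so the 10000 duplicated url()s from the CSS (which Chrome collapses into a single request anyway) do not inflate the count; what it measures is the number of different candidate characters tried against one prefix by one client.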