There was a simple unintentional solution So we could solve this challenge with time based regex injection
The challenge page includes the note create and delete function and ...
- with
location.hash, we can set src attribute of img tag - with
location.search, we can construct regex for filtering notes by their content. (See Below)
try {
const re = new RegExp(this.search);
this.visibleNotes = this.allNotes.filter(({content}) => content.match(re));
} catch {
// pass
}String.prototype.match takes regex injection as first argument
and checkes if the string matches regex
But if we include some regex in here, it occurs DOS when regex matches.
then, only time that the substring matches with the regex, event loop of javascript will be blocked.
Blocked event loop (DOS) also make the many things of browser's action.
And redirection is also one of them (different behavior from chrome)
So, We can exfil content of note by add delayed redirection resource at tag and check response time.
FLAG: TSGCTF{5H4LL_W3_ENCRYP7}