I participated in both of these events to some extent, but I didn’t look at every challenge. This post is just a note to briefly record the solutions, without going into too much detail.

As usual, here are the keywords I noted:

  1. GraphQL batch query + alias
  2. Python os.path.join absolute path
  3. SVG XSS, foreignObject
  4. WebRTC CSP bypass
  5. Status code xsleak
  6. DNS rebinding
  7. nmap command injection
  8. Ruby Rack file upload temporary storage
  9. buildConstraintViolationWithTemplate EL injection
  10. Request smuggling
  11. document.baseURI
  12. 200/404 status code xsleak

Read More

A while ago, I was busy traveling and didn’t have much time for CTFs. Even if I did participate, I was too lazy to write a writeup, so my last writeup was back in March. I felt it was a shame to break the streak, so I quickly wrote another one to make up for it.

Regarding the three CTFs mentioned in the title, I only participated in GoogleCTF 2023. For the other two events, I only briefly looked at the challenges, so this post will only serve as a note on the challenges and their solutions.

Keyword list:

  1. Inconsistent order of POST data parsing between Flask and PHP
  2. iframe CSP blocking certain script loads
  3. CSRF bypass using HEAD method
  4. Accessing parent origin using location.ancestorOrigins
  5. Changing iframe location doesn’t affect the src
  6. Angular CSP bypass gadget in recaptcha URL
  7. Restoring input using document.execCommand('undo');
  8. X-HTTP-Method-Override
  9. Differences between HTML and XHTML parsers

Read More

Originally, I intended to write this article from a developer’s perspective. However, due to time constraints, I will first write a CTF-oriented article to record this issue. I will write from a developer’s perspective when I have more time.

In short, this article discusses the problems caused by using the following pattern:

const express = require('express')
const app = express()
const port = 3000

app.set('view engine', 'ejs')

app.get('/', (req, res) => {
  // The entire parsed query string is handed to the template engine as the
  // render options object, so the visitor controls not only the template data
  // but also any option EJS reads from that object.
  res.render('index', req.query)
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

Read More

It’s been a long time since I made any major changes to my blog structure. Hexo has already released v6, and v7 is currently in beta, but my blog is still on Hexo 3.

Recently, I had some free time and decided to update my blog, using ChatGPT as a helper along the way.

The changes I made this time are:

  1. Upgraded Hexo version
  2. Modified syntax highlighting
  3. Dark mode
  4. Automatic translation (highlight)

Read More

Regular expressions (hereinafter referred to as regexp) are mainly used for string matching. Once a pattern is written, it can be used to match text that meets the rules.

Whether it’s a phone number, email, or ID number, regexp can be used to perform basic format validation to ensure that the string format matches specific rules.

Although regexp is convenient, a poorly written pattern may allow some input validation to be bypassed, which turns into a security issue. Besides this, there is another kind of problem: ReDoS, short for Regular expression Denial-of-Service, a denial-of-service attack caused by regular expressions.

Read More

In the previous articles, we talked about static analysis, which means we didn’t actually run the app. Instead, we studied the logic of the app’s operation through decompiled code and modified the code before repackaging and executing it.

Dynamic analysis, on the other hand, means that we actually run the app and use various techniques to hook its methods, monitoring the input and output of specific methods and even tampering with them.

In this article, let’s learn how to use Frida for dynamic analysis.

Read More

I remember when I first started working with Android, it was easy to see which requests an app was sending. All I had to do was install Charles on my computer, set up the Wi-Fi on my phone to proxy to my computer, and then download the certificate provided by Charles by entering a specific URL. Once installed, I was good to go.

However, when I tried the same process recently, I could see some packets being sent, but the traffic coming out of the app was empty. I searched online for various solutions, but none of them worked.

Finally, I found out that Android changed its security settings above 6.0, and by default, it does not trust certificates installed by users, which is why it cannot intercept them. One solution is to install a local VPN, which will route all traffic through the proxy, but I found it a bit cumbersome after trying it out.

Among the many methods, the most useful one I tried was to unpack the apk, modify some settings, and then repack it. This article will document the process and experience.

Read More

In the first part, we learned the basics of using Apktool to decompile an APK, modify its resources, reassemble it, and install the aligned and signed APK on a device.

In this part, we will learn how to modify the code.

Our goal is to bypass the root detection check on a rooted device and make the app display that it is not rooted. If you are testing on a non-rooted device, you can do the opposite and modify the app to detect that you have root access.

Read More

Five years ago, I wrote an article titled [Android] Everyone Can Reverse Engineer APKs. At that time, I was an Android engineer who, due to work requirements, researched basic Android reverse engineering with my colleagues. Our goal was to achieve a fully automated process: upload an APK, automatically decompile it, insert some strange things, and then repackage it.

Now, due to work requirements, I have revisited and reinforced my knowledge of APK reverse engineering and modification, and have written this series of articles to share with you.

First of all, I want to emphasize that this series is only an “introduction.” Using various tools to decompile and rebuild APKs should be sufficient for apps that are not obfuscated. However, if the app has been obfuscated, deeper knowledge of binaries is required to unlock it, which is another world entirely.

In any case, this series is suitable for those who have not been exposed to Android app reverse engineering and want to try it out, as well as for Android engineers who want to decompile their own apps and see what they look like. I think it’s quite useful.

Read More