Although it’s been almost two months, I’m still going to take some notes. Last year, I was electrocuted badly. I thought it would be better this year since it’s been a year, but I still got electrocuted.

Keywords:

  1. SSRF mongoDB via telnet protocol
  2. jetty cookie parser
  3. ASI (Automatic Semicolon Insertion)
  4. VM sandbox escape via Proxy
  5. process.binding
  6. Browser’s XSLT + XXE

First, let me post the official repo, which contains the code and answers: https://github.com/dicegang/dicectf-2023-challenges

Read More

Recently, someone posted a post in the Facebook frontend exchange community, which he saw a problem: Is there a problem with passing account and password json plaintext when logging in to the API?, and wanted to know everyone’s opinion on this issue.

Most of the answers below think that “using HTTPS is enough, there is no need to implement an additional layer of encryption, and there is not much meaning.”

To be honest, I used to think so too, and there have been similar discussions in the community in the past. At that time, I thought that since HTTPS already exists, and the purpose of HTTPS itself is to ensure the security of transmission, why do we need to do encryption ourselves?

But after being exposed to information security for the past year or two, my thinking has changed. I think it is meaningful for the frontend to encrypt passwords before transmission, and I will explain my reasons in detail below.

Read More

This year, I seriously followed Water Paddler to play CTF for a whole year. I saw someone wrote a CTF: Best Web Challenges 2022 and found that I had played most of the challenges inside. So I thought it would be better for me to write a summary, documenting the challenges that I personally felt I had learned something new from.

Because of my personal interest, the challenges that I played were related to frontend and JS. Challenges related to backend (PHP, Java, etc.) are not included.

Also, the techniques or solutions recorded in this article do not represent the first appearance in CTF. They are just the first time I saw them or thought they were worth recording, so I wrote them down.

I divided the challenges into several categories:

  1. JS-related knowledge
  2. Node.js related
  3. XSLeaks
  4. Frontend DOM/BOM related knowledge
  5. Browser internal operation related

Read More

Here are some notes on the challenges I solved during RCTF 2022. I won’t be including those I didn’t attempt.

As usual, here are the keywords:

  1. Exploiting Python’s os.path.join
  2. YAML & JS polyglot
  3. strace & LD_PRELOAD

Read More

Recently, there were several CTF challenges that were quite good, such as SECCON and HITCON, but unfortunately, I was traveling abroad at that time and was too lazy to write complete writeups after returning. Originally, I was even too lazy to take notes, but once time passed, it became difficult to find related information, so I decided to write a brief summary.

In addition, I will also briefly mention several challenges that I think I should have taken notes on before, but for some reason, I did not.

Keywords:

  1. Node.js prototype pollution gadget to RCE (Balsn CTF 2022 - 2linenodejs)
  2. Obtaining the original value of a JS proxy (corCTF 2022 - sbxcalc)
  3. Cache of browser back behavior (SECCON CTF 2022 - spanote)
  4. Using SVG to create synchronous XSS (HITCON CTF 2022)
  5. Reading data from shadow DOM (HITCON CTF 2022)

Read More

I was completely lost with the web problems and didn’t solve anything. The quality of the problems was good and I learned a lot of new things, so it’s worth recording.

Keywords:

  1. Electron relaunch to RCE
  2. Executing code using Python decorator
  3. Preventing Apache from outputting content type header using special file names
  4. GIF + JS polyglot
  5. Bypassing SQLite’s illegal column names
  6. JS comment <!--
  7. superjson

Read More

I casually played SekaiCTF 2022 last weekend and I have to say that the visual style is pretty cool. You can tell that a lot of effort was put into it, and it feels like a game.

This time, I only played two web challenges. I got first blood on the safelist of xsleak, but I couldn’t solve the other one. It’s a bit of a shame (when justCatTheFish solved it, I was wondering who was so powerful, but after the competition, I found out that it was terjanq lol).

In this post, I will write about the solution for safelist and Obligatory Calc. If you want to see other web challenges, you can check out lebr0nli’s blog: SekaiCTF 2022 Writeups

Keywords:

  1. xsleak
  2. lazy loading image
  3. 6 concurrent request limit
  4. socket pool
  5. null origin
  6. null e.source

Read More

I got first blood for a challenge called “safelist” in SekaiCTF 2022, it’s a challenge about xsleaks and request timing in particular, here is my writeup.

Challenge description:

Safelist™ is a completely safe list site to hold all your important notes! I mean, look at all the security features we have, we must be safe!

Read More

In Part 1, we learned the basic principle of stealing data with CSS and successfully stole the CSRF token as a practical example using HackMD. This article will delve into some details of CSS injection and address the following issues:

  1. Since HackMD can load new styles without refreshing the page, how can we steal the second character and beyond on other websites?
  2. If we can only steal one character at a time, will it take a long time? Is this feasible in practice?
  3. Is it possible to steal things other than attributes? For example, text content on a page or even JavaScript code?
  4. What are the defense mechanisms against this attack?

Read More