When it comes to attacks on web front-ends, most people think of XSS. But what if you can’t execute JavaScript on the web page? Are there other attack methods? For example, what can you do if you can insert a style tag?

In 2018, I wrote an article about CSS keylogger: attack and defense after seeing related discussions on Hacker News. I spent some time researching it.

Now, four years later, I have re-examined this attack technique from a security perspective and plan to write one or two articles to explain CSS injection in detail.

This article covers:

  1. What is CSS injection?
  2. The principle of stealing data with CSS
  3. How to steal data from hidden input
  4. How to steal data from meta
  5. Using HackMD as an example

Read More

When it comes to CSP bypass, a kind of technique using AngularJS is well-known. One of it’s variant requires another library called Prototype.js to make it works.

After understanding how it works, I began to wonder if there are other libraries on cdnjs that can do similar things, so I started researching.

This article will start with the CSP bypass of cdnjs, talk about why prototype.js is needed, and then mention how I found its replacement on cdnjs.

Read More

At first, I had no intention of writing a post about this challenge because the author already had a greate one: corCTF 2022 Challenge Writeups. But, it’s my first time being the only solver for a challenge, it’s still worth writing one.

In this post, I will talk about how I tackled the challenge in the first place and how I solved it in the end.

Read More

I didn’t participate in this CTF, but I found two interesting problems related to content type and I want to write down the solutions.

Read More

We all heard about insecure deserialization vulnerability and saw many real-world cases in Java, PHP, and other languages.

But, we rarely hear about this vulnerability in JavaScript. I think it’s because the built-in serialization/deserialization function JSON.parse and JSON.stringify are only for basic data structures like string, number, array and object.

Class and function are not supported, so there is no way to run malicious code during deserialization.

What if we implement our deserialization logic and support class and function? What could possibly go wrong?

GoogleCTF 2022 has a web challenge called “HORKOS,” which shows us the way.

Read More

This is my first time participating in GoogleCTF. I solved a web problem (HORKOS) and almost solved another one (POSTVIEWER). Here are the solutions for each web problem, sorted by the number of solves.

The keywords are as follows:

  1. log4j
  2. ReDoS
  3. hop by hop
  4. JavaScript magic function(?)
  5. async/await and Promise
  6. race condition

Read More

This holiday, there was justCTF and WeCTF, which was all web. I originally wanted to participate in both, so if I got stuck on one, I could switch to the other. However, I got stuck on both XD

This time, justCTF had many good web challenges. As usual, I will write some notes and record some keywords:

  1. zip/tar symlink
  2. Velocity SSTI
  3. Golang path
  4. git principle
  5. scp principle
  6. xsleak, STTF + :target selector

The order below is sorted by the number of solves, with more solves at the top.

Read More

This year’s DEF CON CTF qualifier is similar to last year’s, with mostly binary-related problems, and this year requires a lot of reverse knowledge. As someone who basically doesn’t know how to reverse, I can only sit on the sidelines and cheer on my teammates.

However, the only web problem this year (called Discoteq) was quite interesting. The difficulty was not high, but it tested debugging skills, observation skills, and the ability to quickly learn something new. I think it tested basic skills rather than knowledge of a particular language or framework, which was great.

Since this was the only problem that was easy to solve this year, I decided to write about it in a different way. I will write about my thought process for solving the problem based on the timeline. The time stamp indicates how long it took from the release of the problem.

Read More