Last month’s (January 2024) Intigriti challenge was very interesting, made by @kevin_mizu. I have often seen him post client-side related challenges on Twitter before, and this time the quality of the challenge was as good as ever, worth documenting.

The challenge link is here, if you haven’t seen it yet, you can take a look: https://challenge-0124.intigriti.io/

Read More

Compared to last year and the year before, the difficulty of this year’s web challenges has significantly decreased, making them more approachable and beginner-friendly(It’s good to have both easy and difficult challenges). With the effort of my teammates, we managed to secure the first place, leaving only one web challenge unsolved.

This time, I only managed to solve the simple “funnylogin” and the challenging “safestlist” challenges. The rest were solved by my teammates. I also took a look at another challenge called “another-csp”. Therefore, this post will only cover the challenges I reviewed and the more difficult ones.

If you want to see other challenges, you can refer to other people’s writeups:

1. st98 - DiceCTF 2024 Quals writeup
2. 0xOne - 2024 Dice CTF Write up [Web]

All challenge source code provided by the organizers can be found at: https://github.com/dicegang/dicectf-quals-2024-challenges

Keyword list:

1. crash chromium
2. slower css style
3. xsleak
4. URL length limit
5. service worker
6. background fetch
7. connection pool + css injection
8. iframe width + css injection

Read More

This year’s 0CTF had a total of three web challenges, one of which was client-side. I only solved this particular challenge and managed to get the first blood. This post will briefly document my solution.

Keyword list:

1. CSS injection
2. CSS exfiltration

Read More

Due to being busy lately, I haven’t been participating in CTFs as much in the past two or three months. However, I still come across some interesting challenges on Twitter. Even though I don’t have time to solve them, I still take notes because if I don’t, I won’t be able to solve them later for sure.

This post mainly documents some web front-end related challenges. Since I might not have personally solved them, the content is based on references from others’ notes, with some personal insights added.

Keyword list:

1. copy paste XSS
2. connection pool
3. content type UTF16
4. multipart/mixed
5. Chrome DevTools Protocol
6. new headless mode default download
7. Scroll to Text Fragment (STTF)
8. webVTT cue xsleak
9. flask/werkzeug cookie parsing quirks

Read More

On November 9, 2023, Sentry published an article on their blog titled Next.js SDK Security Advisory - CVE-2023-46729. The article discusses the details of the CVE-2023-46729 vulnerability, including its cause, discovery time, and patching time.

Although the vulnerability was officially announced on 11/9, it was actually fixed in version 7.77.0 released on 10/31. Some time was given to developers to patch the vulnerability.

Now let’s briefly discuss the cause and attack method of this vulnerability.

Read More

Both of these competitions had many interesting but challenging problems. I really learned a lot.

Keyword list:

1. nim json, null byte
2. nim request smuggling
3. js-yaml
4. web worker
5. blob URL
6. meta redirect
7. file protocol & .localhost domain
8. sxg: Signed Exchanges
9. 431 CSP bypass
10. DOM clobbering document.body
11. ejs delimiter
12. Node.js + Deno prototype pollution gadget
13. XSleaks golang sort

Read More

I participated in both of these events to some extent, but I didn’t look at every challenge. This post is just a note to briefly record the solutions, without going into too much detail.

As usual, here are the keywords I noted:

1. GraphQL batch query + alias
2. Python os.path.join absolute path
3. Svg XSS, foreignObject
4. WebRTC CSP bypass
5. Status code xsleak
6. DNS rebinding
7. nmap command injection
8. Ruby rack file upload temporary storage
9. buildConstraintViolationWithTemplate EL injection
10. Request smuggling
11. document.baseURI
12. 200/404 status code xsleak

Read More

In the monthly challenges at Intigriti, I presented an XSS challenge that I named “Math Jail.” You can find the challenge at the following link: https://challenge-0823.intigriti.io/

Now that the challenge has concluded, I’d like to take this opportunity to discuss the thought process behind creating the challenge and share some of the solutions that were developed.

Read More

A while ago, I was busy traveling and didn’t have much time for CTFs. Even if I did participate, I was too lazy to write a writeup, so my last writeup was back in March. I felt it was a shame to break the streak, so I quickly wrote another one to make up for it.

Regarding the three CTFs mentioned in the title, I only participated in GoogleCTF 2023. For the other two events, I only briefly looked at the challenges, so this post will only serve as a note on the challenges and their solutions.

Keyword list:

1. Inconsistent order of POST data parsing between Flask and PHP
2. iframe CSP blocking certain script loads
3. CSRF bypass using HEAD method
4. Accessing parent origin using location.ancestorOrigins
5. Changing iframe location doesn’t affect the src
6. Angular CSP bypass gadget in recaptcha URL
7. Restoring input using document.execCommand('undo');
8. X-HTTP-Method-Override
9. Differences between HTML and XHTML parsers

Read More

Originally, I intended to write this article from a developer’s perspective. However, due to time constraints, I will first write a CTF-oriented article to record this issue. I will write from a developer’s perspective when I have more time.

In short, this article discusses the problems caused by using the following pattern:

const express = require('express')
const app = express()
const port = 3000

app.set('view engine', 'ejs');

app.get('/', (req,res) => {
    res.render('index', req.query);
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

Read More