A while ago, I was busy traveling and didn’t have much time for CTFs. Even if I did participate, I was too lazy to write a writeup, so my last writeup was back in March. I felt it was a shame to break the streak, so I quickly wrote another one to make up for it.
Regarding the three CTFs mentioned in the title, I only participated in GoogleCTF 2023. For the other two events, I only briefly looked at the challenges, so this post will only serve as a note on the challenges and their solutions.
Keyword list:
- Inconsistent order of POST data parsing between Flask and PHP
- iframe CSP blocking certain script loads
- CSRF bypass using HEAD method
- Accessing parent origin using `location.ancestorOrigins`
- Changing iframe location doesn’t affect the src
- Angular CSP bypass gadget in recaptcha URL
- Restoring input using `document.execCommand('undo');`
- X-HTTP-Method-Override
- Differences between HTML and XHTML parsers