Recently, there were several CTF challenges that were quite good, such as SECCON and HITCON, but unfortunately, I was traveling abroad at that time and was too lazy to write complete writeups after returning. Originally, I was even too lazy to take notes, but once time passed, it became difficult to find related information, so I decided to write a brief summary.

In addition, I will also briefly mention several challenges that I think I should have taken notes on before, but for some reason, I did not.

Keywords:

1. Node.js prototype pollution gadget to RCE (Balsn CTF 2022 - 2linenodejs)
2. Obtaining the original value of a JS proxy (corCTF 2022 - sbxcalc)
3. Cache of browser back behavior (SECCON CTF 2022 - spanote)
4. Using SVG to create synchronous XSS (HITCON CTF 2022)
5. Reading data from shadow DOM (HITCON CTF 2022)

Read More

I was completely lost with the web problems and didn’t solve anything. The quality of the problems was good and I learned a lot of new things, so it’s worth recording.

Keywords:

1. Electron relaunch to RCE
2. Executing code using Python decorator
3. Preventing Apache from outputting content type header using special file names
4. GIF + JS polyglot
5. Bypassing SQLite’s illegal column names
6. JS comment <!--
7. superjson

Read More

I casually played SekaiCTF 2022 last weekend and I have to say that the visual style is pretty cool. You can tell that a lot of effort was put into it, and it feels like a game.

This time, I only played two web challenges. I got first blood on the safelist of xsleak, but I couldn’t solve the other one. It’s a bit of a shame (when justCatTheFish solved it, I was wondering who was so powerful, but after the competition, I found out that it was terjanq lol).

In this post, I will write about the solution for safelist and Obligatory Calc. If you want to see other web challenges, you can check out lebr0nli’s blog: SekaiCTF 2022 Writeups

Keywords:

1. xsleak
2. lazy loading image
3. 6 concurrent request limit
4. socket pool
5. null origin
6. null e.source

Read More

I got first blood for a challenge called “safelist” in SekaiCTF 2022, it’s a challenge about xsleaks and request timing in particular, here is my writeup.

Challenge description:

Safelist™ is a completely safe list site to hold all your important notes! I mean, look at all the security features we have, we must be safe!

Read More

In Part 1, we learned the basic principle of stealing data with CSS and successfully stole the CSRF token as a practical example using HackMD. This article will delve into some details of CSS injection and address the following issues:

1. Since HackMD can load new styles without refreshing the page, how can we steal the second character and beyond on other websites?
2. If we can only steal one character at a time, will it take a long time? Is this feasible in practice?
3. Is it possible to steal things other than attributes? For example, text content on a page or even JavaScript code?
4. What are the defense mechanisms against this attack?

Read More

When it comes to attacks on web front-ends, most people think of XSS. But what if you can’t execute JavaScript on the web page? Are there other attack methods? For example, what can you do if you can insert a style tag?

In 2018, I wrote an article about CSS keylogger: attack and defense after seeing related discussions on Hacker News. I spent some time researching it.

Now, four years later, I have re-examined this attack technique from a security perspective and plan to write one or two articles to explain CSS injection in detail.

This article covers:

1. What is CSS injection?
2. The principle of stealing data with CSS
3. How to steal data from hidden input
4. How to steal data from meta
5. Using HackMD as an example

Read More

When it comes to CSP bypass, a kind of technique using AngularJS is well-known. One of it’s variant requires another library called Prototype.js to make it works.

After understanding how it works, I began to wonder if there are other libraries on cdnjs that can do similar things, so I started researching.

This article will start with the CSP bypass of cdnjs, talk about why prototype.js is needed, and then mention how I found its replacement on cdnjs.

Read More

In Auguest, I and bruno made a XSS challenge on Intigriti. When we decided to make it, we hope it’s a difficult and fun challenge, and the players can also learn a lot from it.

Here is the writeup for this challenge.

Read More

At first, I had no intention of writing a post about this challenge because the author already had a greate one: corCTF 2022 Challenge Writeups. But, it’s my first time being the only solver for a challenge, it’s still worth writing one.

In this post, I will talk about how I tackled the challenge in the first place and how I solved it in the end.

Read More

I didn’t participate in this CTF, but I found two interesting problems related to content type and I want to write down the solutions.

Read More