Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Forcing Quirks Mode with PHP Warnings + CSS Exfiltration without Network Requests - 1729

Takeshi Kaneko, posted 5 months ago
  • This is a Cross-Site Leaks (XS-Leaks) CTF challenge with a couple of nifty tricks. The user creates a page containing an HTML injection point, and an admin bot (driven by a tool like Selenium) then visits it. The goal is to leak the session cookie, which follows a known token format, so it can be recovered piece by piece. The application is a PHP server sitting behind Caddy.
  • The limitations are also interesting. The HTML injection content is limited to 1024 characters. The allowed characters are 0x20-0x7E plus newlines, but several things are blocked, such as asterisks, backslashes and a few keywords. A CSP blocks loading external scripts, inline JavaScript and outbound web requests.
  • Browsers have a quirks mode that, among other things, relaxes stylesheet MIME checks: in quirks mode a same-origin resource referenced as a stylesheet is applied as CSS even if it is served with the wrong Content-Type, whereas in standards mode it is rejected. This challenge page begins with <!DOCTYPE html>, so it renders in standards mode. Can it be forced into quirks mode?
  • Yes, if something can be emitted before the document's own output. In PHP, several conditions trigger warnings that are printed before the script's output. Earlier research used the same effect to drop CSP headers (once output has started, header() can no longer set them). Here, sending a very large number of request variables (more than a thousand, above PHP's max_input_vars limit) produces a warning that lands before the <!DOCTYPE html>. Because the parser now sees non-whitespace text before the doctype, the page is put into quirks mode. Neat!
  • So we have an HTML injection, but the CSP leaves no practical way to exfiltrate data over the network, which leaves CSS-based exfiltration. This is why forcing quirks mode is so helpful: a same-origin page that is not served as text/css can now be loaded as a stylesheet. With a simple payload, it's possible to change the color of the page.
  • Because of the character limits, we need a way to load a larger stylesheet. Luckily, the PHP 404 page reflects the requested URL, so a request like /not-found.txt?{}body{background:limegreen} turns the 404 page into a usable stylesheet: the text preceding the injected {} ends up as the (invalid) selector of an empty rule, which the CSS parser discards, while the rules after it are parsed normally.
  • Finally, the CSS selectors use input:valid (which matches only when the input's value satisfies its validation constraints, such as a pattern attribute) to decide whether content is rendered, based on the input from the previous step. Why does this matter? Frame counting! The attacker's page can read the number of frames in the victim window cross-origin, so by making the frame count depend on whether the guess was right, each guess becomes a yes/no answer without any network request.
  • Overall, a pretty neat set of tricks! CTF challenges are sometimes cutting-edge and niche; this is a perfect example of that.
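The three building blocks of the chain above, as an added example that is not code from Kaneko's writeup or from the challenge: the HTML parser rule that makes text before the doctype force quirks mode, a query string that trips PHP's max_input_vars warning, a minimal CSS rule splitter showing why the reflected 404 page works as a stylesheet, and the prefix-by-prefix search that turns a yes/no signal into the token. The frame-count oracle is abstracted as a callback so the whole thing runs under Node; the PHP warning text, the 404 page body, the secret and the alphabet are all constructed approximations.

```javascript
// Added example, not code from the writeup or the challenge. Everything runs
// under Node with no browser; all page contents and the secret are constructed.

// --- 1. Why text before <!DOCTYPE html> forces quirks mode -----------------
// The HTML parser starts in the "initial" insertion mode: whitespace and
// comments are skipped, a DOCTYPE token is examined, and ANY other token (such
// as an echoed PHP warning) switches the document to quirks mode. Simplified
// from the spec: only "<!DOCTYPE html>" without identifiers counts as
// standards mode here; legacy doctypes are not modelled.
function compatModeFor(html) {
  let i = 0;
  while (i < html.length) {
    if (' \t\n\r\f'.includes(html[i])) { i++; continue; }
    if (html.startsWith('<!--', i)) {            // comments are ignored here
      const end = html.indexOf('-->', i + 4);
      if (end === -1) return 'BackCompat';        // comment swallows the rest
      i = end + 3;
      continue;
    }
    break;
  }
  return /^<!doctype\s+html\s*>/i.test(html.slice(i)) ? 'CSS1Compat' : 'BackCompat';
}

// Query string with one more variable than PHP's default max_input_vars (1000).
// PHP reports this with a warning during request startup, i.e. before the
// script has printed anything (display_errors must be on for it to show).
function quirksTriggerQuery(limit = 1000) {
  const params = [];
  for (let n = 0; n <= limit; n++) params.push('v' + n + '=1');
  return params.join('&');
}

// --- 2. Why "/not-found.txt?{}body{background:limegreen}" is a stylesheet ---
// A CSS parser splits the top level into (prelude, block) pairs. The HTML in
// front of the injected "{}" becomes the prelude of an empty rule; it is not a
// valid selector, so that rule is dropped, and the rule after it parses
// normally. Minimal splitter: strings, escapes and at-rules are ignored.
function splitCssRules(css) {
  const rules = [];
  let depth = 0, prelude = '', block = '';
  for (const ch of css) {
    if (ch === '{') {
      if (++depth === 1) continue;                // opens a top-level block
    } else if (ch === '}' && depth > 0) {
      if (--depth === 0) {                        // closes it: emit the rule
        rules.push({ prelude: prelude.trim(), block: block.trim() });
        prelude = ''; block = '';
        continue;
      }
    }
    if (depth === 0) prelude += ch; else block += ch;
  }
  return rules;                                   // trailing text without a block is dropped
}

// Rough stand-in for "would the browser accept this prelude as a selector":
// rejects characters that cannot occur in a selector outside quotes ('<', '/',
// '!', ...). Not the real selector grammar, just enough for the demo.
function usableRules(css) {
  const selectorish = /^[A-Za-z0-9_\s.#:\[\]="'*~+>,()|^$-]+$/;
  return splitCssRules(css).filter(r => r.block && selectorish.test(r.prelude));
}

function declarations(block) {
  const out = {};
  for (const decl of block.split(';')) {
    const i = decl.indexOf(':');
    if (i === -1) continue;
    const name = decl.slice(0, i).trim(), value = decl.slice(i + 1).trim();
    if (name && value) out[name] = value;
  }
  return out;
}

// --- 3. Turning a yes/no signal into the token -----------------------------
// In the writeup the signal is the victim window's frame count, readable
// cross-origin by the attacker's page and made dependent on the :valid-gated
// guess by the injected CSS. The oracle is passed in so the search runs
// offline; a real one would load the probe page and read the frame count.
function leakSecret(oracle, alphabet, length) {
  let known = '';
  for (let pos = 0; pos < length; pos++) {
    const hit = [...alphabet].find(c => oracle(known + c));
    if (hit === undefined) throw new Error('no candidate matched at position ' + pos);
    known += hit;
  }
  return known;
}

// Constructed inputs (approximations of the real PHP output and 404 page).
const PHP_WARNING = '<br />\n<b>Warning</b>:  Input variables exceeded 1000. ' +
  'To increase the limit change max_input_vars in php.ini. in <b>Unknown</b> on line <b>0</b><br />\n';
const CHALLENGE_PAGE = '<!DOCTYPE html>\n<html><head><meta charset="utf-8"></head><body><p>hi</p></body></html>';
const INJECTED_PATH = '/not-found.txt?{}body{background:limegreen}';
const NOT_FOUND_PAGE = '<!doctype html><html><head><title>404 Not Found</title><style>body{color:#333}</style>' +
  '</head><body><h1>Not Found</h1><p>The requested resource <code class="url">' + INJECTED_PATH +
  '</code> was not found on this server.</p></body></html>';
const SECRET = 'c4f3', ALPHABET = '0123456789abcdef';   // constructed token and its known format

const DEMO = {
  cleanPage: compatModeFor(CHALLENGE_PAGE),                   // 'CSS1Compat'
  withWarning: compatModeFor(PHP_WARNING + CHALLENGE_PAGE),   // 'BackCompat'
  css: usableRules(NOT_FOUND_PAGE),                           // [{prelude:'body', block:'background:limegreen'}]
  recovered: leakSecret(p => SECRET.startsWith(p), ALPHABET, SECRET.length), // 'c4f3'
};
```

The search issues at most alphabet-size queries per character; in the real attack each query is one probe page loaded into the admin's browser, and the 1024-character limit on the injection is what pushes the per-guess CSS out into the reflected 404 page.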