Tags: csrf ping-attribute csp-bypass
Rating:
# ▼▼▼GiantURL(Web:190pts、solved:20/1374=1.5%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
```
Have you ever wished your URLs were longer? No? Well here's a site that does it anyways (source).
Note: the admin does visit the URL you have lengthened.
Author: kmh11
Hint: With all these new browser features, you don't even need CSRF tokens anymore!
```
---
## 【source code】
```
<html>
<head>
<title>GiantURL</title>
</head>
<body style="margin: 0; padding: 0; font-family: sans-serif;">
<h1 style="font-family: 'Comic Sans MS', sans-serif; background-color: #097aa0; margin-top: 0; padding: 1em; color: white"><span>Giant</span>URL</h1>
<form method="GET" action="/redirect" style="padding-left: 2em;">
Enter url:
Find a URL you don't think we should be redirecting? Enter the lengthened URL here and an admin will review it:
Click on >this link to go to your page!
The admin will review the link shortly.
Here's your flag:
Enter password:
Here's your flag:
Incorrect password.
404 Page not found
```
---
## 【Understanding functions】
・Submitting a URL creates a lengthened URL
・When a URL is submitted, the admin visits it
・There is an admin login function (**the flag is obtained by sending the admin password**)
・From the hint, **CSRF countermeasures** are implemented on the browser side
(My guess: "do not send the Cookie if the Referer is not the same origin")
・Also, the admin **clicks the `<a href=●●>` link**
---
Send the following request
↓
```
GET /redirect?_=NzQ1NDU1NTM1YjY1NzY5Y2I3ZWExMDk1ZDQ0NzIwYzE1Njg1OTVlYjhhMGE2Mjk5OTk2ZDg2M2ZmZjljMzRmM2YzOTNmYzA0NDM1MWIxODYwMmNmYWYyZGU5MjBiNjRiYzE5Y2QwNTE0OTYwMTA0MmRlYmIyZjNmNWVmNmI3OTc%3D&url=http%3A%2F%2Fexample.com&__=N2U2YWU2ZDZjNGVkMWM2OWNhZmNmMWM4OWVkODcyY2MwMWNjYzQ4MTEyYzI3ZGJhMGFkMzFiMzdjM2NmOWIyZGZmMTE3NzZiMmE1YTNiOTdmZTdkMTJhMTZjYTIyMDY0ZDcyOGRjNGQzMTA2OWJjZTEyZDVkZWI3ZjY3N2E2NDE%3D HTTP/1.1
Host: giant_url.2019.chall.actf.co
```
↓
```
<html>
<head>
<title>GiantURL</title>
</head>
<body style="margin: 0; padding: 0; font-family: sans-serif;">
<h1 style="font-family: 'Comic Sans MS', sans-serif; background-color: #097aa0; margin-top: 0; padding: 1em; color: white"><span>Giant</span>URL</h1>
Click on this link to go to your page!
```
↓
The `url` parameter is reflected into the link, but it is **not enclosed in quotes**.
`javascript:alert(1)` cannot be used for XSS because it is **blocked by the CSP** (`Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';`).
---
## 【exploit】
Send a **POST** request using the **`<a>`** tag's **ping attribute**.
↓
Send the following URL to the admin.
↓
The resulting POST request is a CSRF attack that changes the admin's password!!
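As an added example (not code from the writeup or the challenge), here is a server-side CSRF gate for a state-changing endpoint like the password change, placed beside the lenient Referer-only check the writeup suspects, to show why a `ping` beacon slips past the latter and is stopped by the former. The ping request headers follow the HTML hyperlink-auditing spec; the `/admin` path, `csrf` field name and cookie value are assumptions.

```python
import hmac

SITE_ORIGIN = "http://giant_url.2019.chall.actf.co"   # host from the writeup
SESSION_TOKEN = "constructed-per-session-csrf-token"  # stored server-side

# Constructed: what a browser emits for <a href=... ping=/admin?...>.
# Per the HTML spec the method is POST, the body is the literal "PING",
# the referrer policy is no-referrer (so no Referer header) and
# credentials (cookies) are included.
PING_REQUEST = {
    "Content-Type": "text/ping",
    "Ping-To": SITE_ORIGIN + "/admin",
    "Sec-Fetch-Site": "cross-site",
    "Cookie": "session=adminsession",
}
# Constructed: a genuine same-origin form submission from /admin.
LEGIT_REQUEST = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": SITE_ORIGIN + "/admin",
    "Origin": SITE_ORIGIN,
    "Sec-Fetch-Site": "same-origin",
    "Cookie": "session=adminsession",
}


def referer_only_check(headers):
    """Lenient gate: accept when Referer is same-origin OR absent.
    Absent is tolerated because privacy tools strip Referer, and that is
    exactly the hole a ping beacon (sent with no Referer) walks through."""
    ref = headers.get("Referer")
    return ref is None or ref.startswith(SITE_ORIGIN + "/")


def csrf_check(headers, form, session_token):
    """Hardened gate for state-changing requests; all three tests must hold."""
    mime = headers.get("Content-Type", "").split(";")[0].strip().lower()
    # 1. A hyperlink-auditing ping is never a legitimate form post.
    if mime == "text/ping" or "Ping-To" in headers:
        return False
    # 2. Honour the browser's fetch metadata when present: only same-origin
    #    (or user-initiated, "none") requests may change state.
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return False
    # 3. Always require a per-session synchronizer token in the body; a
    #    ping body is just "PING", so it can never carry one.
    return hmac.compare_digest(form.get("csrf", ""), session_token)
```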
---
Next, access `/admin`, enter the following as the admin password and submit:
`0123456789abcdef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000`
↓
`actf{p1ng_p0ng_9b05891fa9c3bed74d02a349877b1c60}`