Tags: ssrf directorylisting xss 


Original writeup (https://d1r3wolf.blogspot.com/2020/03/confidence-ctf-2020-cat-web-challenge.html).
iv4n, March 16, 2020, 6:23 a.m.

I noticed an issue: in Firefox, starting in Gecko 1.9, the file protocol's SOP restricts the files that can be read to those in the same directory or in a subdirectory.

But I just tested the challenge server:


iv4n, March 16, 2020, 6:25 a.m.

(The content has been truncated)

It's ok to read /etc/passwd

The Firefox on the challenge server is version 67; it should ban the request to file:///etc/passwd, so why?